The Firewall, when translating for NAT overload (or PAT), splits the available ports into three pools:
When the Firewall initially starts to perform port translation, it begins with the lowest port number in each pool. This means the first packet sourced internally from a high port will be sent to the Internet could with a new source port of 1024. The next high port translation will go out with a source port of 1025, so on and so forth.
Here's a link to a Cisco document where you can find more about this;
Your questions is bit intresting and tough one to answer.
Typically for the dynamic NAT If you use access-list then 65535 is the limit. If other case of dynamic NAT is having the limit which is of huge range like 21474836478 is the limit where you can create nat and global commands.
When it comes for static NAT i guess that also has the same limit as such 65535.
There is document http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/nat-rules.html#40794 saying that
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
So maximum number of NAT (in my exmaple PAT) translations depends on available memory, CPU speed and actual configuration of the ASA. In other words, there is no 65535 maximum.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...