Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1977
Views
0
Helpful
3
Replies

NAT Vs PAT

Go to solution
haithamnofal
Level 3
Level 3

‎12-31-2006 07:31 AM - edited ‎03-11-2019 02:14 AM

Hi All,

I have one quick question about NAT config in ASA; I have done a configuration like this:

nat (inside) 1 0 0

global (outside) 1 x.x.x.6-x.x.x.9

But this configuration has caused me problems when more than 4 users was trying to connect at the same time. So, I had to PAT one IP of them as follows to make that work:

global (outside) 1 x.x.x.9

I was thinking that when doing NATing, as I was doing in the 1st place, PATing also will be taken care of if the NAT pool was not enough.

1- Can you please confirm to me how will NAT work then and whether each user will only get one IP only from the NAT pool or whether PATing will happen as well?

2- Also, what is the maximum number of users that 1 PAT IP can handle, and is it the # of users that is PATed or the # of connections?

Thanks,

Haitham

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dstalls
Level 1
Level 1
In response to haithamnofal

‎12-31-2006 02:24 PM

Yup, you got it.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
dstalls
Level 1
Level 1

‎12-31-2006 11:55 AM

If you have two statements, one that lists a range of IPs, and one that lists just one IP, then the default will be for ASA to give out dedicated IPs for each client it can to fill up the IP range. Then once there are no more IPs available, it will start to PAT every subsequent inside host that needs to be NATed.

The number of connections one IP can support when using PAT, is roughly 65,500. It is based on the number of connections, not the number of IPs on the inside.

Cheers

0 Helpful

Go to solution
haithamnofal
Level 3
Level 3
In response to dstalls

‎12-31-2006 01:24 PM

Thanks.. so, I understand from you that when configuring the following command:

global (outside) 1 x.x.x.6-x.x.x.8

that 3 hosts will only be allowed to initiate connections through the ASA? No PATing will take place when applying this command without the "global (outside) 1 x.x.x.9" command?

Regards,

Haitham

0 Helpful

Go to solution
dstalls
Level 1
Level 1
In response to haithamnofal

‎12-31-2006 02:24 PM

Yup, you got it.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card