04-27-2009 05:49 AM - edited 03-11-2019 08:24 AM
All,
Is there documentation somewhere that states how many users can run behind PAT? I've got between 300 - 1000 at any one time that can be on, and currently I'm using the interface address on the ASA to do this with. I was wondering if I needed to set aside a couple more addresses to go out on, or if I should be okay with this many users. It's a 5550.
Thanks,
John
04-27-2009 06:26 AM
John
As you know, PAT uses the port number in addition to changing the IP address to hide the private address.
The port field in the IP header is a 16-bit unsigned integer. This means the value of the port field can be 0 -> 65535. Take away the ports between 0 and 1024 and you still have an awful lot of port numbers.
It's not quite as simple as that, as a single user may generate a large number of PAT translations depending on the application and how it works. But I would think you should be okay, as I have run far more than 1000 users through a firewall with a single IP address.
If the firewall does run out it should tell you anyway by reporting that it has no available xlate for the connection.
Jon
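A simplified model of the port budget described in the answer above, added here as an example and not part of the original posts or Cisco's implementation. It assumes one mapped address, usable ports 1025-65535, separate TCP and UDP pools, and constructed inside addresses; `PatTable` and `users_until_exhaustion` are hypothetical names.

```python
# Simplified model of a PAT translation (xlate) table on ONE mapped address.
# Assumptions: mapped ports 1025-65535 are usable (per the answer above),
# and TCP and UDP draw from separate pools. Not the ASA's real allocator.
from collections import deque

LOW, HIGH = 1025, 65535
POOL_SIZE = HIGH - LOW + 1  # mapped ports available per protocol


class PatExhausted(Exception):
    """Raised when no mapped port is free for a new translation."""


class PatTable:
    def __init__(self):
        self.free = {p: deque(range(LOW, HIGH + 1)) for p in ("tcp", "udp")}
        self.xlates = {}  # (proto, inside_ip, inside_port) -> mapped_port

    def translate(self, proto, inside_ip, inside_port):
        key = (proto, inside_ip, inside_port)
        if key in self.xlates:  # an existing flow reuses its xlate
            return self.xlates[key]
        if not self.free[proto]:
            raise PatExhausted(f"no {proto} xlate for {inside_ip}:{inside_port}")
        self.xlates[key] = self.free[proto].popleft()
        return self.xlates[key]

    def release(self, proto, inside_ip, inside_port):
        # Flow closed or timed out: the mapped port returns to the pool.
        port = self.xlates.pop((proto, inside_ip, inside_port))
        self.free[proto].append(port)


def users_until_exhaustion(conns_per_user):
    """Fill the TCP pool with constructed users; return how many fit fully."""
    table, user = PatTable(), 0
    while True:
        ip = f"10.0.{user // 250}.{user % 250 + 1}"  # constructed inside host
        try:
            for i in range(conns_per_user):
                table.translate("tcp", ip, 40000 + i)
        except PatExhausted:
            return user
        user += 1


if __name__ == "__main__":
    for n in (10, 64, 200):
        print(f"{n} concurrent TCP flows/user -> {users_until_exhaustion(n)} users")
```

The limit is concurrent translations, not user count, so the number of users one address supports falls as each user's application opens more simultaneous flows.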
04-27-2009 06:30 AM
Thanks Jon! Well, I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night. I was very pleased with the way it went. :-)
John
04-27-2009 06:32 AM
John
"I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night"
That's very impressive, as translating configs between different vendor firewalls is never easy. Glad to hear it went so well, with the added bonus that you now know a whole lot more about Cisco ASAs :-)
Jon