Cisco Support Community
New Member

NAT ID Limit

I have a customer that has an ISP that is constantly requesting the location of a specific IP address, due to copyright issues related to downloads. The firewall has the standard one NAT ID that has a few Global IPs associated to it and all users appear to the ISP as one of those global IPs.

What is the real limit to the number of NAT IDs on an ASA5550? The customer has 80 sites and we were thinking of putting a global IP for each and a separate NAT ID for each site with a policy NAT ACL. This way the customer could easily identify the location of the violation. Has anyone approached this problem in this manner? Technically the NAT ID can be from 0-65000, but what is the real working limit?
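As an added example (not part of the original post), here is a small Python generator for the per-site policy NAT layout described above, in the pre-8.3 `nat`/`global` syntax this thread uses. Each site gets its own ACL, its own NAT ID and a single dedicated global address (a single address in a `global` statement is PAT), so the source address the ISP reports identifies the site directly. The site names, subnets, global addresses and the starting NAT ID of 10 are constructed assumptions; ASA 8.3 and later replaced this syntax with object/twice NAT, so it applies to the 7.x/8.2 code the thread is about.

```python
"""Generate per-site policy NAT for a pre-8.3 ASA (nat/global syntax).

Added example, not from the thread. Site names, subnets and global
addresses are constructed; replace with the customer's real values.
"""
import ipaddress

# Constructed site table: (site name, inside subnet, dedicated global IP).
# NAT ID 1 is assumed to stay reserved for the existing catch-all pool,
# so the per-site IDs start at 10.
SITES = [
    ("HQ",       "10.1.0.0/24", "203.0.113.10"),
    ("BRANCH02", "10.2.0.0/24", "203.0.113.11"),
    ("BRANCH03", "10.3.0.0/24", "203.0.113.12"),
]
FIRST_SITE_NAT_ID = 10
POLICY_NAT_MAX_ID = 65535   # upper bound for policy NAT (nat id access-list)


def site_nat_config(sites, first_id=FIRST_SITE_NAT_ID,
                    inside="inside", outside="outside"):
    """Return ASA config lines: one ACL + nat + global triple per site.

    Raises ValueError if a NAT ID would exceed the policy-NAT limit, if a
    subnet or address is malformed, or if two sites share a global address
    (which would make them indistinguishable to the ISP again).
    """
    lines = []
    used_globals = set()
    for n, (name, subnet, global_ip) in enumerate(sites):
        nat_id = first_id + n
        if nat_id > POLICY_NAT_MAX_ID:
            raise ValueError(f"NAT ID {nat_id} exceeds the policy-NAT limit")
        net = ipaddress.ip_network(subnet)   # validates the subnet
        ipaddress.ip_address(global_ip)      # validates the global address
        if global_ip in used_globals:
            raise ValueError(f"global {global_ip} is used by more than one site")
        used_globals.add(global_ip)
        acl = f"{name}-NAT"
        lines += [
            f"access-list {acl} extended permit ip "
            f"{net.network_address} {net.netmask} any",
            f"nat ({inside}) {nat_id} access-list {acl}",
            f"global ({outside}) {nat_id} {global_ip}",
            "!",
        ]
    return lines


def global_to_site(sites, first_id=FIRST_SITE_NAT_ID):
    """Reverse map: global address -> (site name, NAT ID), for answering the ISP."""
    return {g: (name, first_id + n) for n, (name, _, g) in enumerate(sites)}


if __name__ == "__main__":
    print("\n".join(site_nat_config(SITES)))
    print(global_to_site(SITES)["203.0.113.11"])
```

Policy NAT statements are matched in configuration order, so the generated per-site entries should come before any remaining catch-all `nat (inside) 1 0 0`; otherwise the catch-all still claims the traffic and the ISP keeps seeing the shared pool.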

3 REPLIES

Re: NAT ID Limit

Max NAT ID with new PIX/ASA 7.2 is 2147483647.

See below on Cisco PIX/ASA 7.2 NAT command info:

nat_id :

Specifies an integer for the NAT ID. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0.

This ID is referenced by the global command to associate a global pool with the real_ip.

Pls rate if this helps.

AK

New Member

Re: NAT ID Limit

Thanks for correcting me on the exact NAT ID number, I got my facts mixed up. The meat of the question is about the performance on an ASA 5550 with those 80 or so NAT IDs running with an average of 200 PCs behind each NAT ID, or is there a better way of handling this?

Cisco Employee

Re: NAT ID Limit

Clyde,

I queried a colleague with your question. He works for Cisco Remote Operation Center which manages, among other things, customer security deployments (firewalls, NIPS, CSA, etc). Here was his response based upon his experience with a PIX firewall:

I have done 35 separate nat statements in a PIX running older 6.x code with no issues. I am sure the number is much higher than that but then you may run into memory buffer issues. Probably could configure a syslog server with a script to pull the xlate table every so many minutes to capture the translations with all of the connection information. It would have to be done off the firewall in logs with that many connections.

-don

I hope this is insightful. Good luck Clyde.

Regards,

Troy
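The approach in Don's reply, capturing the translations off-box, does not need a periodic `show xlate` scrape: the ASA logs each translation as it is built (305011) and torn down (305012), so a syslog archive already holds the record. As an added example (not part of the thread), the Python below parses those two message types and answers the ISP's question "who was behind global IP X, port P, at time T?". The log lines and the site table are constructed; it assumes `logging timestamp` is on and that the syslog host receives severity 6 (`logging trap informational` or lower), since the 3050xx messages are informational.

```python
"""Attribute an ISP complaint (global IP, port, time) to an inside host
from ASA/PIX translation syslog (305011 built / 305012 teardown).

Added example, not from the thread; the log lines and the site table are
constructed. Requires 'logging timestamp' and 'logging trap informational'.
"""
import re
from datetime import datetime

XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?:ASA|PIX)-6-3050(?P<kind>11|12): "
    r"(?:Built|Teardown) (?:dynamic|static) (?P<proto>TCP|UDP|ICMP) translation "
    r"from [\w-]+:(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to [\w-]+:(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)"
)

# Constructed: the per-site global addresses chosen in the NAT design.
GLOBAL_TO_SITE = {"203.0.113.10": "HQ", "203.0.113.11": "BRANCH02"}

# Constructed sample log: two sites, and one mapped port reused after teardown.
SAMPLE_LOG = """\
Mar 20 2009 10:15:32: %ASA-6-305011: Built dynamic TCP translation from inside:10.2.0.25/3345 to outside:203.0.113.11/41234
Mar 20 2009 10:16:05: %ASA-6-305011: Built dynamic TCP translation from inside:10.1.0.7/1100 to outside:203.0.113.10/41234
Mar 20 2009 10:40:10: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.2.0.25/3345 to outside:203.0.113.11/41234 duration 0:24:38
Mar 20 2009 10:41:00: %ASA-6-305011: Built dynamic TCP translation from inside:10.2.0.40/2222 to outside:203.0.113.11/41234
"""


def parse_xlates(text):
    """Return translation events in log order; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "kind": "built" if m["kind"] == "11" else "teardown",
            "key": (m["proto"], m["real_ip"], int(m["real_port"]),
                    m["mapped_ip"], int(m["mapped_port"])),
        })
    return events


def build_intervals(events):
    """Pair each 305011 with its 305012 -> (start, end, key); end None = still open."""
    open_xlates, intervals = {}, []
    for ev in events:
        if ev["kind"] == "built":
            open_xlates[ev["key"]] = ev["ts"]
        elif ev["key"] in open_xlates:
            intervals.append((open_xlates.pop(ev["key"]), ev["ts"], ev["key"]))
    intervals.extend((start, None, key) for key, start in open_xlates.items())
    return intervals


def who_had(intervals, mapped_ip, mapped_port, when, proto="TCP"):
    """Inside hosts holding mapped_ip/mapped_port at 'when': (real_ip, real_port, site)."""
    hits = []
    for start, end, (p, rip, rport, mip, mport) in intervals:
        if (p, mip, mport) == (proto, mapped_ip, mapped_port) \
                and start <= when and (end is None or when <= end):
            hits.append((rip, rport, GLOBAL_TO_SITE.get(mip, "unknown")))
    return hits


def lookup(log_text, mapped_ip, mapped_port, when_str, proto="TCP"):
    """One-shot attribution; when_str is 'YYYY-MM-DD HH:MM:SS' in the firewall's clock."""
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M:%S")
    return who_had(build_intervals(parse_xlates(log_text)),
                   mapped_ip, mapped_port, when, proto)


def site_for_global(mapped_ip):
    """Site granularity needs no port or time: the global address alone gives the site."""
    return GLOBAL_TO_SITE.get(mapped_ip, "unknown")


if __name__ == "__main__":
    print(lookup(SAMPLE_LOG, "203.0.113.11", 41234, "2009-03-20 10:30:00"))
```

Two practical caveats: with one global address per site the address alone identifies the site, but narrowing to a host requires the ISP to supply the translated port and a timestamp with its time zone, and the firewall clock must be NTP-synced or the interval match is meaningless; and at 200 PCs per site the 305011/305012 volume is large, so the collector should index by mapped address and port rather than grep the raw archive.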
