I have a customer that has an ISP that is constantly requesting the location of a specific IP address, due to copyright issues related to downloads. The firewall has the standard one NAT ID that has a few global IPs associated to it, and all users appear to the ISP as one of those global IPs.
What is the real limit to the number of NAT IDs on an ASA 5550? The customer has 80 sites, and we were thinking of putting a global IP for each and a separate NAT ID for each site with a policy NAT ACL. This way the customer could easily identify the location of the violation. Has anyone approached this problem in this manner? Technically the NAT ID can be from 0-65000, but what is the real working limit?
Thanks for correcting me on the exact NAT ID number; I got my facts mixed up. The meat of the question is about the performance of an ASA 5550 with those 80 or so NAT IDs running with an average of 200 PCs behind each NAT ID, or is there a better way of handling this?
I queried a colleague with your question. He works for the Cisco Remote Operation Center, which manages, among other things, customer security deployments (firewalls, NIPS, CSA, etc.). Here is his response, based upon his experience with a PIX firewall:
I have done 35 separate nat statements in a PIX running older 6.x code with no issues. I am sure the number is much higher than that, but then you may run into memory buffer issues. You could probably configure a syslog server with a script to pull the xlate table every so many minutes to capture the translations with all of the connection information. It would have to be done off the firewall, in logs, with that many connections.