NAT ID Limit

clyded
Level 1

I have a customer that has an ISP that is constantly requesting the location of a specific IP address, due to copyright issues related to downloads. The firewall has the standard one NAT ID that has a few global IPs associated to it, and all users appear to the ISP as one of those global IPs.

What is the real limit to the number of NAT IDs on an ASA 5550? The customer has 80 sites and we were thinking of putting a global IP for each and a separate NAT ID for each site with a policy NAT ACL. This way the customer could easily identify the location of the violation. Has anyone approached this problem in this manner? Technically the NAT ID can be from 0-65000, but what is the real working limit?

3 Replies

a.kiprawih
Level 7

Max NAT ID with new PIX/ASA 7.2 is 2147483647.

See below on Cisco PIX/ASA 7.2 NAT command info:

nat_id:

Specifies an integer for the NAT ID. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0.

This ID is referenced by the global command to associate a global pool with the real_ip.

Pls rate if this helps.

AK

Thanks for correcting me on the exact NAT ID number, I got my facts mixed up. The meat of the question is about the performance on an ASA 5550 with 80 or so NAT IDs running with an average of 200 PCs behind each NAT ID, or is there a better way of handling this?

Clyde,

I queried a colleague with your question. He works for the Cisco Remote Operation Center, which manages, among other things, customer security deployments (firewalls, NIPS, CSA, etc.). Here was his response, based upon his experience with a PIX firewall:

I have done 35 separate nat statements in a PIX running older 6.x code with no issues. I am sure the number is much higher than that, but then you may run into memory buffer issues. You could probably configure a syslog server with a script to pull the xlate table every so many minutes to capture the translations with all of the connection information. It would have to be done off the firewall, in logs, with that many connections.

-don

I hope this is insightful. Good luck Clyde.

Regards,

Troy
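The two answers above fit together: a.kiprawih's point that the `nat` and `global` commands are joined on the NAT ID is what makes a per-site NAT ID useful for attribution, and Don's point that the translations have to be captured off-box in syslog is how you answer the ISP weeks later, after the xlate has long been torn down. The following is an added example, not code from this thread or from Cisco. It assumes the pre-8.3 (7.2-era) syntax `nat (inside) <id> access-list <acl>` / `global (outside) <id> <ip|ip-range>` and the standard `%ASA-6-305011` (Built dynamic translation) and `%ASA-6-305012` (Teardown) syslog messages; the config fragment, the site names and the log lines are all constructed for the example. The script builds a global-IP-to-site map from the config, parses the translation log, and answers the question the ISP actually asks: who was behind global IP X (and port Y) at that time?

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ASA 7.2-style config fragment (not from the thread): one policy NAT
# ACL plus a nat/global pair per site, joined on the NAT ID. Site 12 uses a
# global range so the parser handles both the single-IP and range forms.
SAMPLE_CONFIG = """\
access-list SITE-10-NAT extended permit ip 10.10.0.0 255.255.0.0 any
nat (inside) 10 access-list SITE-10-NAT
global (outside) 10 203.0.113.10
access-list SITE-11-NAT extended permit ip 10.11.0.0 255.255.0.0 any
nat (inside) 11 access-list SITE-11-NAT
global (outside) 11 203.0.113.11
access-list SITE-12-NAT extended permit ip 10.12.0.0 255.255.0.0 any
nat (inside) 12 access-list SITE-12-NAT
global (outside) 12 203.0.113.12-203.0.113.13
"""

# Constructed syslog lines in the %ASA-6-305011/305012 dynamic translation format.
# The 302013 connection line is included to show unrelated messages are skipped.
SAMPLE_SYSLOG = """\
Mar 10 14:02:11 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.4.77/51234 to outside:203.0.113.10/1024
Mar 10 14:02:12 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.11.9.5/40001 to outside:203.0.113.11/1025
Mar 10 14:02:15 fw01 %ASA-6-305011: Built dynamic UDP translation from inside:10.12.1.8/5060 to outside:203.0.113.13/1030
Mar 10 14:05:40 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.10.4.77/51234 to outside:203.0.113.10/1024 duration 0:03:29
Mar 10 14:06:00 fw01 %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.10.4.77/51234 (203.0.113.10/1024)
"""

NAT_RE = re.compile(r"^nat \(\S+\) (\d+) access-list (\S+)")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)")
XLATE_RE = re.compile(
    r"%ASA-\d-30501[12]: (?P<action>Built|Teardown) dynamic (?P<proto>\S+) translation "
    r"from \w+:(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to \w+:(?P<global_ip>[\d.]+)/(?P<global_port>\d+)"
)


@dataclass
class Translation:
    timestamp: str
    action: str              # "Built" or "Teardown"
    proto: str
    real_ip: str
    real_port: int
    global_ip: str
    global_port: int
    nat_id: Optional[int]    # None when the global IP is not in the parsed config
    acl: Optional[str]       # the policy NAT ACL, i.e. the site, for that NAT ID


def expand_global(spec: str) -> List[str]:
    """Expand 'a.b.c.d' or 'a.b.c.d-a.b.c.e' into the individual addresses."""
    if "-" not in spec:
        return [spec]
    lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]


def parse_nat_map(config_text: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Join nat and global lines on their NAT ID -> {global_ip: (nat_id, acl_name)}."""
    acl_by_id: Dict[int, str] = {}
    ids_by_global: Dict[str, int] = {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line)
        if m:
            acl_by_id[int(m.group(1))] = m.group(2)
            continue
        m = GLOBAL_RE.match(line)
        # 'global (outside) N interface' carries no fixed address, so it is skipped here
        if m and m.group(2) != "interface":
            for ip in expand_global(m.group(2)):
                ids_by_global[ip] = int(m.group(1))
    return {ip: (nid, acl_by_id.get(nid)) for ip, nid in ids_by_global.items()}


def parse_translations(syslog_text: str,
                       nat_map: Dict[str, Tuple[int, Optional[str]]]) -> List[Translation]:
    """Parse 305011/305012 lines and tag each with the NAT ID/ACL owning the global IP."""
    records: List[Translation] = []
    for line in syslog_text.splitlines():
        m = XLATE_RE.search(line)
        if not m:
            continue
        nat_id, acl = nat_map.get(m["global_ip"], (None, None))
        records.append(Translation(
            timestamp=line[:15],   # BSD syslog "Mon DD HH:MM:SS" prefix
            action=m["action"], proto=m["proto"],
            real_ip=m["real_ip"], real_port=int(m["real_port"]),
            global_ip=m["global_ip"], global_port=int(m["global_port"]),
            nat_id=nat_id, acl=acl,
        ))
    return records


def who_used(records: List[Translation], global_ip: str,
             global_port: Optional[int] = None) -> List[Translation]:
    """Answer an abuse complaint: which inside host (and site) held this global IP[/port]?"""
    return [r for r in records
            if r.action == "Built" and r.global_ip == global_ip
            and (global_port is None or r.global_port == global_port)]


def translations_per_site(records: List[Translation]) -> Dict[Optional[int], int]:
    """Count Built translations by NAT ID: a cheap per-site load indicator."""
    return dict(Counter(r.nat_id for r in records if r.action == "Built"))


if __name__ == "__main__":
    nat_map = parse_nat_map(SAMPLE_CONFIG)
    records = parse_translations(SAMPLE_SYSLOG, nat_map)
    for hit in who_used(records, "203.0.113.10", 1024):
        print(f"{hit.timestamp}: {hit.global_ip}/{hit.global_port} was "
              f"{hit.real_ip} (NAT ID {hit.nat_id}, {hit.acl})")
    print(translations_per_site(records))
```

Two practical notes. The 305011/305012 messages are severity 6 (informational), so the syslog trap level sent to the collector has to include them or there is nothing to search, and at 200 PCs per site times 80 sites that volume is exactly why Don says it has to live off the firewall. And because an ISP complaint is "IP X at time T", the lookup is only as good as the firewall's clock: keep the ASA on NTP and log the timezone, otherwise a per-site global IP narrows the search to a site but not to a host.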
