Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
300
Views
0
Helpful
1
Replies

NAT/PAT overload on a range of addresses

jroyster
Level 1
Level 1

‎07-30-2003 12:20 PM - edited ‎03-09-2019 04:15 AM

Howdy,

Believe it or not I'm running out of PAT translations on a single IP address for an enterprise network. Is there any way I can have a range of say 50 IP addresses and run PAT on all of them?

I thought the normal behavior for PAT or "overload" on a range would be to use the entire range for one-to-one NAT and the last address in the range would be PAT.

The pixes are 525s running 6.2(2).

Thanks in advanced.

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎07-30-2003 05:11 PM

If you have the following:

> global (outside) 1 100.1.1.1-100.1.1.254

then the PIX will just be doing NAT (one-to-one) translations, no PAT, and you'll only be able to create 254 connections outbound.

If you have the following:

> global (outside) 1 100.1.1.1-100.1.1.253

> global (outside) 1 100.1.1.254

then the PIX will do one-to-one NAT translations on the first 253 addresses available, and when they run out it will use .254 as a PAT address, giving you around 65000 additional connections (see below for a caveat to this).

If you want to create more PAT translations cause you're running out of them, then you do the following:

> global (outside) 1 100.1.1.1-100.1.1.252

> global (outside) 1 100.1.1.253

> global (outside) 1 100.1.1.254

If you need another PAT address, just remove .252 from the NAT pool and add another line similar to the .253 and .254 lines above, each one will give you additional connections.

CAVEAT

The PIX PATs addresses using the following rules:

- If the source port is TCP/UDP 1-511, then the PIX will PAT the SRC address to one in that range.

- If the source port is TCP/UDP 512-1023, then the PIX will PAT the SRC address to one in that range.

- If the source port is TCP/UDP 1024-65535, then the PIX will PAT the SRC address to one in that range.

So, if you have a large number of connections outbound with source ports below say, 500, then you will only get 500 translations out of one address, rather than the possible 65000. This all depends on what your internal SW uses as its source port, the norm is to use a high port (> 1024) in which case you'll get around 64900 translations per address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents