If you have more than one

daffrandy · ‎01-20-2016

Not sure if this is the correct forum or not, but I have a question about the PAT/NAT Overload and the Maximum addresses i can use.

I have seen there is a theoretical Maximum of approx 65000 addresses but cannot seem to find a best practice of how many private IP addresses you really should overload behind a single public IP address.

Currently I have a single public IP with a /16 behind it.

I am using an ASA 5585.

I am thinking, that since I have several public IPs that I divide it by four:

in the ranges:

x.x.0.1 to 64.255 inside to public outside IP 1

x.x.65.0 to 128.255 inside to public outside IP 2

x.x.129.0 to 192.255 inside to public outside IP 3

x.x.193.0 to x.x.255.254 inside to public outside IP 4

Any knowledge is good knowledge on this subject.

Thanks!

rvarelac · ‎01-20-2016

Hi daffrandy,

According with the documentation:

When configuring for PAT (overloading), what is the maximum number of translations that can be created per inside global IP address?

PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request, but if the original source port has already been used, it starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation.

Is up to you if you want to use more than one public IP on the ASA for the translations.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

Hope it helps

-Randy-

daffrandy · ‎01-21-2016

The ASA will be working very hard.

Its better to break up the class B then behind multiple public ips.

That will be my next course of action.

we get 7 to 10 thousand devices on the class B at peak times.

Richard Bradfield · ‎01-21-2016

If you have more than one public IP then I would use them. I have split traffic according to my network locations( all Internet connections come through our main site) so it gives me an idea how much Internet traffic each site generates.

daffrandy · ‎01-21-2016

I think that since I have the luxury, I am going to divide the class B by 16.

that will give me approx 4000 private addresses per public ip.

Thanks!

Dan

design1balu1 · ‎01-21-2016

PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request,

design1balu1 · ‎01-22-2016

It attempts to assign the same port value of the original request, but if the original source port has already been used, it starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation.

design1balu1 · ‎01-21-2016

PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535.

daffrandy · ‎01-21-2016

I think that's what is a theoretical Max. What I'm looking for is a best practice. If dividing a private class be up between 32 or 64 different ranges will make the network less congested going out then why not use that if you have the luxury? If you have a class B behind One address that would probably be a bottleneck and a source of congestion. What I am seeing on my network is webpages loading slowly or taking several refreshes to load.This only occurs with NATed clients. Clients on our public range are not experiencing the issue.

PAT/NAT Overload Maximum addresses