NAT capacity

Dear,

I have an ASA5580 firewall. I want to ask how many private IPs can access the outside via one public IP without decreasing the performance of the ASA (delay, CPU load, etc.).

The idea is that I have 20,000 users; how many public IPs should I use for NAT so that there is no CPU load on the ASA and performance stays high? Please give your recommendation.

memo12345678 asked:
John Meggers (Network Architect) commented:
I can't tell you specifically that there will be no impact, I've never done that many concurrent PATs. I'm really trying to draw a conclusion based on other performance metrics, and I'm just saying I wouldn't expect there to be any significant impact based on total concurrent connections the box is capable of handling (2,000,000).

John Meggers (Network Architect) commented:
The 5580 can handle a lot but for NAT to a single address you're inherently limited by the 65535 ports. The 5580 can handle 2 million concurrent connections so 20,000 NATs shouldn't be a problem.

memo12345678 (Author) commented:
So you mean that if I make all my current 20,000 users go through a single IP (PAT), it doesn't affect performance and request delay?!

ArneLovius commented:
As each connection (not each internal host) will use a new NAT table entry, if the traffic for 20k users is going through a single address, it would be fine if each user just had a single SSH session, but not if they were browsing the internet.

While browsing the "modern" internet, each user should have the available capacity to have at least 100 sessions open; for 20k users that would be 2M sessions, which divided by 64k is 31.5, so I would allocate 33 addresses in your NAT pool.

If you used an internal proxy server, this could be significantly reduced.


memo12345678 (Author) commented:
Thanks a lot for this info.

John Meggers (Network Architect) commented:
@ArneLovius:
I agree that multiple sessions will result in multiple translations. But I've never seen a configuration where multiple addresses are used for PAT in a single nat / global group configuration. In IOS, you can specify a range of addresses, then add the "overload" keyword, but I don't believe this option is available in the ASA; if you specify a single address, overload (PAT) is assumed.

The only option I can think of for the ASA is multiple NAT configurations where blocks of internal addresses are PATed to a single external address, and this is repeated. As you point out, you'd need 33 outside addresses, although if this approach was taken it would probably be easier to do it based on /23 blocks, in which case 40 NAT configurations would be required.

Is there another way you'd approach this, or is this what you had in mind?

ArneLovius commented:
@jmeggers first create a NAT pool, then use the pool for dynamic NAT; if you have multiple internal subnets, you can use policy-based dynamic NAT to subdivide it further.

memo12345678 (Author) commented:
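As an added example (not configuration posted by anyone in this thread), here is what the "NAT pool used for dynamic PAT" approach looks like in ASA object-NAT syntax, which is assumed to be ASA 8.4(3) or later because that is where the `pat-pool` keyword appears. The object names and all addresses (203.0.113.0/24 documentation space, 10.0.0.0/16 and 10.1.0.0/16 inside) are placeholders chosen for the example; the pool size of 33 follows the sizing worked out above.

```cisco
! Added example, not from the thread. Assumes ASA 8.4(3)+ (pat-pool keyword).
! Sizing from the discussion above: 20,000 users x ~100 sessions = 2,000,000
! translations; 2,000,000 / ~64,000 ports per address = 31.5 -> 33 addresses.
!
! Public PAT pool: 33 placeholder addresses, 203.0.113.10 - 203.0.113.42
object network PAT_POOL
 range 203.0.113.10 203.0.113.42
!
! Internal users (placeholder 10.0.0.0/16; 20,000 hosts need at least a /17).
! One rule covers the whole block, so no per-/23 rule repetition is needed.
! round-robin spreads new translations across the pool instead of exhausting
! one address before moving to the next.
object network INSIDE_USERS
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool PAT_POOL round-robin
!
! Optional: a policy (twice) NAT rule that gives one internal subnet its own
! pool, the "subdivide it further" case mentioned above. Twice NAT rules are
! evaluated before object NAT, so this subnet never reaches PAT_POOL.
object network PAT_POOL_GUEST
 range 203.0.113.50 203.0.113.52
object network GUEST_USERS
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source dynamic GUEST_USERS pat-pool PAT_POOL_GUEST round-robin
!
! Checks to run once traffic flows: translation count vs. pool capacity,
! and connection count vs. the platform's concurrent-connection limit.
show nat detail
show xlate count
show conn count
```

Two things worth checking on a box carrying this load: `show xlate count` against the pool's theoretical ceiling (33 addresses times roughly 64k ports) tells you how close the pool is to exhaustion, and the per-rule hit counts in `show nat detail` confirm the twice-NAT rule is matching the subnet you intended. If port exhaustion becomes a problem before address count does, the `extended` option on `pat-pool` (also 8.4(3)+) makes the port space per address unique per destination rather than global, at the cost of more xlate memory.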
Thanks to all.

John Meggers (Network Architect) commented:
@ArneLovius -- Thanks for the suggestion.

Question has a verified solution.