Solved

NAT capacity

Posted on 2011-09-03
402 Views
Last Modified: 2012-08-13
Dear ,

I have an ASA5580 firewall. I want to ask how many private IPs can access outside through one public IP without decreasing the performance of the ASA (delay, CPU load, etc.).

The idea is that I have 20000 users; how many public IPs should I use for NAT without causing CPU load on the ASA and while keeping high performance? Please give your recommendation...
Question by:memo12345678
10 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36480271
The 5580 can handle a lot but for NAT to a single address you're inherently limited by the 65535 ports. The 5580 can handle 2 million concurrent connections so 20,000 NATs shouldn't be a problem.
0
 

Author Comment

by:memo12345678
ID: 36480359
So you mean if I make all my current 20,000 users go out through a single IP (PAT), it doesn't affect the performance and delay of requests!!
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 501 total points
ID: 36483606
I can't tell you specifically that there will be no impact, I've never done that many concurrent PATs. I'm really trying to draw a conclusion based on other performance metrics, and I'm just saying I wouldn't expect there to be any significant impact based on total concurrent connections the box is capable of handling (2,000,000).
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 999 total points
ID: 36484075
As each connection (not each internal host) will use a new NAT table entry, if the traffic for 20k users is going through a single address, it would be fine if each user just had a single SSH session, but not if they were browsing the internet.

While browsing the "modern" internet, each user should have the available capacity to have at least 100 sessions open; for 20k users that would be 2M sessions, which divided by 64k is 31.5, so I would allocate 33 addresses in your NAT pool.

If you used an internal proxy server, this could be significantly reduced.


0
 

Author Comment

by:memo12345678
ID: 36488007
Thanks a lot for this info.
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36491033
@ArneLovius:
I agree that multiple sessions will result in multiple translations.  But I've never seen a configuration where multiple addresses are used for PAT in a single nat / global group configuration.  In IOS, you can specify a range of addresses, then add the "overload" key word, but I don't believe this option is available in the ASA; if you specify a single address, overload (PAT) is assumed.

The only option I can think of for the ASA is multiple NAT configurations where blocks of internal addresses are PATed to a single external address, and this is repeated. As you point out, you'd need 33 outside addresses, although if this approach was taken it would probably be easier to do it based on /23 blocks, in which case 40 NAT configurations would be required.  

Is there another way you'd approach this, or is this what you had in mind?
0
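A worked version of the two calculations in this thread, as an added example (not code from either poster): ArneLovius' flat-pool sizing (users x sessions per user / ports per address) and jmeggers' one-PAT-per-/23-block layout, rendered in the pre-8.3 nat/global form he mentions. The 64512 usable ports (1024-65535), the 10.0.0.0/16 inside range and the 203.0.113.x outside addresses are assumptions.

```python
import ipaddress
import math

# Assumed: one ASA PAT address maps sessions onto ports 1024-65535 (64512 ports);
# change USABLE_PORTS if your platform uses a different range.
USABLE_PORTS = 64512

def pat_addresses_needed(users, sessions_per_user=100, usable_ports=USABLE_PORTS):
    """Outside addresses needed so all concurrent sessions fit in the PAT port space
    (the thread's 20k users x 100 sessions calculation, generalised)."""
    return math.ceil(users * sessions_per_user / usable_ports)

def inside_blocks(inside_network, users, prefix_len=23):
    """Carve the inside range into fixed-size blocks (default /23 = 512 hosts)
    that together cover `users` hosts."""
    net = ipaddress.ip_network(inside_network)
    needed = math.ceil(users / 2 ** (32 - prefix_len))
    subnets = list(net.subnets(new_prefix=prefix_len))
    if needed > len(subnets):
        raise ValueError(f"{net} has {len(subnets)} /{prefix_len} blocks, need {needed}")
    return subnets[:needed]

def plan_pat(inside_network, outside_first, users, sessions_per_user=100,
             prefix_len=23, usable_ports=USABLE_PORTS):
    """Map each inside block to its own outside PAT address (one NAT statement per
    block). Rejects block sizes whose expected sessions would exhaust one address'
    ports: /23 (512 x 100 = 51,200) fits, /22 (1024 x 100 = 102,400) does not."""
    per_block = 2 ** (32 - prefix_len) * sessions_per_user
    if per_block > usable_ports:
        raise ValueError(f"/{prefix_len} block needs {per_block} ports, have {usable_ports}")
    first = ipaddress.ip_address(outside_first)
    blocks = inside_blocks(inside_network, users, prefix_len)
    return [(block, first + i) for i, block in enumerate(blocks)]

def asa_nat_global_lines(plan, nat_id_start=1):
    """Render the plan as pre-8.3 'nat (inside) N' / 'global (outside) N' pairs, the
    nat/global form the thread mentions; constructed, check against your ASA version."""
    lines = []
    for i, (block, outside) in enumerate(plan, start=nat_id_start):
        lines.append(f"nat (inside) {i} {block.network_address} {block.netmask}")
        lines.append(f"global (outside) {i} {outside}")
    return lines

if __name__ == "__main__":
    print("single flat pool:", pat_addresses_needed(20000), "addresses")
    plan = plan_pat("10.0.0.0/16", "203.0.113.1", 20000)
    print(len(plan), "PAT statements, last:", plan[-1])
    print("\n".join(asa_nat_global_lines(plan)[:2]))
```

The /23 choice is not arbitrary: the per-block check shows that a /22 block at 100 sessions per host would need more ports than one outside address has, which is why the thread lands on 40 statements rather than 20.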
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 999 total points
ID: 36493953
@jmeggers: first create a NAT pool, then use the pool for dynamic NAT; if you have multiple internal subnets, you can use policy-based dynamic NAT to subdivide it further.
0
 

Author Closing Comment

by:memo12345678
ID: 36540916
Thanks to all.
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36544434
@ArneLovius  -- Thanks for the suggestion.
0
