Solved

NAT capacity

Posted on 2011-09-03
Last Modified: 2012-08-13
Dear,

      I have an ASA5580 firewall. I want to ask how many private IPs can access the outside through one public IP without decreasing the performance of the ASA (delay, CPU load, etc.).

The idea: I have 20,000 users. How many public IPs should I use for NAT so that the ASA's CPU is not loaded and performance stays high? Please give your recommendation...
Question by:memo12345678
Expert Comment

by:jmeggers
ID: 36480271
The 5580 can handle a lot but for NAT to a single address you're inherently limited by the 65535 ports. The 5580 can handle 2 million concurrent connections so 20,000 NATs shouldn't be a problem.
Author Comment

by:memo12345678
ID: 36480359
So you mean that if I make all my current 20,000 users go through a single IP (PAT), it doesn't affect the performance and delay of requests?!
Accepted Solution

by: jmeggers (earned 167 total points)
ID: 36483606
I can't tell you specifically that there will be no impact; I've never done that many concurrent PATs. I'm really trying to draw a conclusion based on other performance metrics, and I'm just saying I wouldn't expect there to be any significant impact, based on the total number of concurrent connections the box is capable of handling (2,000,000).
Assisted Solution

by: ArneLovius (earned 333 total points)
ID: 36484075
As each connection (not each internal host) will use a new NAT table entry, if the traffic for 20k users is going through a single address, it would be fine if each user just had a single SSH session, but not if they were browsing the internet.

While browsing the "modern" internet, each user should have the available capacity to have at least 100 sessions open; for 20k users that would be 2M sessions, which divided by 64k is 31.5, so I would allocate 33 addresses in your NAT pool.

If you used an internal proxy server, this could be significantly reduced.

Author Comment

by:memo12345678
ID: 36488007
Thanks a lot for this info.

Expert Comment

by:jmeggers
ID: 36491033
@ArneLovius:
I agree that multiple sessions will result in multiple translations. But I've never seen a configuration where multiple addresses are used for PAT in a single nat / global group configuration. In IOS, you can specify a range of addresses, then add the "overload" keyword, but I don't believe this option is available in the ASA; if you specify a single address, overload (PAT) is assumed.

The only option I can think of for the ASA is multiple NAT configurations where blocks of internal addresses are PATed to a single external address, and this is repeated. As you point out, you'd need 33 outside addresses, although if this approach was taken it would probably be easier to do it based on /23 blocks, in which case 40 NAT configurations would be required.

Is there another way you'd approach this, or is this what you had in mind?
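The sizing arithmetic from ArneLovius's answer (sessions per user times users, divided by the port budget of one address) and jmeggers's per-/23 alternative, as an added worked example that is not code from the thread. It assumes the 2,000,000-connection ceiling and the "64k" port budget quoted above (taken as 65,535 ports per address and protocol), and excludes network and broadcast addresses when counting hosts in a block.

```python
import math
from dataclasses import dataclass

# Figures quoted in the thread: 2,000,000 concurrent connections for the
# ASA 5580 and "64k" ports per PAT address (assumed here as 65,535).
ASA5580_MAX_CONNECTIONS = 2_000_000
PORTS_PER_ADDRESS = 65_535


@dataclass(frozen=True)
class PatPlan:
    sessions: int    # concurrent translations to budget for
    addresses: int   # public addresses the PAT pool needs
    fits_asa: bool   # stays within the box's connection ceiling


def size_pat_pool(users, sessions_per_user,
                  ports_per_address=PORTS_PER_ADDRESS,
                  max_connections=ASA5580_MAX_CONNECTIONS):
    """Each session consumes one (address, port) pair, so the pool must
    offer users * sessions_per_user of them (ArneLovius's sizing)."""
    sessions = users * sessions_per_user
    addresses = math.ceil(sessions / ports_per_address)
    return PatPlan(sessions, addresses, sessions <= max_connections)


def hosts_in_block(prefix_len):
    """Usable hosts in an IPv4 block (network and broadcast excluded)."""
    return 2 ** (32 - prefix_len) - 2


def block_fits_one_address(prefix_len, sessions_per_user,
                           ports_per_address=PORTS_PER_ADDRESS):
    """True if every host in one inside block can be PATed to a single
    outside address without exhausting its ports at this session load."""
    return hosts_in_block(prefix_len) * sessions_per_user <= ports_per_address


def largest_block_that_fits(sessions_per_user,
                            ports_per_address=PORTS_PER_ADDRESS):
    """Shortest prefix (largest block) whose hosts still fit one address."""
    for prefix_len in range(8, 31):
        if block_fits_one_address(prefix_len, sessions_per_user, ports_per_address):
            return prefix_len
    return None


def nat_rules_for_blocks(users, prefix_len):
    """Per-block PAT rules (one outside address each) needed to cover all
    users when inside space is carved into blocks (jmeggers's /23 idea)."""
    return math.ceil(users / hosts_in_block(prefix_len))
```

With 20,000 users at 100 sessions each, `size_pat_pool` returns 31 addresses (the thread rounds up to 33 for headroom), and `nat_rules_for_blocks(20000, 23)` reproduces the 40 per-/23 rules; a /22 block would overrun one address's ports at that load.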

Assisted Solution

by: ArneLovius (earned 333 total points)
ID: 36493953
@jmeggers: first create a NAT pool, then use the pool for dynamic NAT. If you have multiple internal subnets, you can use policy-based dynamic NAT to subdivide it further.

Author Closing Comment

by:memo12345678
ID: 36540916
Thanks to all.

Expert Comment

by:jmeggers
ID: 36544434
@ArneLovius  -- Thanks for the suggestion.