Solved

NAT capacity

Posted on 2011-09-03
398 Views
Last Modified: 2012-08-13
Dear ,

I have an ASA5580 firewall. I want to ask how many private IPs can access outside through one public IP without decreasing the performance of the ASA (delay, CPU load, etc.).

The idea is that I have 20,000 users; how many public IPs should I use for NAT without causing CPU load on the ASA and still having high performance? Please give your recommendation...
0
Question by:memo12345678
10 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36480271
The 5580 can handle a lot but for NAT to a single address you're inherently limited by the 65535 ports. The 5580 can handle 2 million concurrent connections so 20,000 NATs shouldn't be a problem.
0
 

Author Comment

by:memo12345678
ID: 36480359
So you mean if I make all my current 20,000 users go through a single IP (PAT), it doesn't affect the performance and request delay?!
0
 

 
LVL 18

Accepted Solution

by: jmeggers (earned 501 total points)
ID: 36483606
I can't tell you specifically that there will be no impact, I've never done that many concurrent PATs. I'm really trying to draw a conclusion based on other performance metrics, and I'm just saying I wouldn't expect there to be any significant impact based on total concurrent connections the box is capable of handling (2,000,000).
0
 
LVL 37

Assisted Solution

by: ArneLovius (earned 999 total points)
ID: 36484075
As each connection (not each internal host) will use a new NAT table entry, if the traffic for 20k users is going through a single address, it would be fine if each user just had a single SSH session, but not if they were browsing the internet.

While browsing the "modern" internet, each user should have the available capacity to have at least 100 sessions open; for 20k users that would be 2M sessions, which divided by 64k is 31.5, so I would allocate 33 addresses in your NAT pool.

If you used an internal proxy server, this could be significantly reduced.


0
 

Author Comment

by:memo12345678
ID: 36488007
Thanks a lot for this info.
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36491033
@ArneLovius:
I agree that multiple sessions will result in multiple translations. But I've never seen a configuration where multiple addresses are used for PAT in a single nat / global group configuration. In IOS, you can specify a range of addresses, then add the "overload" keyword, but I don't believe this option is available in the ASA; if you specify a single address, overload (PAT) is assumed.

The only option I can think of for the ASA is multiple NAT configurations where blocks of internal addresses are PATed to a single external address, and this is repeated. As you point out, you'd need 33 outside addresses, although if this approach was taken it would probably be easier to do it based on /23 blocks, in which case 40 NAT configurations would be required.

Is there another way you'd approach this, or is this what you had in mind?
0
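The sizing arithmetic behind ArneLovius's pool estimate and jmeggers's per-/23 alternative, written out as an added example that is not part of this thread and not Cisco's code. It assumes the thread's figure of roughly 64k source ports per public address (passed as a parameter so a smaller usable range can be used), plus a constructed per-address translation count table to show how an operator would spot a PAT address approaching port exhaustion.

```python
from math import ceil

# From the thread: one public address offers at most 65535 source ports.
# Assumption: the ASA keeps some low ports aside, so the usable range is
# smaller; callers can pass their own usable_ports value.
DEFAULT_USABLE_PORTS = 65535


def pat_addresses_needed(users, sessions_per_user,
                         usable_ports=DEFAULT_USABLE_PORTS, headroom=0.0):
    """Public addresses needed so every concurrent session gets a source port.

    headroom=0.1 keeps 10% of each address's ports spare for bursts."""
    total_sessions = users * sessions_per_user
    effective_ports = usable_ports * (1.0 - headroom)
    return ceil(total_sessions / effective_ports)


def max_users_per_address(sessions_per_user, usable_ports=DEFAULT_USABLE_PORTS):
    """Users one PAT address can carry before its ports run out."""
    return usable_ports // sessions_per_user


def nat_statements_for_blocks(users, block_prefix_len):
    """jmeggers's alternative: one PAT statement per inside block (e.g. /23)."""
    hosts_per_block = 2 ** (32 - block_prefix_len)
    return ceil(users / hosts_per_block)


def exhausted_addresses(xlate_counts, usable_ports=DEFAULT_USABLE_PORTS,
                        warn_ratio=0.8):
    """Return pool addresses whose translation count is near the port limit.

    Port exhaustion is an availability failure: new outbound sessions on
    that address fail until old translations time out, so alert early."""
    limit = usable_ports * warn_ratio
    return sorted(ip for ip, count in xlate_counts.items() if count >= limit)


if __name__ == "__main__":
    print(pat_addresses_needed(20000, 100))                 # 31
    print(pat_addresses_needed(20000, 100, headroom=0.1))   # 34
    print(max_users_per_address(100))                       # 655
    print(nat_statements_for_blocks(20000, 23))             # 40
    # Constructed sample: translations per pool address, as an operator
    # might tally them from the firewall's translation table.
    sample = {"203.0.113.10": 61200, "203.0.113.11": 12000,
              "203.0.113.12": 52500}
    print(exhausted_addresses(sample))  # ['203.0.113.10', '203.0.113.12']
```

A single SSH session per user fits 20,000 users on one address, while 100 browser sessions per user needs a pool of roughly 31 addresses before any safety margin.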
 
LVL 37

Assisted Solution

by: ArneLovius (earned 999 total points)
ID: 36493953
@jmeggers First create a NAT pool, then use the pool for dynamic NAT; if you have multiple internal subnets, you can use policy-based dynamic NAT to subdivide it further.
0
 

Author Closing Comment

by:memo12345678
ID: 36540916
Thanks to all.
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36544434
@ArneLovius  -- Thanks for the suggestion.
0