Solved

NAT capacity

Posted on 2011-09-03
Last Modified: 2012-08-13
Dear,

I have an ASA 5580 firewall. I want to ask how many private IPs can access outside through one public IP without decreasing the performance of the ASA (delay, CPU load, etc.).

The idea is: I have 20,000 users. How many public IPs should I use for NAT without loading the CPU of the ASA and while keeping high performance? Please give your recommendation...
Question by:memo12345678
10 Comments
LVL 18

Expert Comment

by:jmeggers
The 5580 can handle a lot but for NAT to a single address you're inherently limited by the 65535 ports. The 5580 can handle 2 million concurrent connections so 20,000 NATs shouldn't be a problem.

Author Comment

by:memo12345678
So this means that if I make all my current 20,000 users go through a single IP (PAT), it doesn't affect the performance and the delay of requests!!
LVL 18

Accepted Solution

by: jmeggers (earned 167 total points)
I can't tell you specifically that there will be no impact; I've never done that many concurrent PATs. I'm really trying to draw a conclusion based on other performance metrics, and I'm just saying I wouldn't expect there to be any significant impact, based on the total concurrent connections the box is capable of handling (2,000,000).
LVL 36

Assisted Solution

by: ArneLovius (earned 333 total points)
As each connection (not each internal host) will use a new NAT table entry, if the traffic for 20k users is going through a single address, it would be fine if each user just had a single SSH session, but not if they were browsing the internet.

While browsing the "modern" internet, each user should have the available capacity to have at least 100 sessions open; for 20k users that would be 2M sessions, which divided by 64k is 31.5, so I would allocate 33 addresses in your NAT pool.

If you used an internal proxy server, this could be significantly reduced.

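The per-connection port consumption Arne describes, as an added example that is not part of the original thread (Python, not ASA code): a small model of a PAT pool that sizes the pool for a given session count and shows a single address running out of ports. The usable source-port range (1024-65535), the 5% headroom and the documentation-range pool addresses are assumptions.

```python
from math import ceil

# Assumption: each public address can hand out source ports 1024-65535,
# i.e. 64512 translations at once; lower ports are left unused here.
USABLE_PORTS = 65535 - 1024 + 1


def pat_addresses_needed(users, sessions_per_user, headroom=0.05,
                         usable_ports=USABLE_PORTS):
    """Size a PAT pool: one port per concurrent connection, not per host.
    headroom adds spare capacity so a burst does not exhaust the last address."""
    concurrent = users * sessions_per_user
    return ceil(concurrent * (1 + headroom) / usable_ports)


class PatPool:
    """Minimal model of a PAT pool: a new connection takes one port on one
    address and is refused once every address in the pool is out of ports."""

    def __init__(self, public_ips, usable_ports=USABLE_PORTS):
        self.usable_ports = usable_ports
        self.ports_used = {ip: 0 for ip in public_ips}

    def translate(self):
        # Which inside host opens the connection is irrelevant: every
        # connection costs one (address, port) pair. First-fit over the pool.
        for ip, used in self.ports_used.items():
            if used < self.usable_ports:
                self.ports_used[ip] = used + 1
                return ip, 1024 + used
        return None  # port exhaustion: the connection cannot be translated

    def exhausted(self):
        return [ip for ip, used in self.ports_used.items()
                if used >= self.usable_ports]


def simulate(users, sessions_per_user, public_ips):
    """Open sessions_per_user connections for each user and report how many
    were refused for lack of a free (address, port) pair, plus full addresses."""
    pool = PatPool(public_ips)
    refused = sum(1 for _ in range(users) for _ in range(sessions_per_user)
                  if pool.translate() is None)
    return refused, pool.exhausted()


if __name__ == "__main__":
    # Constructed pool addresses from the 203.0.113.0/24 documentation range.
    print(pat_addresses_needed(20000, 100))            # 33
    print(simulate(20000, 4, ["203.0.113.1"]))         # (15488, ['203.0.113.1'])
```

With one address, 20k users each holding a single session fit, but four sessions each already leaves 15,488 connections untranslatable, which is the exhaustion the thread is sizing against.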

Author Comment

by:memo12345678
Thanks a lot for this info.
LVL 18

Expert Comment

by:jmeggers
@ArneLovius:
I agree that multiple sessions will result in multiple translations. But I've never seen a configuration where multiple addresses are used for PAT in a single nat / global group configuration. In IOS, you can specify a range of addresses, then add the "overload" keyword, but I don't believe this option is available in the ASA; if you specify a single address, overload (PAT) is assumed.

The only option I can think of for the ASA is multiple NAT configurations where blocks of internal addresses are PATed to a single external address, and this is repeated. As you point out, you'd need 33 outside addresses, although if this approach was taken it would probably be easier to do it based on /23 blocks, in which case 40 NAT configurations would be required.

Is there another way you'd approach this, or is this what you had in mind?
LVL 36

Assisted Solution

by: ArneLovius (earned 333 total points)
@jmeggers: First create a NAT pool, then use the pool for dynamic NAT. If you have multiple internal subnets, you can use policy-based dynamic NAT to subdivide it further.

Author Closing Comment

by:memo12345678
Thanks to all.
LVL 18

Expert Comment

by:jmeggers
@ArneLovius -- Thanks for the suggestion.