https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068858#M399567 <HTML><HEAD></HEAD><BODY><P>Hi Justin, </P><P></P><P>You can create 2147483647 translation on ASA, which is sufficient for your network setup, however the limit applies to number of ACL's that you can apply and it is platform dependent. </P><P>Notice that&nbsp; xlate consumes memory of ASA, so depending upon the RAM available, you could create xlates. Ideally, 256 Bytes are taken per xlate. So, for example, if you have 512 MB on ASA, you could create 262144 xlates. </P><P>let me know if you have any questions. </P><P></P><P>Regards</P><P>Gurpreet</P></BODY></HTML> Mon, 10 Sep 2012 15:37:29 GMT gurpsin2 2012-09-10T15:37:29Z https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068857#M399566 <P>Is there a cisco best practice on the maximum number of NAT statements on a Cisco ASA? We have a 5520 and a coworker is adding static NAT policies so a vendor can monitor around 1,029 nodes. The problem is each node inside is a 10.X.X.X and to keep the IPs from overlapping with other customers the vendor monitors they would like us to NAT to a 172.16.X.X scheme.</P> Tue, 26 Mar 2019 00:49:14 GMT https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068857#M399566 Justin Lenhart 2019-03-26T00:49:14Z https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068858#M399567 <HTML><HEAD></HEAD><BODY><P>Hi Justin, </P><P></P><P>You can create 2147483647 translation on ASA, which is sufficient for your network setup, however the limit applies to number of ACL's that you can apply and it is platform dependent. </P><P>Notice that&nbsp; xlate consumes memory of ASA, so depending upon the RAM available, you could create xlates. Ideally, 256 Bytes are taken per xlate. So, for example, if you have 512 MB on ASA, you could create 262144 xlates. </P><P>let me know if you have any questions. </P><P></P><P>Regards</P><P>Gurpreet</P></BODY></HTML> Mon, 10 Sep 2012 15:37:29 GMT https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068858#M399567 gurpsin2 2012-09-10T15:37:29Z https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068859#M399568 <HTML><HEAD></HEAD><BODY><P>Perfect. Thank you!</P></BODY></HTML> Mon, 10 Sep 2012 17:56:15 GMT https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068859#M399568 Justin Lenhart 2012-09-10T17:56:15Z https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068860#M399569 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you are configuring a setup with a L2L VPN between you and the vendor for example and you need to NAT your LAN IP addresses to another private IP range you dont necesarily have to do NAT statements for every single device.</P><P></P><P>Lets say you only had a /24 network full of nodes that need to be monitored, you could for example just NAT 10.10.10.0/24 to for example 172.30.50.0/24</P><P></P><P>This would mean that 10.10.10.1 would translate to 172.30.50.1. IP address 10.10.10.2 would translate to 172.30.50.2 and so on.</P><P></P><P>From your original post I got the impression that you were going to do a Static NAT command for each of the host when possibly the same could be achieved with a single NAT command.</P><P></P><P>The format of the NAT commands ofcourse depends on what software you are running on the ASA (software 8.2 and before OR 8.3 and after)</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 11 Sep 2012 06:49:56 GMT https://community.cisco.com/t5/network-security/too-many-nat-statements/m-p/2068860#M399569 Jouni Forss 2012-09-11T06:49:56Z