Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
0
Helpful
3
Replies

Too Many NAT Statements?

Go to solution
Justin Lenhart
Level 1
Level 1

‎09-10-2012 08:13 AM - last edited on ‎03-25-2019 05:49 PM by Community Manager

Is there a cisco best practice on the maximum number of NAT statements on a Cisco ASA? We have a 5520 and a coworker is adding static NAT policies so a vendor can monitor around 1,029 nodes. The problem is each node inside is a 10.X.X.X and to keep the IPs from overlapping with other customers the vendor monitors they would like us to NAT to a 172.16.X.X scheme.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gurpsin2
Level 1
Level 1

‎09-10-2012 08:37 AM

Hi Justin,

You can create 2147483647 translation on ASA, which is sufficient for your network setup, however the limit applies to number of ACL's that you can apply and it is platform dependent.

Notice that  xlate consumes memory of ASA, so depending upon the RAM available, you could create xlates. Ideally, 256 Bytes are taken per xlate. So, for example, if you have 512 MB on ASA, you could create 262144 xlates.

let me know if you have any questions.

Regards

Gurpreet

View solution in original post

0 Helpful
3 Replies 3

Go to solution
gurpsin2
Level 1
Level 1

‎09-10-2012 08:37 AM

Hi Justin,

You can create 2147483647 translation on ASA, which is sufficient for your network setup, however the limit applies to number of ACL's that you can apply and it is platform dependent.

Notice that  xlate consumes memory of ASA, so depending upon the RAM available, you could create xlates. Ideally, 256 Bytes are taken per xlate. So, for example, if you have 512 MB on ASA, you could create 262144 xlates.

let me know if you have any questions.

Regards

Gurpreet

0 Helpful

Go to solution
Justin Lenhart
Level 1
Level 1

‎09-10-2012 10:56 AM

Perfect. Thank you!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Justin Lenhart

‎09-10-2012 11:49 PM

Hi,

If you are configuring a setup with a L2L VPN between you and the vendor for example and you need to NAT your LAN IP addresses to another private IP range you dont necesarily have to do NAT statements for every single device.

Lets say you only had a /24 network full of nodes that need to be monitored, you could for example just NAT 10.10.10.0/24 to for example 172.30.50.0/24

This would mean that 10.10.10.1 would translate to 172.30.50.1. IP address 10.10.10.2 would translate to 172.30.50.2 and so on.

From your original post I got the impression that you were going to do a Static NAT command for each of the host when possibly the same could be achieved with a single NAT command.

The format of the NAT commands ofcourse depends on what software you are running on the ASA (software 8.2 and before OR 8.3 and after)

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card