01-17-2011 06:23 AM - edited 03-11-2019 12:36 PM
Hi,
We need to do more than 500 single IP-to-IP NATs and wonder if there is a limit on the ASA platform, or if it can do it?
01-17-2011 06:43 AM
Hi,
I don't think there's a hard-coded limit; it's limited by memory and CPU.
Just a thought... instead of doing more than 500 single IP to IP NAT, you can create a static NAT for a subnet.
For example:
Instead of doing:
static (in,out) 1.1.1.1 10.1.1.1
static (in,out) 1.1.1.2 10.1.1.2
.
.
.
static (in,out) 1.1.1.254 10.1.1.254
You can do:
static (in,out) 1.1.1.0 10.1.1.0 netmask 255.255.255.0
Obviously this will work if you can somehow group the IPs that you want to NAT in subnets.
Federico.
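The grouping Federico describes only works where a run of one-to-one mappings keeps the same offset on both sides and both sides fall on the same aligned block. As an added example (not from the thread or from Cisco), here is a small Python helper that takes a list of (mapped_ip, real_ip) pairs, merges every run that satisfies those two conditions into one `netmask` entry, and emits the remaining pairs as single-host lines, using the same pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` form shown above. The interface names `in`/`out` and the 256-address sample mapping are constructed for the example.

```python
import ipaddress
import math

# Constructed sample input: 256 one-to-one mappings that a poster would otherwise
# write as 256 separate 'static' lines (mapped 1.1.1.x -> real 10.1.1.x).
SAMPLE_PAIRS = [(f"1.1.1.{h}", f"10.1.1.{h}") for h in range(256)]


def _ip(addr):
    """IPv4 dotted-quad string -> integer."""
    return int(ipaddress.IPv4Address(addr))


def collapse_static_nat(pairs, real_ifc="in", mapped_ifc="out"):
    """Return ASA 'static' lines (pre-8.3 syntax, as used in the thread) that
    cover every (mapped_ip, real_ip) pair, merging runs into netmask entries
    wherever the mapping is a pure one-to-one shift of an aligned block."""
    mapping = {_ip(m): _ip(r) for m, r in pairs}
    if len(mapping) != len(pairs):
        raise ValueError("duplicate mapped address in input")
    ordered = sorted(mapping)
    lines = []
    i = 0
    while i < len(ordered):
        mapped = ordered[i]
        real = mapping[mapped]
        offset = real - mapped
        size = 1
        # Double the block while (a) both the mapped and the real start address are
        # aligned to the candidate block size and (b) every address in the new upper
        # half is present with the same mapped->real offset. Capped at a /8.
        while size < 2 ** 24:
            cand = size * 2
            if mapped % cand or real % cand:
                break
            if not all(mapping.get(mapped + k) == mapped + k + offset
                       for k in range(size, cand)):
                break
            size = cand
        m_str = str(ipaddress.IPv4Address(mapped))
        r_str = str(ipaddress.IPv4Address(real))
        if size == 1:
            lines.append(f"static ({real_ifc},{mapped_ifc}) {m_str} {r_str}")
        else:
            prefix = 32 - int(math.log2(size))
            mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
            lines.append(
                f"static ({real_ifc},{mapped_ifc}) {m_str} {r_str} netmask {mask}")
        # Every address in the block was verified present, so they occupy the next
        # 'size' slots of the sorted list.
        i += size
    return lines


if __name__ == "__main__":
    for line in collapse_static_nat(SAMPLE_PAIRS):
        print(line)
```

Run against a real address plan, the number of emitted lines tells you directly how many of the 500 mappings can be folded into subnet statics and how many must stay as individual host entries; a mapping whose real side is offset by a value that is not a multiple of the block size (for example, 1.1.1.1 to 10.1.1.5 beside 1.1.1.0 to 10.1.1.0) is deliberately left as a single-host line rather than being merged into an entry that would translate the wrong hosts.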
01-17-2011 06:48 AM
The issue is that we have over 500 devices in about 400 networks that each have to have another IP, and it must be one-to-one.
If I'm lucky maybe I can do it with a subnet, but most probably there will be some assignments that don't fit. Otherwise it should work, and we will need to route them internally with /26 or /27 and later with /32 anyway.
01-17-2011 11:05 AM
Hello,
Apart from memory issues, I don't think you will face any other problems when you configure so many one-to-one NAT rules. Make sure that your ASA has the maximum memory possible for the hardware and that the upstream device is blocking any unwanted traffic, e.g. any kind of DoS attack towards the servers/firewall. Another thing you need to be aware of is that your configuration will be too large to manage.
Hope this helps.
Regards,
NT
01-17-2011 12:56 PM
Your limitation will be memory. If you're going to have 500+ translations you will need more than the base memory in the 5505 and 5510.