08-25-2012 05:00 AM - edited 03-11-2019 04:46 PM
08-25-2012 06:22 AM
Hi Bro
The Firewall, when translating for NAT overload (or PAT), splits the available ports into three pools:
Low: 0-511
Mid: 512-1023
High: 1024-65535
When the Firewall initially starts to perform port translation, it begins with the lowest port number in each pool. This means the first packet sourced internally from a high port will be sent to the Internet could with a new source port of 1024. The next high port translation will go out with a source port of 1025, so on and so forth.
Here's a link to a Cisco document where you can find more about this;
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa13
P/S: If you think this comment is useful, please do rate it nicely :-)
08-25-2012 06:27 AM
Hi Manoharan,
Your questions is bit intresting and tough one to answer.
Typically for the dynamic NAT If you use access-list then 65535 is the limit. If other case of dynamic NAT is having the limit which is of huge range like 21474836478 is the limit where you can create nat and global commands.
When it comes for static NAT i guess that also has the same limit as such 65535.
Lets see what other experts say for this query.
Please do rate if the given information helps.
By
Karthik
02-20-2017 10:33 PM
Better late than never ;)
There is document http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/nat-rules.html#40794 saying that
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
So maximum number of NAT (in my exmaple PAT) translations depends on available memory, CPU speed and actual configuration of the ASA. In other words, there is no 65535 maximum.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide