Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6609
Views
5
Helpful
3
Replies

Cisco ASA 5520 Nat translation Max

MANOHARAN MUDALIAR
Level 1
Level 1

‎08-25-2012 05:00 AM - edited ‎03-11-2019 04:46 PM

Hello,
I am going with ASA 5520, Can any 1 help me to know how many NAT translation is possible.
Labels:
0 Helpful
3 Replies 3

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎08-25-2012 06:22 AM

Hi Bro

The Firewall, when translating for NAT overload (or PAT), splits the available ports into three pools:

Low: 0-511

Mid: 512-1023

High: 1024-65535

When the Firewall initially starts to perform port translation, it begins with the lowest port number in each pool. This means the first packet sourced internally from a high port will be sent to the Internet could with a new source port of 1024. The next high port translation will go out with a source port of 1025, so on and so forth.

Here's a link to a Cisco document where you can find more about this;

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa13

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7
Level 7

‎08-25-2012 06:27 AM

Hi Manoharan,

Your questions is bit intresting and tough one to answer.

Typically for the dynamic NAT If you use access-list then 65535 is the limit. If other case of dynamic NAT is having the limit which is of huge range like 21474836478 is the limit where you can create nat and global commands.

When it comes for static NAT i guess that also has the same limit as such 65535.

Lets see what other experts say for this query.

Please do rate if the given information helps.

By

Karthik

0 Helpful

dukenuk96
Level 3
Level 3

‎02-20-2017 10:33 PM

Better late than never ;)

There is document http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/nat-rules.html#40794 saying that 

-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.

So maximum number of NAT (in my exmaple PAT) translations depends on available memory, CPU speed and actual configuration of the ASA. In other words, there is no 65535 maximum.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card