The Firewall, when translating for NAT overload (or PAT), splits the available ports into three pools:
When the Firewall initially starts to perform port translation, it begins with the lowest port number in each pool. This means the first packet sourced internally from a high port will be sent to the Internet cloud with a new source port of 1024. The next high port translation will go out with a source port of 1025, and so on and so forth.
Here's a link to a Cisco document where you can find more about this;
Your question is a bit interesting and a tough one to answer.
Typically, for dynamic NAT, if you use an access-list then 65535 is the limit. The other case of dynamic NAT has a limit with a huge range, like 21474836478, where you can create nat and global commands.
When it comes to static NAT, I guess that also has the same limit, 65535.
There is a document, http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/nat-rules.html#40794, saying that:
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
So the maximum number of NAT (in my example PAT) translations depends on available memory, CPU speed and the actual configuration of the ASA. In other words, there is no 65535 maximum.
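
A toy model of the port allocation the answers above describe, added here as an illustration and not taken from the thread or from Cisco code: it hands out mapped ports from the lowest number in each pool and shows how extended PAT changes what has to be unique on one PAT address. The pool boundaries, all names, and the absence of xlate timeouts are assumptions.

```python
import ipaddress

# Assumed pool boundaries: the thread says "three pools" but the list is not on the page.
POOLS = [(1, 511), (512, 1023), (1024, 65535)]
BASE = ipaddress.ip_address("10.1.1.1")  # constructed inside addresses

def pool_for(src_port):
    """Return the (low, high) pool that a real source port falls into."""
    for lo, hi in POOLS:
        if lo <= src_port <= hi:
            return lo, hi
    raise ValueError("source port out of range")

class PatAddress:
    """One mapped (PAT) address for a single protocol; hypothetical model."""
    def __init__(self, extended=False):
        self.extended = extended
        self.next_port = {}  # (pool low, destination scope) -> next free mapped port
        self.xlates = {}     # translation key -> mapped source port

    def translate(self, src, dst):
        """src/dst are (ip, port). Returns the mapped port, or None if the pool is used up."""
        # Regular PAT ignores the destination; extended PAT makes it part of the key.
        scope = dst if self.extended else None
        key = (src, scope)
        if key in self.xlates:
            return self.xlates[key]
        lo, hi = pool_for(src[1])
        port = self.next_port.get((lo, scope), lo)  # lowest port in the pool first
        if port > hi:
            return None
        self.next_port[(lo, scope)] = port + 1
        self.xlates[key] = port
        return port

def fill_high_pool(pat, dst):
    """Open one translation per inside host toward dst until allocation fails."""
    n = 0
    while pat.translate((str(BASE + n), 1027), dst) is not None:
        n += 1
    return n
```

With regular PAT the high pool is spent after 64512 translations whatever the destination; with extended PAT the same mapped port can be reused for each new destination address and port, so the table is bounded by device resources instead.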