Solved: NAT Vs PAT

haithamnofal · ‎12-31-2006

Hi All,

I have one quick question about NAT config in ASA; I have done a configuration like this:

nat (inside) 1 0 0

global (outside) 1 x.x.x.6-x.x.x.9

But this configuration has caused me problems when more than 4 users was trying to connect at the same time. So, I had to PAT one IP of them as follows to make that work:

global (outside) 1 x.x.x.9

I was thinking that when doing NATing, as I was doing in the 1st place, PATing also will be taken care of if the NAT pool was not enough.

1- Can you please confirm to me how will NAT work then and whether each user will only get one IP only from the NAT pool or whether PATing will happen as well?

2- Also, what is the maximum number of users that 1 PAT IP can handle, and is it the # of users that is PATed or the # of connections?

Thanks,

Haitham

dstalls · ‎12-31-2006

Yup, you got it.

View solution in original post

dstalls · ‎12-31-2006

If you have two statements, one that lists a range of IPs, and one that lists just one IP, then the default will be for ASA to give out dedicated IPs for each client it can to fill up the IP range. Then once there are no more IPs available, it will start to PAT every subsequent inside host that needs to be NATed.

The number of connections one IP can support when using PAT, is roughly 65,500. It is based on the number of connections, not the number of IPs on the inside.

Cheers

haithamnofal · ‎12-31-2006

Thanks.. so, I understand from you that when configuring the following command:

global (outside) 1 x.x.x.6-x.x.x.8

that 3 hosts will only be allowed to initiate connections through the ASA? No PATing will take place when applying this command without the "global (outside) 1 x.x.x.9" command?

Regards,

Haitham

dstalls · ‎12-31-2006

Yup, you got it.