Re: PAT vs. NAT on the PIX

doxford · ‎11-19-2001

I'm installing a firewall for a WISP and am trying to find a list of limitations of using PAT on the PIX525. The safe decision is NAT however, many public IP's are needed. If I choose PAT, how am I limiting Internet access?

ontrack · ‎11-20-2001

The PIX can handle up to 64000 PAT connections, but in the real world you don't wont to PAT for more than about 4,000 - 5,000 connections. You can get very creative with this though. You can have multiple PAT pools and have each pool serve a single subnet on the inside. Or you can have a pool of NAT address to use and have the last address of the pool be a PAT.

shaneroach · ‎11-26-2001

Ontrack,

I am interested in learning more about the robustness of PAT. You say in real-world circumstances, no more than 4k-5k connections are desired in a PAT configuration. I presume this is per IP?

I am not an engineer, so please forgive my ignorance! I am an interested party in the use of PAT in a service environment.

My perception is that 4k-5k PAT connections for a single IP must see much more latency than a pool of IPs administered by dynamic NAT? Is this true, or is the inherent latency negligible?

Any insight you can lend is greatly appreciated.

jwitherell · ‎11-27-2001

The one thing I recall when we moved from NAT to PAT was a notice saying that certain multimedia applications, mainly in the streaming video category, had problems with PAT. In our environment, that wasn't too big a deal, and I have not heard any complaints to date. In an ISP environment, you may have more requirements in this area, though. If you search Cisco's website for PAT tips, I think you could find the exact tip somewhere in there.