01-05-2011 08:50 AM - edited 03-11-2019 12:30 PM
Hello,
I have a network of around 5000 users, of which around 1000 users max are active at any given time. Currently they are assigned public IP addresses. I need to assign them private IPs and NAT them when they go out to the internet. I have a Foundry 4802 in the network, but I am not sure if this device can take the load of NATting this many users. Does anyone have any idea about this? If not, what would be the best device to handle this load and possible expansion? Also, what NAT design would be good? Since 1000 users are active at peak time, should I do PAT or dynamic NAT?
Thank you.
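As an added illustration of the PAT-versus-dynamic-NAT question raised above (this is the editor's example, not configuration posted by anyone in the thread), here is how the two designs look on a Cisco ASA using the 8.3-and-later NAT syntax, since an ASA is what the replies recommend. The interface names, the 10.0.0.0/15 inside range and the 203.0.113.x public addresses are assumptions chosen for the example; substitute your own. Only one of the two `nat` statements is configured at a time, because an object can carry a single object-NAT rule.

```text
! Shared object: the inside user range (assumed 10.0.0.0/15, room for 5000 hosts).
object network INSIDE-USERS
 subnet 10.0.0.0 255.254.0.0

! Option A: PAT (overload) onto the outside interface address.
! Every inside host shares the one public IP; the ASA rewrites the source port,
! so one translation entry is created per connection, not per host.
object network INSIDE-USERS
 nat (inside,outside) dynamic interface

! Option B: dynamic NAT from a pool, with PAT fallback.
! Each active host is mapped 1:1 to a free pool address (191 addresses in this
! assumed range); the trailing "interface" keyword falls back to PAT on the
! outside address once the pool is exhausted.
object network NAT-POOL
 range 203.0.113.10 203.0.113.200
object network INSIDE-USERS
 nat (inside,outside) dynamic NAT-POOL interface

! Checks worth running at peak load on whichever device you evaluate.
show xlate count
show conn count
show cpu usage
show memory
```

Two sizing points follow from the example. Pure dynamic NAT needs roughly one public address per concurrently active host, so 1000 active users would need a pool of about 1000 public addresses before the PAT fallback stops doing most of the work; that is why PAT is the usual design when addresses are being reclaimed. PAT, in turn, has under 64k usable source ports per public address per transport protocol, so 1000 users each holding dozens of connections can approach exhaustion on a single address; giving PAT a small pool of addresses (a `range` object in place of `interface`) avoids that. `show xlate count` and `show conn count` at the busiest hour are the numbers to compare against a candidate platform's rated connection and translation limits.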
01-05-2011 10:24 AM
Although the switch you mention was an enterprise class device when it was introduced around 2001, it is an older device and the company appears to have been bought out (disclaimer: my comment about your switch is based on one minute of research), so unless avoiding any new expense is the only consideration, even if this device could provide adequate security along with NAT, you should consider a new Cisco ASA for your needs.
I’ll let the experts comment on which model, but I’m guessing an ASA 5510 would meet your performance and security needs nicely with room to grow.
Among other things, NAT is an address depletion solution. Not all designs, especially those with an abundance of available public addresses, require hiding addresses, or at least that’s what I’ve read in the Cisco Press ASA book.
01-05-2011 12:28 PM
Thanks for the response Icaruso.
I also might have a PIX 515 (64MB RAM) in spare with me. Would that also be good for the work and leave room for more?
01-05-2011 12:32 PM
Sorry I cannot speak to that. But hopefully someone familiar with that PIX model can answer your question.
01-05-2011 03:35 PM
Please kindly be advised that PIX515 has been EOLed since 2002:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice09186a008032d3b4.html
and the replacement chassis for PIX515, ie: PIX515E has also been EOLed:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html
I would suggest that you look into getting ASA firewalls, and here is the different model comparison for your reference:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
Hope that helps.
01-05-2011 03:52 PM
Thanks Jennifer for all the informational links. However I do have an unused PIX 515 with me, is it advisable to use it, or should I be concerned using a device which has been EOLed?
01-05-2011 03:57 PM
The only concern would be that you will be using an old version of software, and you will have no support from Cisco TAC anymore if there is any failure with the PIX firewall. Since it will be passing traffic for 5000 users, I would be concerned if it does break. And with any computing/electronic device, you never know when it could break.
01-05-2011 08:10 PM
None of my business, of course, but with an organization of 5,000 users, one would hope they could allocate resources for a new firewall. I would put some efforts into educating the decision makers about the technology arena, where unfortunately, devices that are several years old are usually inadequate in terms of performance, management, and supportability.
01-06-2011 08:32 AM
Thanks for guiding me on this Jennifer and Icaruso.
01-06-2011 10:42 AM
Make sure you get more input from a Cisco representative on which ASA model best fits your requirements. I was only guessing about the 5510.
1,000 simultaneous connections is a hefty load, so you'll want to get the ASA platform selection correctly sized and you'll want some decent bandwidth to the Internet.
What kind of connection do you or will you have to the Internet?