Selecting a NAT device

network_user (Level 1)

Hello,

I have a network of around 5000 users, out of which around 1000 users max are active at any given time. Currently they are assigned public IP addresses. I need to assign them private IPs and NAT them when they go out to the Internet. I have a Foundry 4802 in the network, but I am not sure if this device can take the load of NATing this many users. Does anyone have any idea about this? If not, what should be the best device to handle this load and possible expansion? Also, what NAT design would be good? Since 1000 users are active at peak time, should I do PAT or Dynamic NAT?

Thank you.
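To make the PAT-versus-dynamic-NAT question in the post concrete, here is an added toy model (not code from the thread, and not any vendor's NAT engine). It assumes a constructed pool of eight public addresses from the 198.51.100.0/24 documentation range, 1000 constructed inside hosts in 10.0.0.0/8, and three outbound flows per host; timeouts, TCP state and hairpinning are deliberately left out. Dynamic NAT consumes one public address per active inside host, so once the pool is smaller than the number of concurrent hosts, every further host is refused; PAT (NAT overload) multiplexes hosts onto one address by port, so the same pool serves all 1000. The model also keeps the translation log, because with PAT the pair (public IP, public port) at a given time is the only thing that lets you attribute an abuse report or an IDS alert back to an inside host.

```python
"""Toy model of dynamic NAT (one public address per inside host) versus
PAT / NAT overload (many hosts per public address, distinguished by port).

Added example, not from the thread. Pool, inside hosts and flows are
constructed; the port range per public address is an assumption.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional

PAT_FIRST_PORT = 1024   # assumption: ports 1024-65535 usable per public IP
PAT_LAST_PORT = 65535


@dataclass(frozen=True)
class Translation:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    dest: str


class NatTable:
    """A single translation table in 'dynamic' or 'pat' mode."""

    def __init__(self, mode: str, pool: List[str]) -> None:
        if mode not in ("dynamic", "pat"):
            raise ValueError(f"unknown NAT mode: {mode}")
        self.mode = mode
        self.free_addresses = list(pool)            # dynamic: public IPs not yet assigned
        self.host_to_public: Dict[str, str] = {}    # dynamic: inside host -> public IP
        self.port_counters = {ip: count(PAT_FIRST_PORT) for ip in pool}  # pat: next free port
        self.entries: List[Translation] = []        # translation log (the forensic record)
        self.dropped = 0                            # flows refused for lack of resources

    def translate(self, inside_ip: str, inside_port: int, dest: str) -> Optional[Translation]:
        if self.mode == "dynamic":
            public = self.host_to_public.get(inside_ip)
            if public is None:
                if not self.free_addresses:
                    self.dropped += 1       # pool exhausted: this host gets no translation
                    return None
                public = self.free_addresses.pop(0)
                self.host_to_public[inside_ip] = public
            entry = Translation(inside_ip, inside_port, public, inside_port, dest)
        else:
            entry = None
            for public, ports in self.port_counters.items():
                port = next(ports)
                if port <= PAT_LAST_PORT:
                    entry = Translation(inside_ip, inside_port, public, port, dest)
                    break
            if entry is None:
                self.dropped += 1           # every port on every public IP is in use
                return None
        self.entries.append(entry)
        return entry

    def hosts_translated(self) -> int:
        """Number of distinct inside hosts that obtained at least one translation."""
        return len({e.inside_ip for e in self.entries})

    def who_was(self, outside_ip: str, outside_port: int) -> Optional[str]:
        """Answer an abuse report: which inside host held this public (IP, port)?"""
        for e in self.entries:
            if (e.outside_ip, e.outside_port) == (outside_ip, outside_port):
                return e.inside_ip
        return None


def simulate(mode: str, pool: List[str], active_hosts: int, flows_per_host: int = 3) -> NatTable:
    """Give each of `active_hosts` constructed inside hosts `flows_per_host` outbound flows."""
    table = NatTable(mode, pool)
    for h in range(active_hosts):
        inside_ip = f"10.0.{1 + h // 200}.{1 + h % 200}"   # constructed RFC 1918 addresses
        for f in range(flows_per_host):
            table.translate(inside_ip, 40000 + f, "203.0.113.80:443")  # constructed destination
    return table


if __name__ == "__main__":
    pool = [f"198.51.100.{i}" for i in range(1, 9)]   # constructed 8-address public pool
    for mode in ("dynamic", "pat"):
        t = simulate(mode, pool, active_hosts=1000)
        print(f"{mode:8s} hosts online={t.hosts_translated():4d} flows dropped={t.dropped}")
```

Running it shows dynamic NAT serving only 8 of the 1000 hosts and refusing the rest, while PAT serves all of them from the first address alone; the `who_was` lookup is the operation your NAT logging and retention has to support whichever design you pick, since the public address no longer identifies a single user.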

9 Replies

lcaruso (Level 6)

Although the switch you mention was an enterprise class device when it was introduced around 2001, it is an older device and the company appears to have been bought out (disclaimer: my comment about your switch is based on one minute of research), so unless avoiding any new expense is the only consideration, even if this device could provide adequate security along with NAT, you should consider a new Cisco ASA for your needs.

I’ll let the experts comment on which model, but I’m guessing an ASA 5510 would meet your performance and security needs nicely with room to grow.

Among other things, NAT is an address depletion solution. Not all designs, especially those with an abundance of available public addresses, require hiding addresses, or at least that’s what I’ve read in the Cisco Press ASA book.

Thanks for the response, lcaruso.

I also might have a spare PIX 515 (64 MB RAM) with me. Would that also be good for the work and leave room for more?

Sorry I cannot speak to that. But hopefully someone familiar with that PIX model can answer your question.

Please kindly be advised that PIX515 has been EOLed since 2002:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice09186a008032d3b4.html

and the replacement chassis for PIX515, i.e. PIX515E, has also been EOLed:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

I would suggest that you look into getting ASA firewalls, and here is the different model comparison for your reference:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Hope that helps.

Thanks Jennifer for all the informational links. However, I do have an unused PIX 515 with me; is it advisable to use it, or should I be concerned about using a device which has been EOLed?

The only concern would be that you will be using an old version of software, and you will have no support from Cisco TAC anymore if there is any failure with the PIX firewall. Since it will be passing traffic for 5000 users, I would be concerned if it does break. And with any computing/electronic device, you never know when it could break.

None of my business, of course, but with an organization of 5,000 users, one would hope they could allocate resources for a new firewall. I would put some efforts into educating the decision makers about the technology arena, where unfortunately, devices that are several years old are usually inadequate in terms of performance, management, and supportability.

Thanks for guiding me on this, Jennifer and lcaruso.

Make sure you get more input from a Cisco representative on which ASA model best fits your requirements. I was only guessing about the 5510.

1,000 simultaneous connections is a hefty load, so you'll want to get the ASA platform selection correctly sized and you'll want some decent bandwidth to the Internet.

What kind of connection do you or will you have to the Internet?
