Re: translation limit on pix/asa

suthomas1 · ‎08-20-2009

Hi,

Is there any limits on amount of translation that pix/asa can handle concurrently. Any commands to see this & for correcting it.

Thanks.

andrew.prince · ‎08-21-2009

65535 is the limit for translation slots, this of course refers to PAT and not static NAT.

The limit is set by the amount of TCP/UDP ports numbers available in the TCP/IP stack.

HTH>

hschaefers · ‎08-21-2009

Correct.

If you're reaching the theoretical limit of translations, you should be investing in more IP's for further translations.

Ports 1024+ is available of the 65535 for each IP you use.

However please note:

Depending on your ASA/PIX your unit may have lower limits on max translations based on its processor and memory capabilities.

jan.nielsen · ‎08-21-2009

Also, just a heads up if youre using ASA5505, you have a host license, which can be 10, 50 or unlimited users going through the asa at the same time.

rameshwar · ‎10-23-2009

Can you please tell me how me how many muximum ip address can be natted with single public ip address.

andrew.prince · ‎10-23-2009

1:1 NAT = 1

1:Many PAT = 65535

HTH>

rameshwar · ‎10-26-2009

Thnx Andrew,

Did you meen to say, i can nat 65535 IP addresses to one IP address?

andrew.prince · ‎10-26-2009

Not really!! with a 1:many - you will be using Port Address Tranlsation. You could have 1000 internal IP addresses and NAT them to 1 external IP address - and the ASA will have a PAT translation table with specific translation ports.

You could only have 1 internal IP and you could make 10,000 seperate outbound connections to the internet and the same priciple applies.

For every seperate outbound connection, the ASA creates 1 x PAT table entry. So that would be 65535-1 = 65534 left.

HTH>

rameshwar · ‎11-05-2009

Thnx adrew,

If you have any document on this then please share with me.

andrew.prince · ‎11-05-2009

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html