04-05-2019 04:03 AM
Hi,
If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536? Based on the number of ports (0 to 65535), since there is only one IP address here for translation.
04-05-2019 04:07 AM
Hello
@getaway51 wrote:
Hi,
If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536? Based on the number of ports (0 to 65535), since there is only one IP address here for translation.
Correct -
01-12-2020 06:44 PM
Hi,
Can I say that 65K concurrent connections is not many, and could be insufficient since there are too many outgoing connections to the Internet?
If one IP used as the source for Internet NAT equals 65K, do 2 public IPs equal 65K x 2 connections?
I am asking this because in an organization there could be a few thousand employees, each with around 10-100+ TCP/UDP connections to the Internet usually. Therefore, is one public IP for outgoing NAT enough?
04-05-2019 04:53 AM - edited 04-05-2019 04:54 AM
Hi,
As per my knowledge, most devices will start the source port between 1024 and 65535. But it is not always true.
As per RFC 2663:
For the reminder of this document, we will refer TCP/UDP ports associated with an IP address simply as "TU ports". For most TCP/IP hosts, TU port range 0-1023 is used by servers listening for incoming connections. Clients trying to initiate a connection typically select a source TU port in the range of 1024-65535. However, this convention is not universal and not always followed. Some client stations initiate connections using a source TU port number in the range of 0-1023, and there are servers listening on TU port numbers in the range of 1024-65535.
https://tools.ietf.org/html/rfc2663
04-05-2019 05:20 AM
Hi @getaway51 ,
Review what this Cisco guide says:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html
PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.
Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list).
Regards
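As an added illustration of the PAT behaviour in the guide quoted above (example code written for this thread, not Cisco's or the poster's): a small Python model that keeps the real source port when free, otherwise picks a mapped port from the same range (0-511, 512-1023, 1024-65535), and shows how quickly the sub-1024 ranges exhaust. The PatPool class, the capacity() sizing helper and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Ranges a mapped port is chosen from, per the quoted ASA guide:
# the mapped port comes from the same range as the real source port.
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def port_range(port: int) -> tuple[int, int]:
    """Return the (low, high) PAT range a real source port falls in."""
    for low, high in PORT_RANGES:
        if low <= port <= high:
            return low, high
    raise ValueError(f"port out of range: {port}")


@dataclass
class PatPool:
    """Simplified many-to-one PAT on a single mapped (public) address."""
    mapped_ip: str
    # mapped_port -> (real_ip, real_port); one table because there is one mapped IP
    used: dict = field(default_factory=dict)

    def translate(self, real_ip: str, real_port: int):
        """Allocate a mapped port for one connection.
        Prefer the real port; else scan its range. None when that range is full."""
        if real_port not in self.used:
            self.used[real_port] = (real_ip, real_port)
            return self.mapped_ip, real_port
        low, high = port_range(real_port)
        for candidate in range(low, high + 1):
            if candidate not in self.used:
                self.used[candidate] = (real_ip, real_port)
                return self.mapped_ip, candidate
        return None  # this port range is exhausted; the connection fails

    def release(self, mapped_port: int) -> None:
        """Free a mapped port once the translation times out."""
        self.used.pop(mapped_port, None)


def capacity(public_ips: int, hosts: int, conns_per_host: int) -> tuple[int, int]:
    """Sizing check from the thread: (translations needed, high-range ports available)."""
    available = public_ips * (65535 - 1024 + 1)   # 64512 usable ports per mapped IP
    return hosts * conns_per_host, available
```

Run capacity(1, 2000, 50) to see that a few thousand hosts at tens of connections each need more high-range translations than a single mapped address offers, which is the sizing concern raised earlier in the thread.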
01-12-2020 07:30 PM
Hello,
on a side note, the only real limit for the number of NAT entries your device can accommodate is the amount of DRAM. 10,000 entries use up about 3MB of DRAM, so most devices can handle much more than 65535 entries.
If you want to, you can limit the amount of entries with the global command:
ip nat translation max-entries <1-2147483647>