2497 Views | 0 Helpful | 5 Replies

For overload many to one NAT translation, what is the maximum concurrent NAT connections?

getaway51
Level 2

Hi,

 

If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536, based on the number of ports (0 to 65535), since there is only one IP address here for translation?

5 Replies

Hello


@getaway51 wrote:

    Hi,

    If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536, based on the number of ports (0 to 65535), since there is only one IP address here for translation?

Correct -


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

Can I say that 65K concurrent connections is not many, and could be insufficient when there are too many outgoing connections to the Internet?

If one IP used as the source for Internet NAT equals 65K, do 2 public IPs equal 65K x 2 connections?

I am asking this because in an organization there could be a few thousand employees, each with around 10-100+ TCP/UDP connections to the Internet usually. Therefore, is one public IP for outgoing NAT enough?

 

Deepak Kumar
VIP Alumni

Hi,

As per my knowledge, most devices will start the source port between 1024 and 65535. But it is not always true.

 

As per RFC 2663:

 

For the remainder of this document, we will refer TCP/UDP ports associated with an IP address simply as "TU ports". For most TCP/IP hosts, TU port range 0-1023 is used by servers listening for incoming connections. Clients trying to initiate a connection typically select a source TU port in the range of 1024-65535. However, this convention is not universal and not always followed. Some client stations initiate connections using a source TU port number in the range of 0-1023, and there are servers listening on TU port numbers in the range of 1024-65535.

 

https://tools.ietf.org/html/rfc2663

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

luis_cordova
VIP Alumni

Hi @getaway51 ,

 

Review what this Cisco guide says:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html

 

Information About PAT

 

PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.

 

Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

 

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list).

 

Regards
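As an added example (not from the Cisco guide, and not posted by anyone in this thread), the following Python model implements the PAT allocation rules quoted above (reuse the real source port when free, otherwise pick a free port from the same range: 0-511, 512-1023, 1024-65535, one translation per flow) and then runs the capacity question from the follow-up post: a few thousand inside hosts with tens of flows each behind one or two public IPs. The mapped IPs (203.0.113.x), host counts and flow counts are constructed sample values, and the model assumes clients use ephemeral source ports from 1024 upward, which RFC 2663 describes as the typical case.

```python
"""PAT (many-to-one NAT) port-pool model.

Added example, not from the Cisco guide or from any poster in this thread.
It implements the allocation rules the guide describes: every (real IP,
real port) flow needs its own mapped port; the real source port is reused
when it is free; otherwise a free port from the same range as the real
port (0-511, 512-1023, 1024-65535) is taken. Mapped IPs, host counts and
flow counts below are constructed sample values.
"""
from math import ceil

PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def port_range(port):
    """Return the (low, high) PAT range a port belongs to."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


class PatPool:
    """Translation table for one or more mapped (public) IPs."""

    def __init__(self, mapped_ips):
        self.mapped_ips = list(mapped_ips)
        # Free mapped ports, kept per (mapped IP, range) so lookups stay O(1).
        self.free = {(ip, lo): set(range(lo, hi + 1))
                     for ip in self.mapped_ips for lo, hi in PORT_RANGES}
        # Active translations: (mapped IP, mapped port) -> (real IP, real port)
        self.active = {}

    def capacity(self):
        """Theoretical maximum: 65536 ports per mapped IP."""
        return 65536 * len(self.mapped_ips)

    def active_count(self):
        return len(self.active)

    def translate(self, real_ip, real_port):
        """Allocate a (mapped IP, mapped port) for a new flow, or None if the
        matching port range is exhausted on every mapped IP."""
        lo, _ = port_range(real_port)
        # Preferred: keep the real source port if any mapped IP still has it.
        for ip in self.mapped_ips:
            if real_port in self.free[(ip, lo)]:
                return self._take(ip, lo, real_port, real_ip, real_port)
        # Fallback: any free port from the same range as the real port.
        for ip in self.mapped_ips:
            pool = self.free[(ip, lo)]
            if pool:
                return self._take(ip, lo, next(iter(pool)), real_ip, real_port)
        return None  # PAT pool exhausted for this range

    def _take(self, ip, lo, mapped_port, real_ip, real_port):
        self.free[(ip, lo)].remove(mapped_port)
        self.active[(ip, mapped_port)] = (real_ip, real_port)
        return ip, mapped_port

    def release(self, mapped_ip, mapped_port):
        """Expire a translation (per the guide, 30 s after the connection ends)."""
        real = self.active.pop((mapped_ip, mapped_port))
        lo, _ = port_range(mapped_port)
        self.free[(mapped_ip, lo)].add(mapped_port)
        return real


def simulate(mapped_ips, hosts, flows_per_host, first_port=1024):
    """Open flows_per_host connections from each inside host, each with a
    distinct ephemeral source port, and count how many PAT could translate.
    Returns (translated, failed)."""
    pool = PatPool(mapped_ips)
    translated = failed = 0
    for h in range(hosts):
        real_ip = f"10.{(h >> 8) & 255}.{h & 255}.1"  # constructed inside host
        for i in range(flows_per_host):
            if pool.translate(real_ip, first_port + i) is None:
                failed += 1
            else:
                translated += 1
    return translated, failed


def public_ips_needed(hosts, flows_per_host, ephemeral_ports=65535 - 1024 + 1):
    """Mapped IPs required if clients only use ports 1024-65535 (the typical
    case in RFC 2663) and every flow is concurrent."""
    return ceil(hosts * flows_per_host / ephemeral_ports)


if __name__ == "__main__":
    for ips in (["203.0.113.1"], ["203.0.113.1", "203.0.113.2"]):
        ok, lost = simulate(ips, hosts=3000, flows_per_host=50)
        print(f"{len(ips)} mapped IP(s): {ok} translated, {lost} failed")
    print("mapped IPs needed:", public_ips_needed(3000, 50))
```

Two things the model makes visible that the prose only states: ports below 1024 form a tiny pool (512 inside flows from real port 80 fill the 0-511 range, the 513th gets no translation), and 3000 hosts with 50 concurrent flows each exceed a single public IP's 1024-65535 range by a wide margin, so a second mapped IP roughly doubles what can be translated but still does not cover the load.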

Hello,

 

On a side note, the only real limit for the number of NAT entries your device can accommodate is the amount of DRAM. 10,000 entries use up about 3MB of DRAM, so most devices can handle much more than 65535 entries.

 

If you want to, you can limit the amount of entries with the global command:

 

ip nat translation max-entries <1-2147483647>

 
