362 Views, 0 Helpful, 5 Replies
Participant

For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hi,

If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536, based on the number of ports (0 to 65535), since there is only one IP address here for translation?

5 REPLIES
VIP Mentor

Re: For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hello

@getaway51 wrote:

Hi,

If I NAT from inside to outside using dynamic port address translation (many to one), how many concurrent connections does it support? Can I say 65536, based on the number of ports (0 to 65535), since there is only one IP address here for translation?

Correct -



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Participant

Re: For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hi,

Can I say that 65K concurrent connections is not many, and could be insufficient since there are too many outgoing connections to the Internet?

If one IP used as the source for Internet access via NAT equals 65K connections, do 2 public IPs equal 65K x 2 connections?

I am asking this because in an organization there could be a few thousand employees, each usually with around 10-100+ TCP/UDP connections to the Internet. Therefore, is one public IP for outgoing NAT enough?

VIP Advocate

Re: For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hi,

As per my knowledge, most devices will choose a source port between 1024 and 65535. But it is not always true.

 

As per RFC 2663:

 

For the remainder of this document, we will refer to TCP/UDP ports associated with an IP address simply as "TU ports". For most TCP/IP hosts, TU port range 0-1023 is used by servers listening for incoming connections. Clients trying to initiate a connection typically select a source TU port in the range of 1024-65535. However, this convention is not universal and not always followed. Some client stations initiate connections using a source TU port number in the range of 0-1023, and there are servers listening on TU port numbers in the range of 1024-65535.

 

https://tools.ietf.org/html/rfc2663

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
VIP Advisor

Re: For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hi @getaway51 ,

 

Review what this Cisco guide says:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html

 

Information About PAT

 

PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.

 

Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

 

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list).

 

Regards
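The two questions running through this thread (whether one public IP really gives about 65K sessions, and how the PAT allocation and 30-second idle expiry quoted from the ASA guide above behave in practice) can be tried out in a small model. The following Python is an added example, not code from the thread, from Cisco, or from RFC 2663. `PatTable`, `session_upper_bound` and `low_pool_exhaustion` are names chosen here; the 203.0.113.x and 10.0.x.x addresses, real port 500 and the timestamps are constructed sample values.

```python
"""Toy model of PAT (overload NAT) port allocation and session accounting.

Added example, not code from the Cisco Community thread, from Cisco, or from
RFC 2663. It models the ASA behaviour quoted in the thread: one mapped IP, the
real source port is reused when free, otherwise a mapped port is taken from the
same range as the real port (0-511, 512-1023, 1024-65535), and idle
translations expire after 30 seconds. It also gives the port-count upper bound
behind the "one public IP = 65K sessions" question. All IPs, ports and
timestamps are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))  # ranges from the quoted guide
IDLE_TIMEOUT = 30.0  # seconds, from the quoted guide

RealKey = Tuple[str, int, str]  # (real_ip, real_port, protocol)


@dataclass
class Translation:
    mapped_port: int
    last_seen: float


@dataclass
class PatTable:
    """Translation table for a single mapped (public) IP address."""
    mapped_ip: str
    max_entries: Optional[int] = None  # plays the role of 'ip nat translation max-entries'
    by_real: Dict[RealKey, Translation] = field(default_factory=dict)
    used_mapped: Set[Tuple[int, str]] = field(default_factory=set)  # (mapped_port, proto)

    @staticmethod
    def _range_for(port: int) -> Tuple[int, int]:
        for lo, hi in PORT_RANGES:
            if lo <= port <= hi:
                return lo, hi
        raise ValueError(f"port {port} outside 0-65535")

    def translate(self, real_ip: str, real_port: int, proto: str, now: float) -> Optional[int]:
        """Return the mapped port for this flow, allocating one if needed.

        Returns None when the table is full or when the pool for the real
        port's range has no free port left (the pools below 1024 run out first).
        """
        key = (real_ip, real_port, proto)
        xlate = self.by_real.get(key)
        if xlate is not None:  # existing session: refresh its idle timer
            xlate.last_seen = now
            return xlate.mapped_port
        if self.max_entries is not None and len(self.by_real) >= self.max_entries:
            return None
        lo, hi = self._range_for(real_port)
        # Port preservation first, then any free port in the same range.
        for port in [real_port, *range(lo, hi + 1)]:
            if (port, proto) not in self.used_mapped:
                self.by_real[key] = Translation(port, now)
                self.used_mapped.add((port, proto))
                return port
        return None

    def expire(self, now: float) -> int:
        """Drop translations idle longer than IDLE_TIMEOUT; return how many."""
        stale = [k for k, x in self.by_real.items() if now - x.last_seen > IDLE_TIMEOUT]
        for key in stale:
            xlate = self.by_real.pop(key)
            self.used_mapped.discard((xlate.mapped_port, key[2]))
        return len(stale)


def session_upper_bound(public_ips: int, usable_ports: int = 65536) -> int:
    """Hard ceiling on concurrent sessions per transport protocol: one mapped
    port per session per public IP (TCP and UDP have separate port spaces)."""
    return public_ips * usable_ports


def low_pool_exhaustion(clients: int = 600) -> int:
    """Constructed scenario: many clients all sourcing from real port 500.
    Only mapped ports 0-511 are eligible, so at most 512 translations succeed."""
    table = PatTable("203.0.113.1")
    ok = 0
    for i in range(clients):
        if table.translate(f"10.0.{i // 256}.{i % 256}", 500, "tcp", now=0.0) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    print("session ceiling per protocol with 2 public IPs:", session_upper_bound(2))
    print("translations obtained by 600 clients on real port 500:", low_pool_exhaustion())
```

The ceiling is per public IP and per transport protocol, so two addresses do double it, as the second post guesses; the more practical failure mode the model shows is that clients whose real source port falls below 1024 compete for a pool of only 512 mapped ports, which is exhausted long before the 1024-65535 pool is.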

VIP Mentor

Re: For overload many to one NAT translation, what is the maximum concurrent NAT connections?

Hello,

 

On a side note, the only real limit for the number of NAT entries your device can accommodate is the amount of DRAM. 10,000 entries use up about 3MB of DRAM, so most devices can handle much more than 65535 entries.

 

If you want to, you can limit the amount of entries with the global command:

 

ip nat translation max-entries <1-2147483647>