topic Re: to NAT pool or not in General Topics

to NAT pool or not

marsan — Mon, 02 Aug 2010 21:36:46 GMT

Hi all,

We have a brand new 2050 that is going to be used to support a school district with about 5000 students.... so we expect, eventually, to have about 5000 to 6000 hosts going out to the internet. And we have access to a full class C public block.

The question that I have is: should we set this PA2050 to use a NAT pool or would setting it as "one-to-many" (where I would use only one public IP number for all my outgoing traffic) will be enough.

I would think that a pool makes more sense since it would eliminate the risk of having large amounts of traffic coming from the same IP number and therefore been tagged as spam.... but why would that matter if there would be 64K session coming from the same IP (Dynamic IP/Pool) before the next available IP gets used? Any feedback will be appreciated.

Re: to NAT pool or not

acamacho — Mon, 02 Aug 2010 22:05:54 GMT

Hello Marsan

Best practice is using NAT with Many to One, and as long as you use threat prevention to protect your incoming/outgoing traffic that will help as well.

If you have any other questions please do let us know.

Re: to NAT pool or not

ncampagna — Tue, 10 Aug 2010 14:53:56 GMT

To add to that, the PA-2050 supports oversubscription of ports when using dynamic IP and port network address translation. If your traffic is going to diverse destinations, the source port may be used twice. So in your situation, you can support over 120,000 sessions on a single public IP. This has the obvious advantage that you can support more sessions than would be supported by the number of IPs/ports you have in your NAT pool.

Example:

User A connects to Google.com

User B connects to Yahoo.com

Since the traffic is destined to different locations, the source port may be used for both (in the case that all of your ports are occupied by NAT traffic). So the first flow, User A > Google.com, may be from public IP 1.1.1.1 and port 23001 and the second flow, User B > Yahoo.com, may also be from public IP 1.1.1.1 and port 23001. The firewall can properly route the traffic to the correct host because it has a mapping between the destination and the original source address and port.

I hope this helps!

Nick Campagna

Re: to NAT pool or not

KiCheon.Lee — Mon, 27 May 2013 04:54:29 GMT

Hello ncampagna,

I have helpful assistance by your comment.

Thanks a million.

I have more question.

What available number of same source port does FW have at different destination address???

Thanks.

Re: to NAT pool or not

SilverTiger — Mon, 27 May 2013 12:00:23 GMT

An Nyeonghaseyo

Ga jang nim

Even though connect different dst address It will be used Source port about 64K

I wish You recommend me Like 乃

Re: to NAT pool or not

ncampagna — Tue, 28 May 2013 13:24:22 GMT

Hi Cheon,

You can find the total number on each platform's specsheet. For example, the PA-5060 can reuse each available source port up to 8 times (this is called DIPP oversubscription on the specsheet). Since the available port range is roughly 1k-64k, it can use 63k source ports, with each creating up to 8 sessions if they're destined to different hosts.

Thanks,

Nick

Re: to NAT pool or not

SilverTiger — Tue, 28 May 2013 15:07:43 GMT

while it set Many to one Public IP Address(PAT)
When Trust Private IP Address(192.168.0.1 - 192.168.255.254) try to connect Untrust same dst ip address or diffrent dst ip address

eventually Trust Private IP Address area have to use sharing source port within(64K).

is it right?

Re: to NAT pool or not

VinceM — Tue, 28 May 2013 15:11:33 GMT

Hi,

No, it will be one port per private IP (whatever the destination same or not).

Rgds