We have a brand new 2050 that is going to be used to support a school district with about 5000 students.... so we expect, eventually, to have about 5000 to 6000 hosts going out to the internet. And we have access to a full class C public block.
The question that I have is: should we set this PA2050 to use a NAT pool or would setting it as "one-to-many" (where I would use only one public IP number for all my outgoing traffic) will be enough.
I would think that a pool makes more sense since it would eliminate the risk of having large amounts of traffic coming from the same IP number and therefore been tagged as spam.... but why would that matter if there would be 64K session coming from the same IP (Dynamic IP/Pool) before the next available IP gets used? Any feedback will be appreciated.
Best practice is using NAT with Many to One, and as long as you use threat prevention to protect your incoming/outgoing traffic that will help as well.
If you have any other questions please do let us know.
To add to that, the PA-2050 supports oversubscription of ports when using dynamic IP and port network address translation. If your traffic is going to diverse destinations, the source port may be used twice. So in your situation, you can support over 120,000 sessions on a single public IP. This has the obvious advantage that you can support more sessions than would be supported by the number of IPs/ports you have in your NAT pool.
User A connects to Google.com
User B connects to Yahoo.com
Since the traffic is destined to different locations, the source port may be used for both (in the case that all of your ports are occupied by NAT traffic). So the first flow, User A > Google.com, may be from public IP 126.96.36.199 and port 23001 and the second flow, User B > Yahoo.com, may also be from public IP 188.8.131.52 and port 23001. The firewall can properly route the traffic to the correct host because it has a mapping between the destination and the original source address and port.
I hope this helps!
I have helpful assistance by your comment.
Thanks a million.
I have more question.
What available number of same source port does FW have at different destination address???
You can find the total number on each platform's specsheet. For example, the PA-5060 can reuse each available source port up to 8 times (this is called DIPP oversubscription on the specsheet). Since the available port range is roughly 1k-64k, it can use 63k source ports, with each creating up to 8 sessions if they're destined to different hosts.
while it set Many to one Public IP Address(PAT)
When Trust Private IP Address(192.168.0.1 - 192.168.255.254) try to connect Untrust same dst ip address or diffrent dst ip address
eventually Trust Private IP Address area have to use sharing source port within(64K).
is it right?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!