to NAT pool or not

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

to NAT pool or not

L0 Member

Hi all,

We have a brand new 2050 that is going to be used to support a school district with about 5000 students.... so we expect, eventually,  to have about 5000 to 6000 hosts going out to the internet. And we have access to a full class C public block.

The question that I have is: should we set this PA2050 to use a NAT pool or would setting it as "one-to-many" (where I would use only one public IP number for all my outgoing traffic) will be enough.

I would think that a pool makes more sense since it would eliminate the risk of having large amounts of traffic coming from the same IP number and therefore been tagged as spam.... but why would that matter if there would be 64K session  coming from the same IP  (Dynamic IP/Pool) before the next available IP gets used? Any feedback will be appreciated.

7 REPLIES 7

L3 Networker

Hello Marsan

Best practice is using NAT with Many to One, and as long as you use threat prevention to protect your incoming/outgoing traffic that will help as well.

If you have any other questions please do let us know.

Al

Palo Alto Networks Guru

To add to that, the PA-2050 supports oversubscription of ports when using dynamic IP and port network address translation.  If your traffic is going to diverse destinations, the source port may be used twice.  So in your situation, you can support over 120,000 sessions on a single public IP.  This has the obvious advantage that you can support more sessions than would be supported by the number of IPs/ports you have in your NAT pool.

Example:

User A connects to Google.com

User B connects to Yahoo.com

Since the traffic is destined to different locations, the source port may be used for both (in the case that all of your ports are occupied by NAT traffic).  So the first flow, User A > Google.com, may be from public IP 1.1.1.1 and port 23001 and the second flow, User B > Yahoo.com, may also be from public IP 1.1.1.1 and port 23001.  The firewall can properly route the traffic to the correct host because it has a mapping between the destination and the original source address and port.

I hope this helps!

Nick Campagna

Hello ncampagna,

I have helpful assistance by your comment.

Thanks a million.

I have more question.

What available number of same source port does FW have at different destination address???

Thanks.

An Nyeonghaseyo

Ga jang nim

Even though connect different dst address It will be used Source port about 64K

I wish You recommend me Like 乃

Palo Alto Networks Guru

Hi Cheon,

You can find the total number on each platform's specsheet. For example, the PA-5060 can reuse each available source port up to 8 times (this is called DIPP oversubscription on the specsheet). Since the available port range is roughly 1k-64k, it can use 63k source ports, with each creating up to 8 sessions if they're destined to different hosts.

Thanks,

Nick

while it set Many to one Public IP Address(PAT)
When Trust Private IP Address(192.168.0.1 - 192.168.255.254) try to connect Untrust same dst ip address or diffrent dst ip address

eventually Trust Private IP Address area have to use sharing source port within(64K).

is it right?

Hi,

No, it will be one port per private IP (whatever the destination same or not).

Rgds

V;

  • 5105 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!