Re: [FW-1] NAT limitation on NG

[Widjaja Jimmi <jimmi.widjaja@FW1-NOSPAMSIEMENS.COM>]

Title: Message

If we want to use for about 400K internal Ip address to access internet.

that's mean we need for about 7 public ip address to accomodate those huge internal ip address pool

 

Does Checkpoint NG can be configured to use 7 public ip address on its external interface and do the Hide NAT for those 400K private IP?

 

I need an CP advice on this ....

 

regards

Jimmi Widjaja

 -----Original Message-----
From: Russell Washington [mailto:russ.washington@VAULTSENTRY.COM]
Sent: Thursday, June 06, 2002 12:12 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] NAT limitation on NG

I'm speaking from my general knowledge of NAT/PAT rather than anything Checkpoint-specific here, But theoretically, 64K is probably about the limit based on a scenario where each private IP has a single connection (i.e., port associated with the public address) to the outside world.  No more ports = no more talking.

 

Realistically, as a given private IP can open up several sessions at once and consume multiple ports from that public IP, the number is going to be much lower.  How much lower?  Don't know, but whatever it is it's traffic-dependent.

-----Original Message-----
From: Widjaja Jimmi [mailto:jimmi.widjaja@SIEMENS.COM]
Sent: Wednesday, June 05, 2002 2:49 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] NAT limitation on NG

Hi,
I have a question about NAT limitation in Checkpoint Firewall-1 NG FP1.
How many internal IP address can be NAT-ed to one public IPaddress simultanously using hiden NAT mode ?

Some source say that the limit is for about 64K connections per one public address.

I appreciate if somebody can give statement on this or share any experience for such configuration.

Regards,
Jimmi Widjaja