Re: [FW-1] NAT limitation on NG

[Russell Washington <russ.washington@FW1-NOSPAMVAULTSENTRY.COM>]

Title: Message

Hmmm.  I'd be interested to know how they implement that... is that statistic referring to hide NAT, static NAT, or both?  It makes some sense for static NAT but for hide NAT they'd have to do one heck of a smoke and mirrors job (in the code, that is) do pull it off, I think...

 

Would love to hear more on this subject.

-----Original Message-----
From: Lars Troen [mailto:Lars.Troen@PROXYCOM.NO]
Sent: Friday, June 07, 2002 5:25 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] NAT limitation on NG

Actually, in FP2 the limitation is 50k connections per destination ip address. Atleast that's what the cp docs say (haven't reached this limit yet).

 

Lars

-----Original Message-----
From: Russell Washington [mailto:russ.washington@VAULTSENTRY.COM]
Sent: Wednesday, June 05, 2002 18:12
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] NAT limitation on NG

I'm speaking from my general knowledge of NAT/PAT rather than anything Checkpoint-specific here, But theoretically, 64K is probably about the limit based on a scenario where each private IP has a single connection (i.e., port associated with the public address) to the outside world.  No more ports = no more talking.

 

Realistically, as a given private IP can open up several sessions at once and consume multiple ports from that public IP, the number is going to be much lower.  How much lower?  Don't know, but whatever it is it's traffic-dependent.