PAT v/s NAT performance on PIX515e

Discussion in 'Cisco' started by John Smith, Nov 23, 2004.

  1. John Smith

    John Smith Guest

    does anyone know if there is a performance advantage to using a global pool
    for nat'ing, versus pat'ing a single address for outbound connections?

    -thanks
     
    John Smith, Nov 23, 2004
    #1

  2. In article <>,
    John Smith <> wrote:
    :does anyone know if there is a performance advantage to using a global pool
    :for nat'ing, versus pat'ing a single address for outbound connections?

    In theory, there should be a small advantage in doing that. If you
    have an inside host that has multiple flows to the -same- outside
    host, then in the global pool case, it is not necessary to create a
    new translation for each such access; whereas with PAT it is always
    necessary to create a new translation.

    The advantage is not going to be very large, though. For the PAT case,
    the PIX keeps a running counter of the next port in sequence so
    what the PIX does is just increment the counter, double-check that
    the port isn't already in use (or statically mapped), populate the
    interface flow table and manipulate the outside ACL to permit the
    reply. In both cases, the PIX has to proceed to keep a record of
    the existence of the outgoing connection and in both cases the
    PIX has to potentially create a "local-host" container first
    [local-host containers exist on all PIXes now; the PIX 501 is
    the only one that limits the number of them but they all create them.]

    All in all, I would say that if you are in a situation in which
    the performance difference is enough to be significant, you should
    be upgrading to a faster PIX. I don't recall ever hearing that low
    latency in connection creation was part of the PIX design goals.
    --
    Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
     
    Walter Roberson, Nov 23, 2004
    #2

  3. John Smith

    John Smith Guest

    I purposely didn't elaborate on the scenario in my original post b/c I
    wanted to see if there was a 'general' answer first...that said, what I have
    is a 515E for a small business (<30 users) and we (my company) have given
    them 5 of our registered class C addresses for NAT/PAT.. I would like to
    reclaim at least 3 of those, leave them with 2, one for a static entry for
    their internal email server, and one for PAT for outbound connections (their
    external interface actually)...they are not a major production environment
    or anything. I was just wondering if my predecessor gave them the class C's
    for a performance reason (I've checked, and there is no policy behind this
    decision either)...sounds like they should be ok if I take a few away - they
    probably won't even notice...

    -thanks

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cnvgoq$jt6$...
    > In article <>,
    > John Smith <> wrote:
    > :does anyone know if there is a performance advantage to using a global pool
    > :for nat'ing, versus pat'ing a single address for outbound connections?
    >
    > In theory, there should be a small advantage in doing that. If you
    > have an inside host that has multiple flows to the -same- outside
    > host, then in the global pool case, it is not necessary to create a
    > new translation for each such access; whereas with PAT it is always
    > necessary to create a new translation.
    >
    > The advantage is not going to be very large, though. For the PAT case,
    > the PIX keeps a running counter of the next port in sequence so
    > what the PIX does is just increment the counter, double-check that
    > the port isn't already in use (or statically mapped), populate the
    > interface flow table and manipulate the outside ACL to permit the
    > reply. In both cases, the PIX has to proceed to keep a record of
    > the existence of the outgoing connection and in both cases the
    > PIX has to potentially create a "local-host" container first
    > [local-host containers exist on all PIXes now; the PIX 501 is
    > the only one that limits the number of them but they all create them.]
    >
    > All in all, I would say that if you are in a situation in which
    > the performance difference is enough to be significant, you should
    > be upgrading to a faster PIX. I don't recall ever hearing that low
    > latency in connection creation was part of the PIX design goals.
    > --
    > Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
     
    John Smith, Nov 23, 2004
    #3
  4. In article <>,
    John Smith <> wrote:
    :what I have
    :is a 515E for a small business (<30 users) and we (my company) have given
    :them 5 of our registered class C addresses for NAT/PAT.. I would like to
    :reclaim at least 3 of those

    :I was just wondering if my predecessor gave them the class C's
    :for a performance reason

    Probably not for performance reasons. Do a "show cpu" on the PIX
    and if the load isn't above 40% then don't give the performance
    implications even a minor thought.

    Keep in mind, though, that PAT can't handle everything. It used
    to be more noticeable; Cisco has been adding more "fixup"'s over time.

    One instance in which it would have been noticeable would have been
    if they were using VPN software to connect to another site: VPNs
    and PAT are an uneasy mix (made easier by the recent introduction
    of isakmp nat-traversal).
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Nov 23, 2004
    #4
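To make the two points in this thread concrete (post #2: a global pool reuses one translation for every flow an inside host opens, while PAT builds one per flow from a running port counter; post #4: PAT cannot translate protocols that carry no port, which is why plain IPsec ESP and PAT mix badly without NAT-T), here is a small model of both translation styles. This is added illustration code, not Cisco's implementation and not posted by anyone in the thread: the key tuples, the starting port, the `reserve_static` hook and the sample flows are all constructed assumptions.

```python
"""Toy model of translation creation under dynamic NAT (global pool) versus
PAT (single global address), added as an illustration for this thread.
Not Cisco code; port ranges, keys and the in-use check are simplifications."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Only transport protocols that carry port numbers can be multiplexed by PAT.
PORT_PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class Flow:
    inside_ip: str
    proto: str          # "tcp", "udp", or a portless protocol such as "esp"
    inside_port: int    # 0 for protocols that have no ports
    outside_ip: str


class NatPool:
    """Dynamic NAT: one global address per inside host, taken from the pool.
    Every further flow from that host reuses the existing translation."""

    def __init__(self, pool: List[str]) -> None:
        self.free = list(pool)
        self.xlate: Dict[str, str] = {}   # inside_ip -> global_ip
        self.created = 0

    def translate(self, f: Flow) -> Optional[Tuple[str, int]]:
        if f.inside_ip not in self.xlate:
            if not self.free:
                return None               # pool exhausted: flow cannot be built
            self.xlate[f.inside_ip] = self.free.pop(0)
            self.created += 1
        # Ports pass through untouched, so portless protocols translate too.
        return self.xlate[f.inside_ip], f.inside_port


class Pat:
    """PAT: one global address and one translation per flow, drawn from a
    running port counter that is re-checked against ports already in use."""

    def __init__(self, global_ip: str, first_port: int = 1024) -> None:
        self.global_ip = global_ip
        self.next_port = first_port
        self.in_use: Set[Tuple[str, int]] = set()   # (proto, port) already taken
        self.xlate: Dict[Flow, int] = {}
        self.created = 0

    def reserve_static(self, proto: str, port: int) -> None:
        # Assumed hook: a statically mapped port the counter must skip.
        self.in_use.add((proto, port))

    def translate(self, f: Flow) -> Optional[Tuple[str, int]]:
        if f.proto not in PORT_PROTOCOLS:
            return None        # nothing to rewrite: ESP needs NAT-T or static NAT
        if f not in self.xlate:
            # Increment the counter, skipping ports in use or statically mapped.
            while (f.proto, self.next_port) in self.in_use:
                self.next_port += 1
            if self.next_port > 65535:
                return None    # port space on the single address exhausted
            self.in_use.add((f.proto, self.next_port))
            self.xlate[f] = self.next_port
            self.next_port += 1
            self.created += 1
        return self.global_ip, self.xlate[f]


def compare(flows: List[Flow], pool: List[str], pat_ip: str) -> Dict[str, int]:
    """Run the same flows through both models and count translations built
    and flows that could not be translated at all."""
    nat, pat = NatPool(pool), Pat(pat_ip)
    nat_results = [nat.translate(f) for f in flows]
    pat_results = [pat.translate(f) for f in flows]
    return {
        "nat_created": nat.created,
        "pat_created": pat.created,
        "nat_dropped": nat_results.count(None),
        "pat_dropped": pat_results.count(None),
    }


# Constructed sample: one inside host opens three TCP flows to the same
# outside host, then one ESP (IPsec) flow to a VPN peer.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "tcp", 40000, "203.0.113.10"),
    Flow("10.0.0.5", "tcp", 40001, "203.0.113.10"),
    Flow("10.0.0.5", "tcp", 40002, "203.0.113.10"),
    Flow("10.0.0.5", "esp", 0, "203.0.113.20"),
]

if __name__ == "__main__":
    print(compare(SAMPLE_FLOWS, ["198.51.100.1", "198.51.100.2"], "198.51.100.3"))
```

Run as-is, the pool builds a single translation that all three TCP flows share and passes the ESP flow through, while PAT builds three translations and cannot carry the ESP flow at all. The `in_use` set is also where a statically mapped port (such as the mail server's) keeps the counter from handing out a port that is already spoken for, which is the "double-check" step the second post describes.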
