-----Original Message-----
From: Don Guyer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 18, 2000 6:16 AM
To: CheckPoint List (E-mail)
Subject: RE: [FW1] Limit of addresses in NAT
Pablo,
I don't know about any limits, but we're NATing at least double what you are with no problems.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 18, 2000 7:45 AM
To: [EMAIL PROTECTED]
Subject: [FW1] Limit of addresses in NAT
We are experiencing some system crash troubles with a NAT rule that hides 2
class B + 90 class C internal networks with the external IP address of the
firewall to allow internet navigation. Does anybody know if Firewall 1
has a limit on the number of IP addresses it can hide with the external IP of the firewall?
Regards.
Pablo García.
------------------------------------------
Pablo García Peralta
Projects & Transitions, Iberia
Mediterranean Geoplex, IBM Global Services
Tlf: +34 91 3976611 Fax: +34 91 5193987 Cell: + 34 629 167302
e-mail: [EMAIL PROTECTED]
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
Title: RE: [FW1] Limit of addresses in NAT
This is something I have kicked around in my head for some time. Please feel free to respond with my technical inaccuracies.
It is not the number being NATed, but the actual number of simultaneous connections. If you are only using one NAT hide rule, you only have 1 IP address in use, which limits the possible number of return ports (client ports) which can be opened at once.
Socket = ip + protocol + port (1023 ports are well-known and will not be used)
That only leaves 65,536 - 1023 dynamic ports possible then (unless registered ports are in use as well, which gives you less).
So 64,000 plus connections will kill you. That's 64,000 TCP connections through the firewall. Each person could have up to 10-20 going at once if they are high traffic, multiple browser, ftp, napster kinda people.
A class B address, if everyone were to establish sessions on http, would actually break it all by itself.
A lot of firewall solutions allow you to create a pool instead of using a single IP address, but Check Point does not.
An easy solution would be to hide NAT each network with a different IP address, or at minimum hide the class B and all the class Cs separately.
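The port-exhaustion argument in the reply above, worked through as an added example that is not part of this thread and not Check Point code. It is a small Python model of a many-to-one ("hide") NAT: it assumes that ports 0-1023 are reserved and never handed out, that every live connection consumes one (hide address, port) pair, and that each internal network is mapped to exactly one hide address, as it would be with one hide rule per network. All addresses (10.x.x.x internal networks, 203.0.113.x hide addresses, 198.51.100.10 as the server) are constructed sample values.

```python
"""Model of how many simultaneous connections a hide-NAT address can carry.

Constructed illustration, not Check Point code. Assumes each translated
connection consumes one (hide-IP, port) pair and that ports 0-1023 are
reserved, so one hide address offers 65535 - 1024 + 1 = 64,512 ports.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

EPHEMERAL_LOW = 1024     # assumption: 0-1023 are well-known ports and are not used
EPHEMERAL_HIGH = 65535

# (src_ip, src_port, dst_ip, dst_port, proto) identifies one connection
FiveTuple = Tuple[str, int, str, int, str]


def ports_per_hide_ip(low: int = EPHEMERAL_LOW, high: int = EPHEMERAL_HIGH) -> int:
    """Number of translated source ports one hide address can hand out."""
    return high - low + 1


class HideNat:
    """Many-to-one NAT with one or more hide addresses.

    rules maps an internal network to the hide address used for it, e.g.
    {"10.0.0.0/16": "203.0.113.1"} (constructed sample values). Networks that
    share a hide address also share its port pool.
    """

    def __init__(self, rules: Dict[str, str]) -> None:
        self.rules = {ip_network(net): hide for net, hide in rules.items()}
        self.free = {hide: set(range(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1))
                     for hide in set(rules.values())}
        self.table: Dict[FiveTuple, Tuple[str, int]] = {}

    def hide_ip_for(self, src_ip: str) -> Optional[str]:
        """Hide address for a source, or None if no hide rule matches."""
        addr = ip_address(src_ip)
        for net, hide in self.rules.items():
            if addr in net:
                return hide
        return None

    def translate(self, conn: FiveTuple) -> Optional[Tuple[str, int]]:
        """Allocate a (hide_ip, port) for a connection; None if it cannot be translated."""
        if conn in self.table:            # already translated: reuse the mapping
            return self.table[conn]
        hide = self.hide_ip_for(conn[0])
        if hide is None or not self.free[hide]:
            return None                   # no rule, or port pool exhausted: connection fails
        port = self.free[hide].pop()
        self.table[conn] = (hide, port)
        return self.table[conn]

    def release(self, conn: FiveTuple) -> None:
        """Connection closed: return its port to the pool."""
        hide, port = self.table.pop(conn)
        self.free[hide].add(port)


def simulate(nat: HideNat, hosts_per_net: int, conns_per_host: int) -> Tuple[int, int]:
    """Open conns_per_host TCP connections from hosts_per_net hosts in every
    network the NAT has a rule for. Returns (translated, failed)."""
    ok = failed = 0
    for net in nat.rules:
        for _, host in zip(range(hosts_per_net), net.hosts()):
            for c in range(conns_per_host):
                conn = (str(host), EPHEMERAL_LOW + c, "198.51.100.10", 80, "tcp")
                if nat.translate(conn) is None:
                    failed += 1
                else:
                    ok += 1
    return ok, failed


if __name__ == "__main__":
    print("ports per hide address:", ports_per_hide_ip())
    # one class B, one connection per host, one hide address
    print("one /16, 1 conn/host, one hide IP:",
          simulate(HideNat({"10.0.0.0/16": "203.0.113.1"}), 65534, 1))
    # two networks, 2000 busy hosts each with 20 connections, sharing one hide IP
    shared = HideNat({"10.0.0.0/16": "203.0.113.1", "10.1.0.0/16": "203.0.113.1"})
    print("two nets sharing one hide IP:", simulate(shared, 2000, 20))
    # the same load with a separate hide address per network
    split = HideNat({"10.0.0.0/16": "203.0.113.1", "10.1.0.0/16": "203.0.113.2"})
    print("two nets, one hide IP each:", simulate(split, 2000, 20))
```

Under these assumptions a single hide address carries 64,512 live connections: a /16 in which every host opens just one connection already overruns it, and once the pool is empty every further connection fails even though the firewall is otherwise healthy, which is easy to mistake for a crash. Splitting the networks across several hide addresses, as the reply suggests, gives each address its own 64,512-port budget; from an operations standpoint, the figure to watch is the occupancy of the translation table per hide address, not the count of hidden hosts.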
- [FW1] Limit of addresses in NAT pablo_garcia_peralta
- RE: [FW1] Limit of addresses in NAT Don Guyer
- Scott Schindler
