Hi Ibariouen,

Enough in this case can mean different things. Enough for what?

Usually not enough means that each external IP ‘generates’ too many simultaneous and new (per second) sessions. This can trigger attack defence mechanisms on popular sites, etc. But ‘too many’ is also not quite a clear definition, but it is harder to justify.

You can check how many sessions each IP has as a source with the ‘get session info’ command. You see the total sessions, and dividing them by the number of IPs you can get the number of sessions per external IP. The same with new sessions: issue ‘get perf session detail’.

There is one tricky thing here. The values you get by dividing the total numbers of [new] sessions by the number of external IPs can be either exact or average. If you do not use DIP stickiness (by default it is off), the sessions are distributed uniformly over the pool: each new session is translated to the next IP on a round-robin basis. If you do, then there is a dispersion, because each internal IP is always hard-mapped to an external one while it has active sessions.

In most situations people switch the stickiness on to get multisession services (like IKE without ALG or even FTP) to work properly. You can check if the stickiness is on with the ‘get dip’ command. If you see ‘Port-xlated dip stickness on’ in its output, then the numbers of sessions per IP are average, not exact. In this case you have to keep in mind that the actual maximum of sessions per IP can be much higher than the average, since there are more and less active users. The numbers of sessions generated by them can differ tenfold and more.

I believe in your particular case you will receive tens of thousands of simultaneous and at least early thousands of new sessions per external IP. Believe me, it's TOO many. ICQ and others should definitely block your users.
--
Regards, Pavel

2010/3/24 Ibariouen Khalid <ibariouen.kha...@ericsson.com>

> Hi all
>
> Actually we are NATing around 11500 active internet users by an ISG-2000
> with 4 public IP addresses
>
> As my understanding the NAT is done per session not per user.
> Can you please tell me how to check if those IP addresses are enough or not?
>
> BR/

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
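
The exact-versus-average point in the reply above, as an added example that is not part of the original thread: a small simulation of how sessions land on a 4-address DIP pool with stickiness off (round-robin per session) and on (all of a host's sessions on one address). The per-host session counts are constructed sample data, and pinning a sticky host to a randomly chosen pool address is a modelling assumption, not documented ScreenOS behaviour.

```python
import random


def sessions_per_ip(host_sessions, pool_size, sticky, rng):
    """Spread every host's sessions over a DIP pool; return sessions per pool IP."""
    if not sticky:
        # Stickiness off: each new session is translated to the next pool IP
        # (round-robin), so the per-IP counts differ by at most one session.
        base, extra = divmod(sum(host_sessions), pool_size)
        return [base + (1 if i < extra else 0) for i in range(pool_size)]
    # Stickiness on: a host with active sessions keeps one external IP.
    # Which IP a host is pinned to is modelled as a random pick (assumption).
    load = [0] * pool_size
    for count in host_sessions:
        load[rng.randrange(pool_size)] += count
    return load


def constructed_hosts(count, rng, cap=2000):
    """Constructed sample: heavy-tailed session counts, a few very active hosts."""
    return [min(cap, int(rng.paretovariate(1.1))) for _ in range(count)]


def summarize(load):
    """Average and worst-case sessions per external IP."""
    avg = sum(load) / len(load)
    return {"avg": avg, "max": max(load), "max_over_avg": max(load) / avg}


if __name__ == "__main__":
    rng = random.Random(2010)              # fixed seed: repeatable run
    hosts = constructed_hosts(11500, rng)  # user count from the question
    for sticky in (False, True):
        load = sessions_per_ip(hosts, 4, sticky, rng)  # 4 public IPs
        label = "stickiness on " if sticky else "stickiness off"
        print(label, load, summarize(load))
```

With stickiness off, the total divided by the pool size is the real per-IP figure; with it on, `max` is the number to compare against whatever limit a remote site applies per source address.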