NAT / PAT Configuration

Inputs:
Inside hosts (1 or more): total concurrent users behind NAT.
Sessions per host (1–1000): typical values are 20–50 office, 50–100 power user, 100+ server.
Public IPs (1 or more): public IP addresses in NAT pool.
Platform limit: max usable ephemeral ports per public IP.
Safety margin: reserve capacity for bursts and platform overhead.
Concurrency factor: fraction of hosts active at peak time.

Outputs: Total Concurrent Sessions Needed, Port Utilization.

Sources & Methodology

NAT session capacity from RFC 3022 and vendor documentation. Port ranges from IANA Service Name and Transport Protocol Port Number Registry. CGNAT from RFC 6598.
RFC 3022 — Traditional IP Network Address Translator (NAT)
Defines NAT and NAPT (Network Address and Port Translation) operation. Source for PAT session model, translation table structure, and port exhaustion mechanics.
IANA — Service Name and Transport Protocol Port Number Registry
Source for port number ranges: well-known ports 0 to 1023, registered ports 1024 to 49151, ephemeral ports 49152 to 65535. Usable PAT range typically 1024 to 65535 = 64,512 ports.
RFC 6598 — IANA-Reserved IPv4 Prefix for Shared Address Space (CGNAT)
Defines the 100.64.0.0/10 shared address space for CGNAT deployments. Source for CGNAT port block allocation model and subscriber-to-public-IP ratio guidance.
Methodology:
Peak sessions needed = Hosts x Sessions/host x Concurrency factor
Usable ports = Platform limit x (1 - Safety margin)
Required public IPs = ceil(Peak sessions / Usable ports per IP)
Port utilization = Peak sessions / (Public IPs x Usable ports per IP) x 100
Port utilization above 80% is a warning threshold. Above 95% indicates imminent port exhaustion risk under burst conditions.

Last reviewed: April 2026

How Is NAT/PAT Session Capacity Calculated?

PAT (Port Address Translation), also called NAT Overload, allows multiple inside hosts to share a single public IP address by differentiating their sessions using unique source port numbers. The TCP and UDP port field is 16 bits, giving 65,535 possible values. After reserving well-known ports (0 to 1023), approximately 64,512 ports are available for PAT allocation per public IP address per protocol.

Max sessions per IP = Available ports (64,000 to 65,000 practical)
Example — 1,000 hosts, 50 sessions each, 80% concurrency, Cisco ASA:
Peak sessions = 1,000 x 50 x 0.80 = 40,000 concurrent sessions
Usable ports with 20% margin = 65,000 x 0.80 = 52,000 ports/IP
Required public IPs = ceil(40,000 / 52,000) = 1 IP (with 77% utilization)
If the deployment grows to 2,000 hosts: 80,000 sessions → 2 public IPs needed
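
The sizing formulas above as a small planner that also applies the 80% and 95% utilization thresholds. This is an added example, not code from the calculator; the function name `plan_pat_pool`, its integer-percentage parameters and the `ips_below_warning` field are assumptions made here.

```python
WARN_PCT, CRITICAL_PCT = 80, 95  # utilization thresholds from the methodology


def plan_pat_pool(hosts, sessions_per_host, concurrency_pct,
                  platform_limit, margin_pct, public_ips=None):
    """Size a PAT pool with the page's formulas.

    Percentages are integers (80 means 80%) so the arithmetic is exact.
    public_ips=None evaluates the minimum pool the formula yields.
    """
    if hosts < 1 or not 1 <= sessions_per_host <= 1000:
        raise ValueError("need hosts >= 1 and 1 <= sessions_per_host <= 1000")
    if not 0 < concurrency_pct <= 100 or not 0 <= margin_pct < 100:
        raise ValueError("need 0 < concurrency_pct <= 100 and 0 <= margin_pct < 100")
    # -(-a // b) is integer ceil(a / b)
    peak = -(-hosts * sessions_per_host * concurrency_pct // 100)
    usable = platform_limit * (100 - margin_pct) // 100
    if usable < 1:
        raise ValueError("no usable ports left after the safety margin")
    required = -(-peak // usable)
    ips = required if public_ips is None else public_ips
    if ips < 1:
        raise ValueError("need at least one public IP")
    util = peak / (ips * usable) * 100
    if util > CRITICAL_PCT:
        status = "critical"   # imminent exhaustion risk under bursts
    elif util > WARN_PCT:
        status = "warning"
    else:
        status = "ok"
    return {
        "peak_sessions": peak,
        "usable_ports_per_ip": usable,
        "required_ips": required,
        "utilization_pct": round(util, 1),
        "status": status,
        # Smallest pool that keeps utilization at or below WARN_PCT.
        "ips_below_warning": -(-peak * 100 // (usable * WARN_PCT)),
    }


if __name__ == "__main__":
    # The page's two worked examples (Cisco ASA figure of 65,000 ports, 20% margin).
    print(plan_pat_pool(1000, 50, 80, 65000, 20))
    print(plan_pat_pool(5000, 50, 80, 65000, 20))
```

For the 5,000-user case the minimum pool of 4 IPs runs at 96.2% of usable ports, above the 95% threshold, while 5 IPs bring it back under 80%.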

NAT Session Timeouts by Protocol

Protocol / State | Cisco IOS Default | Cisco ASA Default | Impact
TCP Established | 86,400s (24hr) | 3,600s (1hr) | Long-lived idle sessions consume ports
TCP Half-open | 30s | 30s | SYN without completion
UDP | 300s (5min) | 30s | DNS, NTP, streaming UDP
ICMP | 60s | 2s | Ping, traceroute
TCP FIN/RST | 60s | 15s | Connection teardown
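
To see how much these defaults matter, the added example below (not part of the calculator) ages one constructed translation-table snapshot under each timeout profile and reports the ports still held. The snapshot values and the function names are assumptions, and for simplicity every entry is counted against a single budget of 52,000 usable ports.

```python
# Default idle timeouts in seconds, copied from the table above.
TIMEOUTS = {
    "ios": {"tcp_established": 86400, "tcp_half_open": 30, "udp": 300,
            "icmp": 60, "tcp_fin_rst": 60},
    "asa": {"tcp_established": 3600, "tcp_half_open": 30, "udp": 30,
            "icmp": 2, "tcp_fin_rst": 15},
}

# Constructed snapshot of the translations on one public IP (not device
# output): (protocol/state, seconds since last packet, number of entries).
SNAPSHOT = [
    ("tcp_established", 10, 12000),
    ("tcp_established", 5400, 25000),    # idle 90 minutes
    ("tcp_established", 90000, 3000),    # idle 25 hours
    ("tcp_half_open", 45, 500),
    ("udp", 20, 4000),
    ("udp", 120, 9000),
    ("icmp", 5, 200),
    ("tcp_fin_rst", 20, 1500),
]


def ports_held(snapshot, timeouts):
    """Entries per state that have not yet aged out under `timeouts`."""
    held = {}
    for state, idle, count in snapshot:
        if state not in timeouts:
            raise KeyError(f"no timeout configured for {state!r}")
        if idle < timeouts[state]:
            held[state] = held.get(state, 0) + count
    return held


def utilization_pct(snapshot, timeouts, usable_ports=52000):
    """Held ports as a percentage of usable ports (52,000 = 65,000 less 20%)."""
    return round(sum(ports_held(snapshot, timeouts).values()) / usable_ports * 100, 1)


if __name__ == "__main__":
    # Hypothetical tuned profile: IOS defaults with the shorter timeouts the
    # page suggests for high-density environments.
    tuned = dict(TIMEOUTS["ios"], tcp_established=3600, udp=60)
    for name, profile in [("ios", TIMEOUTS["ios"]), ("asa", TIMEOUTS["asa"]),
                          ("tuned", tuned)]:
        print(name, ports_held(SNAPSHOT, profile), utilization_pct(SNAPSHOT, profile))
```

With this snapshot the IOS defaults keep 51,700 ports occupied (99.4% of usable), while the ASA defaults hold 16,000 (30.8%); nearly all of the difference is idle established TCP and idle UDP entries.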

CGNAT Port Block Allocation

Carrier-Grade NAT (CGNAT) assigns a fixed block of ports to each subscriber instead of dynamic allocation. A typical ISP might assign 1,000 to 4,000 ports per subscriber per public IP. This limits each subscriber to that many concurrent sessions per destination, preventing any single subscriber from exhausting the shared public IP. At 1,000 ports per subscriber, one public IP can serve 64 subscribers simultaneously (64,000 / 1,000).

💡 Port exhaustion warning signs: New TCP connection attempts failing while existing sessions work normally, DNS resolution timing out (many DNS clients use new ports per query), VoIP call setup failures while established calls continue, and application error messages about "connection refused" or "too many open files" on clients. Monitor NAT translation table utilization on your edge router to catch port exhaustion before it causes outages.
Frequently Asked Questions
A single public IP used for PAT can support approximately 64,000 to 65,000 concurrent sessions after reserving well-known ports 0 to 1023. This is shared across all inside hosts. Cisco ASA supports approximately 65,000 translations per public IP. In practice, a 20 to 30% safety margin is recommended, giving roughly 45,000 to 52,000 usable sessions per public IP.
NAT maps one private IP to one public IP (one-to-one). Each inside host needs its own public IP. PAT (NAT overload) maps multiple private IPs to one public IP using unique source port numbers to differentiate sessions. PAT allows hundreds or thousands of hosts to share a single public IP. PAT is the standard for home routers, most enterprise edges, and ISP NAT.
Total sessions = inside hosts x sessions per host x concurrency factor. Usable ports per IP = platform limit x (1 - safety margin). Required IPs = ceiling(total sessions / usable ports). Example: 5,000 users x 50 sessions x 80% concurrency = 200,000 sessions. 200,000 / 52,000 usable ports = 3.85, rounded up to 4 public IPs needed.
Port exhaustion occurs when all source port numbers on a public IP are in active NAT translations. Causes: too many concurrent sessions, long timeout values keeping idle ports occupied, applications that open many parallel connections (P2P, streaming, CDN), and CGNAT with too many subscribers per public IP. New connection attempts fail even when bandwidth is available.
CGNAT is a double NAT where the ISP assigns RFC 6598 shared addresses (100.64.0.0/10) to subscribers and then NATs these to public IPs at the ISP edge. One public IP can serve many subscribers but each subscriber gets a limited port block (typically 1,000 to 4,000 ports). CGNAT causes issues with peer-to-peer, VoIP, gaming, and hosted services that require inbound connections.
Timeouts vary by protocol and platform. TCP established: 1 to 24 hours. TCP half-open: 30 seconds. UDP: 30 to 300 seconds. ICMP: 2 to 60 seconds. Long TCP timeouts keep idle connections occupying ports. Reducing TCP established timeout to 1 hour and UDP timeout to 30 to 60 seconds in high-density environments frees ports faster without breaking active sessions.
The NAT translation table stores active private-to-public IP and port mappings. Each entry uses 200 to 500 bytes of memory. Cisco ASA supports up to 2 million translations. Enterprise IOS-XE routers support 1 to 8 million depending on memory. High-density CGNAT appliances support 100 million or more. Monitor table utilization on your platform to prevent memory exhaustion.
NAT processing is negligible on modern hardware. The main performance impacts are: port exhaustion causing connection failures, long session timeouts wasting ports, Application Layer Gateway (ALG) overhead for protocols like SIP and FTP that embed IP addresses in payloads, and CGNAT breaking peer-to-peer and inbound connections that require a consistent public IP and port mapping.
NAT64 translates IPv6 addresses to IPv4, enabling IPv6-only clients to reach IPv4 servers. It works with DNS64 which synthesizes AAAA records from A records to redirect clients through the NAT64 gateway. Unlike regular NAT44, NAT64 performs cross-protocol translation and is used in ISP and mobile carrier networks as part of IPv6 transition strategy.
RFC 6598 defines 100.64.0.0/10 (100.64.0.0 to 100.127.255.255) as shared address space specifically for CGNAT deployments. This range must not be routed on the public internet. It is distinct from RFC 1918 private ranges and should not be used in enterprise internal networks as it conflicts with ISP infrastructure addressing in CGNAT deployments.