Speed, and capability as well. You need to know (or at least have a rough idea) how
many concurrent connections will be going through the firewall. NAT can
seriously drain the 25,000 default connections because it requires 2x
the connections running through the firewall. This ordinarily does not
present a problem on smaller sites; however, if you anticipate your site will be
hugely popular (don't we all), such as a large ecommerce site, you might want to
consider not NATting to the DMZ. There are ways to go beyond 25,000 connections,
which are documented at Phoneboy. But then you start having performance issues, as
indicated by CryptoTech. I suppose there are some advantages to NATting the DMZ,
such as flexibility in addressing, limiting the ability for you or others
to shoot yourself in the foot, and the #1 reason: lack of valid address space.
Many times the situation is one where you have little or no choice but to NAT the
DMZ. However, if you do have the choice, and practice reasonably good management
of the firewall and DMZ, I see no reason to NAT the DMZ. Bear in mind that if
you do not NAT the DMZ, your antispoofing rules become more critical than ever
before.
Frank
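To show why the antispoofing rules matter once the DMZ sits on routable addresses, here is an added example (not from the thread or any firewall vendor) of an ingress-interface source check: the interface names, address ranges and sample packets are all constructed assumptions.

```python
import ipaddress

# Constructed topology (assumed, not from the thread): the DMZ sits on
# routable addresses, so only the ingress interface tells a genuine DMZ
# host apart from an outside packet forging a DMZ source address.
INTERFACE_NETS = {
    "dmz": [ipaddress.ip_network("198.51.100.0/24")],
    "int": [ipaddress.ip_network("192.168.0.0/16")],
}
EXTERNAL_IF = "ext"
# Addresses that must never arrive from the Internet (RFC 1918, loopback).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def owning_interface(src):
    """Return the inside interface whose address space contains src, or None."""
    for ifname, nets in INTERFACE_NETS.items():
        if any(src in net for net in nets):
            return ifname
    return None

def antispoof_verdict(ingress, src_ip):
    """Accept a packet only if its source address is legitimate for the
    interface it arrived on. Returns (accepted, reason)."""
    src = ipaddress.ip_address(src_ip)
    owner = owning_interface(src)
    if ingress == EXTERNAL_IF:
        if owner is not None:
            return False, f"spoofed: {src} belongs to {owner} but came in on {ingress}"
        if any(src in net for net in BOGONS):
            return False, f"bogon source {src} on {ingress}"
        return True, f"{src} is an outside address on {ingress}"
    if owner != ingress:
        return False, f"spoofed: {src} is not in the {ingress} address space"
    return True, f"{src} matches the {ingress} address space"

def filter_packets(packets):
    """Apply the check to (ingress, src, dst) tuples; return the accepted ones."""
    return [p for p in packets if antispoof_verdict(p[0], p[1])[0]]

# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("ext", "203.0.113.7", "198.51.100.10"),    # Internet client to DMZ web server
    ("ext", "198.51.100.10", "192.168.1.5"),    # outside packet forging a DMZ source
    ("ext", "10.0.0.3", "198.51.100.10"),       # RFC 1918 source arriving from outside
    ("dmz", "198.51.100.10", "203.0.113.7"),    # DMZ server replying outward
    ("dmz", "192.168.1.5", "203.0.113.7"),      # DMZ host forging an internal source
]
```

Only the first and fourth sample packets pass; the rejected reasons are the cases a NATted DMZ would have masked by default, which is why the rules need explicit attention without NAT.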
Speed. Firewall load. Latency.
NAT modifies every packet involved in the rule, and thus adds latency. If
you are running 100mb or higher, you probably don't want to use NAT.
HTH, CryptoTech
Brian Burns wrote:
I am doing a redesign of our existing network
and have been asked to use private addressing with NAT. I am not pro/against
it - but I have always used valid addresses on my DMZ
servers. So... why would
one want to use NAT on your DMZ devices? Comments? Brian