
RE: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses



Speed, and capability as well. You need to know (or at least have a rough idea) how many concurrent connections will be going through the firewall. NAT can seriously drain the 25,000 default connections because it requires 2x the connections running through the firewall. This ordinarily does not present a problem on smaller sites; however, if you anticipate your site will be hugely popular (don't we all), such as a large ecommerce site, you might want to consider not NATting to the DMZ. There are ways to go beyond 25,000 connections that are documented at Phoneboy, but then you start having performance issues, as indicated by CryptoTech.

I suppose there are some advantages to NATting the DMZ, such as flexibility in addressing, limiting the ability for you or others to shoot yourself in the foot, and the #1 reason, lack of valid address space. Many times the situation is one where you have little or no choice but to NAT the DMZ. However, if you do have the choice and practice reasonably good management of the firewall and DMZ, I see no reason to NAT the DMZ. Bear in mind that if you do not NAT the DMZ, your antispoofing rules become more critical than ever before.
 
 
Frank
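
The antispoofing point above, as an added example that is not code from the original thread or from any firewall product: an interface-based check that drops packets whose source address is not valid for the interface they arrived on. With a non-NATed DMZ the DMZ's public range is reachable directly, so a packet arriving on the outside interface that claims a DMZ or internal source must be caught by this check rather than by translation. The interface names and addresses (RFC 5737 documentation ranges for the public side, 10.0.0.0/8 for the inside) are assumptions for the illustration.

```python
"""Per-interface anti-spoofing check for a firewall whose DMZ keeps its real addresses.

Added example, not code from the original thread. Interface names and address
ranges below are assumed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology. The DMZ range is publicly routable and NOT translated, so it
# looks exactly like an outside address except for where it is allowed to enter.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Valid source networks for each inside-facing interface. The external interface
# is handled as "everything not claimed by an inside interface" (the equivalent of
# FW-1's "Others" valid-address setting), so it gets no explicit entry.
INTERFACE_VALID_SOURCES = {
    "internal": INTERNAL_NETS,
    "dmz": DMZ_NETS,
}

# Ranges that can never legitimately arrive from the Internet.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def is_spoofed(pkt: Packet) -> bool:
    """True if pkt's source address is not valid for its ingress interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "external":
        # Outside packets may not claim an address that lives behind the firewall,
        # nor a private/loopback address that should never be routed here.
        inside = [n for nets in INTERFACE_VALID_SOURCES.values() for n in nets]
        return _in_any(src, inside) or _in_any(src, NEVER_FROM_OUTSIDE)
    nets = INTERFACE_VALID_SOURCES.get(pkt.iface)
    if nets is None:
        return True  # unknown interface: fail closed
    # Inside interfaces may only originate traffic from their own networks, so a
    # compromised DMZ host cannot pose as an internal machine.
    return not _in_any(src, nets)


def filter_packets(packets):
    """Split packets into (accepted, dropped) by the anti-spoofing check."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt) else accepted).append(pkt)
    return accepted, dropped


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    Packet("external", "198.51.100.7", "203.0.113.10"),  # Internet client -> DMZ web server
    Packet("external", "203.0.113.10", "10.1.2.3"),      # outsider posing as a DMZ host
    Packet("external", "10.1.2.3", "203.0.113.10"),      # outsider posing as an internal host
    Packet("external", "127.0.0.1", "203.0.113.10"),     # loopback source from outside
    Packet("dmz", "203.0.113.10", "198.51.100.7"),       # DMZ host replying to the Internet
    Packet("dmz", "10.1.2.3", "198.51.100.7"),           # DMZ host posing as internal
    Packet("internal", "10.1.2.3", "203.0.113.10"),      # internal user -> DMZ
]


def run_sample():
    """Run the check over the constructed sample and return (accepted, dropped)."""
    return filter_packets(SAMPLE_PACKETS)


if __name__ == "__main__":
    ok, bad = run_sample()
    for p in ok:
        print("ACCEPT", p.iface, p.src, "->", p.dst)
    for p in bad:
        print("DROP  ", p.iface, p.src, "->", p.dst)
```

The check is independent of the rulebase: a packet that passes it still has to match an accept rule. What it adds is the guarantee that the DMZ's real addresses and the internal ranges can only ever appear as sources on their own interfaces, which is the property NAT used to give you for free on the inside.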
 
-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Saturday, November 11, 2000 9:20 AM
To: Brian Burns
Cc: [email protected]
Subject: Re: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses

Speed. Firewall load. Latency. NAT modifies every packet involved in the rule, and thus adds latency. If you are running 100Mb or higher, you probably don't want to use NAT.

HTH,
CryptoTech

Brian Burns wrote:

I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it, but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments?

Brian


 
   All contents © 2004 Network Presence, LLC. All rights reserved.