https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480483#M652515 <HTML><HEAD></HEAD><BODY><P>Thanks but the data sheet does not indicate what the latency or jitter of a loaded PIX performing NAT is.</P><P></P><P>I suspect the only way to tell is empirically by trying it out and let the physicists monitor the service.</P></BODY></HTML> Mon, 16 Aug 2010 13:30:53 GMT GrumpyBear 2010-08-16T13:30:53Z https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480480#M652512 <P>Hello,</P><P></P><P>I have a couple of Stratum 2 NTP servers I have to move out to our DMZ.&nbsp; My problem is that the IP addresses they use are very well known and hard coded in appliances by many manufacturers.&nbsp; Futher complicating matters the subnets they reside upon are still in use by other hosts that have to remain inside our production network and will not be readdressed for a while.</P><P></P><P>In an ideal world I would simply readdress these servers into our DMZ address space then simply NAT the legacy addresses.&nbsp; The DMZ firewalls are currently PIX 525s (they will be upgraded to ASA5580s later next quarter but I have to get all the stuff out to the DMZ first).</P><P></P><P>As these are running NTP the question is:</P><P></P><P>Do PIXes NAT in Hardware?&nbsp; If not, we are concerned that processes on the control plane may cause variations in latency (i.e. jitter) that may affect the accuracy of the time reference.</P><P></P><P>These servers have a quiescent load of 40,000 sessions per hour and spike to loads in excess of 200,000 sessions per hour at times.</P> Mon, 11 Mar 2019 18:25:29 GMT https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480480#M652512 GrumpyBear 2019-03-11T18:25:29Z https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480481#M652513 <HTML><HEAD></HEAD><BODY><P>NAT always happens at cpu. We have not seen any issues with NTP server behind natted address.</P><P></P><P>- AD</P></BODY></HTML> Sat, 14 Aug 2010 00:07:00 GMT https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480481#M652513 andhingr 2010-08-14T00:07:00Z https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480482#M652514 <HTML><HEAD></HEAD><BODY><P>NAT on PIX or ASA is not processed by the hardware, however, it should be capable of doing 200,000 NTP sessions per hour.</P><P></P><P>Here is the datasheet for PIX525 for your reference on what it could handle:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2118/product_data_sheet09186a0080091b09.html">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2118/product_data_sheet09186a0080091b09.html</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Sat, 14 Aug 2010 00:12:50 GMT https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480482#M652514 Jennifer Halim 2010-08-14T00:12:50Z https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480483#M652515 <HTML><HEAD></HEAD><BODY><P>Thanks but the data sheet does not indicate what the latency or jitter of a loaded PIX performing NAT is.</P><P></P><P>I suspect the only way to tell is empirically by trying it out and let the physicists monitor the service.</P></BODY></HTML> Mon, 16 Aug 2010 13:30:53 GMT https://community.cisco.com/t5/network-security/effect-of-nat-using-pixes-on-ntp/m-p/1480483#M652515 GrumpyBear 2010-08-16T13:30:53Z