Dynamic NAT vs Dynamic PAT for DMZ

For years, our firewall has been configured with a set of dynamic NAT rules in the DMZ, to dynamically assign an IP address in the DMZ for incoming connections from hosts on the Inside.  The pool was set up as the block of addresses in the /24 network (192.168.200.1 - 192.168.200.99).

Well, we periodically run into problems where the number of simultaneous connections from Inside hosts to DMZ hosts exceeds 99, so any additional connection attempts are refused, because the dynamic address pool is depleted.  (We have nearly 5000 inside hosts)

So, I have two questions:

1) Is there a reason why this address pool could be deleted and replaced with a dynamic PAT translation, where all incoming connections from the inside would be NATed to a single DMZ address, similar to how Inside addresses are NATed to a single Outside address for internet connectivity? If so, are there any drawbacks? If not possible, why?

2) Is the reason for this NAT on incoming connections to the DMZ a security feature, to prevent DMZ hosts from opening connections to Inside hosts (unless specifically defined via static NAT and ACLs)?

Thanks in advance for your replies.

-rb

1 REPLY
Advisor

Hi,

1) Yes, it is doable; with PAT you can have in theory up to 65535 connections using the same NATed IP.

2) NAT from a lower security level to a higher security level was relaxed in FOS >= 7.1, where NAT-control was disabled.

Regards.

Alain.

Don't forget to rate helpful posts.
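As an added example (not from the original thread), here is how the two designs the question compares look in ASA object NAT syntax, plus a third form that keeps the pool but falls back to PAT when the pool is exhausted. It assumes ASA 8.3 or later syntax (the thread does not state the platform version) and the object names inside-net, dmz-nat-pool and dmz-pat-addr, as well as the 10.0.0.0/16 inside block, are made up for the example.

```cisco
! Constructed example: ASA 8.3+ object NAT. Object names and the inside
! address block are placeholders, not taken from the thread.
object network inside-net
 subnet 10.0.0.0 255.255.0.0

! Mapped-address objects used by the options below.
object network dmz-nat-pool
 range 192.168.200.1 192.168.200.99
object network dmz-pat-addr
 host 192.168.200.1

! An object carries only one nat statement, so options A, B and C are
! mutually exclusive: apply exactly one of them to inside-net.

! --- Option A: what the thread describes today (dynamic NAT, pool of 99) ---
! One mapped DMZ address per active inside host. Once all 99 are in use,
! the next inside host gets no translation and its connection is refused,
! which is the exhaustion the question reports.
object network inside-net
 nat (inside,dmz) dynamic dmz-nat-pool

! --- Option B: dynamic PAT to a single DMZ address (the reply's suggestion) ---
! All inside hosts share one mapped address; sessions are distinguished by
! translated source port, so the translation cannot run out of addresses.
object network inside-net
 nat (inside,dmz) dynamic dmz-pat-addr

! --- Option C: keep the pool, fall back to PAT when it is exhausted ---
! The trailing 'interface' keyword enables PAT fallback to the ASA's own DMZ
! interface address, so hosts beyond the 99th are still translated.
object network inside-net
 nat (inside,dmz) dynamic dmz-nat-pool interface

! Verification from enable mode after the change:
! show nat detail     - NAT rules with translate_hits / untranslate_hits
! show xlate count    - number of translations currently in use
```

With options B and C the DMZ side sees a shared address, so a DMZ host still cannot reach a specific inside host through it; that inbound path continues to require an explicit static NAT and a matching ACL, as the second question anticipates.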
