For years, our firewall has been configured with a set of dynamic NAT rules in the DMZ, to dynamically assign an IP address in the DMZ for incoming connections from hosts on the Inside. The pool was set up as the block of addresses in the /24 network (192.168.200.1 - 192.168.200.99).
Well, we periodically run into problems where the number of simultaneous connections from Inside hosts to DMZ hosts exceeds 99, so any additional connection attempts are refused because the dynamic address pool is depleted. (We have nearly 5000 Inside hosts.)
So, I have two questions:
1) Is there a reason why this address pool could not be deleted and replaced with a dynamic PAT translation, where all incoming connections from the Inside would be NATed to a single DMZ address, similar to how Inside addresses are NATed to a single Outside address for internet connectivity? If so, are there any drawbacks? If not possible, why?
2) Is the reason for this NAT on incoming connections to the DMZ a security feature, to prevent DMZ hosts from opening connections to Inside hosts (unless specifically defined via static NAT and ACLs)?
Thanks in advance for your replies.
-rb
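An added example, not part of the original post, modelling the two translation styles the question contrasts: dynamic NAT with the post's 99-address pool, which refuses a new Inside host once the pool is empty, and dynamic PAT on one DMZ address, which tells flows apart by translated port and forwards a DMZ-initiated packet only when a translation already exists. The PAT address, the port range, one pool address per Inside host, and the constructed Inside addresses are all assumptions.

```python
POOL = [f"192.168.200.{i}" for i in range(1, 100)]   # the post's 99-address pool
PAT_ADDRESS = "192.168.200.1"                         # assumption: the single PAT address
PAT_PORTS = range(1024, 65536)                        # assumption: ports usable for PAT

class DynamicNat:
    """One pool address per Inside host that has a translation; refuses when empty."""
    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}                     # inside_ip -> pool address
    def outbound(self, inside_ip, inside_port):
        if inside_ip not in self.table:
            if not self.free:
                return None                 # pool depleted: new host is refused
            self.table[inside_ip] = self.free.pop(0)
        return (self.table[inside_ip], inside_port)

class DynamicPat:
    """All Inside flows share one address; the translated port tells them apart."""
    def __init__(self, address, ports):
        self.address = address
        self.free = iter(ports)
        self.table = {}                     # (inside_ip, inside_port) -> (addr, port)
    def outbound(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            port = next(self.free, None)
            if port is None:
                return None                 # whole port space in use
            self.table[key] = (self.address, port)
        return self.table[key]
    def inbound(self, dst_port):
        """A DMZ-initiated packet is forwarded only if it hits an existing translation."""
        for inside, mapped in self.table.items():
            if mapped == (self.address, dst_port):
                return inside
        return None                         # no translation: packet is dropped

def refused_hosts(translator, n_hosts):
    """Count Inside hosts that cannot open even one connection to the DMZ."""
    refused = 0
    for i in range(n_hosts):
        host = f"10.{(i >> 8) & 255}.{i & 255}.1"   # constructed Inside addresses
        if translator.outbound(host, 40000) is None:
            refused += 1
    return refused

if __name__ == "__main__":
    print("dynamic NAT, hosts refused:", refused_hosts(DynamicNat(POOL), 5000))                  # 4901
    print("dynamic PAT, hosts refused:", refused_hosts(DynamicPat(PAT_ADDRESS, PAT_PORTS), 5000))  # 0
```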