Dynamic NAT vs Dynamic PAT for DMZ

ronbuchalski
Level 1

For years, our firewall has been configured with a set of dynamic NAT rules in the DMZ, to dynamically assign an IP address in the DMZ for incoming connections from hosts on the Inside.  The pool was set up as the block of addresses in the /24 network (192.168.200.1 - 192.168.200.99).

Well, we periodically run into problems where the number of simultaneous connections from Inside hosts to DMZ hosts exceeds 99, so any additional connection attempts are refused, because the dynamic address pool is depleted.  (We have nearly 5000 inside hosts)

So, I have two questions:

1) Is there a reason why this address pool could be deleted and replaced with a dynamic PAT translation, where all incoming connections from the Inside would be NATed to a single DMZ address, similar to how Inside addresses are NATed to a single Outside address for internet connectivity? If so, are there any drawbacks? If not possible, why?

2) Is the reason for this NAT on incoming connections to the DMZ a security feature, to prevent DMZ hosts from opening connections to Inside hosts (unless specifically defined via static NAT and ACLs)?

Thanks in advance for your replies.

-rb

1 Reply

cadet alain
VIP Alumni

Hi,

1) Yes, it is doable; with PAT you can have, in theory, up to 65535 connections using the same NATed IP.

2) NAT from a lower security level to a higher security level was relaxed in FOS >= 7.1, where nat-control was disabled.

Regards.

Alain.

Don't forget to rate helpful posts.
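The two designs discussed above, side by side, as an added example that is not from either post: pre-8.3 ASA/PIX NAT syntax, with the 192.168.200.0/24 pool from the question and an assumed PAT address of 192.168.200.100.

```cisco
! Added example, not the original poster's configuration. Pre-8.3 syntax.
! The interface names (inside, dmz), nat id 1 and 192.168.200.100 are assumptions.

! --- Original design: dynamic NAT with a 99-address DMZ pool ---
! Dynamic NAT hands out one mapped address per inside host that holds an
! active translation toward the DMZ. With ~5000 inside hosts and only 99
! addresses, new translations fail as soon as the pool is exhausted.
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 192.168.200.1-192.168.200.99 netmask 255.255.255.0

! --- Alternative: dynamic PAT on a single DMZ address ---
! A global entry with a single address is PAT: every inside host shares
! 192.168.200.100 and connections are told apart by translated source port,
! so capacity is bounded by available ports, not by the number of hosts.
! Caveat for logging and detection: DMZ hosts now see one source address for
! all inside traffic, so per-host attribution has to come from the firewall's
! xlate table or its syslog records, not from DMZ-side logs.
no global (dmz) 1 192.168.200.1-192.168.200.99 netmask 255.255.255.0
global (dmz) 1 192.168.200.100 netmask 255.255.255.0

! --- Or keep both under the same nat id ---
! The firewall uses the pool first and falls back to PAT once the pool is
! exhausted, which preserves per-host addresses for the first 99 hosts.
! global (dmz) 1 192.168.200.1-192.168.200.99 netmask 255.255.255.0
! global (dmz) 1 192.168.200.100 netmask 255.255.255.0

! nat-control (whether traffic crossing interfaces must match a NAT rule at
! all) is a separate setting from the pool-versus-PAT choice made here.
```

After the change, `show xlate count` shows how many translations are in use, which is the number that was hitting the 99-address ceiling before.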