Dynamic NAT vs Dynamic PAT for DMZ

ronbuchalski
Level 1

For years, our firewall has been configured with a set of dynamic NAT rules in the DMZ, to dynamically assign an IP address in the DMZ for incoming connections from hosts on the Inside.  The pool was set up as the block of addresses in the /24 network (192.168.200.1 - 192.168.200.99).

Well, we periodically run into problems where the number of simultaneous connections from Inside hosts to DMZ hosts exceeds 99, so any additional connection attempts are refused, because the dynamic address pool is depleted.  (We have nearly 5000 inside hosts)

So, I have two questions:

1) Is there a reason why this address pool could be deleted and replaced with a dynamic PAT translation, where all incoming connections from the Inside would be NATed to a single DMZ address, similar to how Inside addresses are NATed to a single Outside address for internet connectivity? If so, are there any drawbacks? If not possible, why?

2) Is the reason for this NAT on incoming connections to the DMZ a security feature, to prevent DMZ hosts from opening connections to Inside hosts (unless specifically defined via static NAT and ACLs)?

Thanks in advance for your replies.

-rb


cadet alain
VIP Alumni

Hi,

1) Yes, it is doable; with PAT you can have, in theory, up to 65535 connections using the same NATed IP.

2) NAT from a lower security level to a higher security level was relaxed in FOS >= 7.1, where NAT-control was disabled.

Regards.

Alain.

Don't forget to rate helpful posts.
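As an added illustration of the two designs discussed in the question and the reply (this is not configuration from the thread), the exhaustible dynamic NAT pool and its dynamic PAT replacement side by side in ASA 8.3+ twice-NAT syntax. The Inside subnet (10.0.0.0/16) and the PAT address (192.168.200.100) are assumed placeholders; the pool range is the one from the question.

```cisco
! Added example, not from the thread. Constructed values:
! Inside = 10.0.0.0/16 (assumed), DMZ pool = 192.168.200.1-99 (from the question),
! DMZ PAT address = 192.168.200.100 (assumed unused). ASA 8.3+ object syntax.

object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
object network DMZ-NAT-POOL
 range 192.168.200.1 192.168.200.99
object network DMZ-PAT-ADDR
 host 192.168.200.100

! (a) Existing design: dynamic NAT pool. Each active Inside host holds one
!     pool address; once 99 are in use, further Inside hosts get no xlate
!     and their connections are dropped.
nat (inside,dmz) source dynamic INSIDE-NET DMZ-NAT-POOL

! (b) Replacement: dynamic PAT to one DMZ address. All Inside hosts share
!     192.168.200.100 and are told apart by mapped source port, so roughly
!     64k concurrent flows per protocol instead of 99 hosts.
!     Drawback: DMZ-side logs and ACLs see a single source address, so a
!     DMZ host can no longer distinguish which Inside host is talking to it.
no nat (inside,dmz) source dynamic INSIDE-NET DMZ-NAT-POOL
nat (inside,dmz) source dynamic INSIDE-NET DMZ-PAT-ADDR

! (c) Middle ground: keep the 1:1 pool for attribution and fall back to PAT
!     on the dmz interface address only when the pool is exhausted.
! nat (inside,dmz) source dynamic INSIDE-NET DMZ-NAT-POOL interface

! Neither form authorizes DMZ-initiated traffic toward Inside. On 8.3+ NAT
! is not required for traffic to pass, so the ACL applied to the dmz
! interface (plus the default lower-to-higher deny) is the actual control.

! Verification after the change: xlate usage and per-rule hit counts.
show xlate count
show nat detail
```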
