227 Views | 0 Helpful | 2 Replies

PIX525, NAT, and multiple interfaces

jrchgtrrz
Level 1

I plan to have 6 interfaces/security zones with several IPs representing multiple web server farms (through a third-party load balancer). My question is this: would you design everything behind the firewall with private IPs and NAT them through the firewall to the public Internet? Would there be a performance hit in doing it this way, e.g. CPU utilization? Our other choice is using our intended public IPs for the farms and access-listing them at the firewall.

Thanks in advance.

2 Replies

pcomeaux
Cisco Employee

The PIX will perform NAT regardless of whether you use it or not. What I mean is, if you decide to use public addresses on the DMZ, you can disable NAT, which in essence tells the PIX to NAT the traffic from the DMZ to the same address. There should be no performance hit, since this is part of the normal process of the PIX.

Which PIX firewall do you plan to use? The PIX 515 performs at about 180 Mbps cleartext, the 525 at about 300 Mbps cleartext, and the 535 at 1.7 Gbps cleartext.

peter
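As an added illustration of the two designs discussed above (not configuration from either poster), here is a PIX 6.x-style fragment showing a farm VIP published with a real translation versus the identity ("same address") static the reply describes, with the same outside ACL protecting it in both cases. Interface names and the 10.10.10.0/24 and 203.0.113.0/24 addresses are constructed placeholders.

```text
: Common: the outside ACL is what actually limits what reaches the farm VIPs,
: whichever addressing scheme is chosen. Only the load balancer's listener
: ports are opened; nothing else on the DMZ is reachable from outside.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

: Option A: private addressing on the DMZ, translated at the firewall.
: The load balancer VIP 10.10.10.10 is reachable from outside as 203.0.113.10.
nameif ethernet2 dmz security50
ip address dmz 10.10.10.1 255.255.255.0
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255

: Option B (instead of A): public addressing directly on the DMZ.
: The identity static maps the address to itself, so the PIX still builds
: its normal translation slot but leaves the address unchanged, which is
: what "disabling NAT" means on this platform. The ACL above still applies.
nameif ethernet2 dmz security50
ip address dmz 203.0.113.1 255.255.255.0
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
```

Whichever option is used, `show xlate` will list a translation for the VIP once traffic flows, which is the visible sign that the PIX is handling the session the same way in both designs.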

OK, bear with me, I have many questions.

1. What would be the performance hit with NAT on the DMZ? If we have significant inter-zone traffic (across interfaces) what are the performance limits?

2. So if we use public IPs on the DMZ, there should be no issue, since we can disable NAT?

3. We are planning to use the 525, with the failover option. Can the second 525 be used in an active-active config?

Thanks in advance,

Jericho
