cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
537
Views
0
Helpful
3
Replies

Real IP vs. Nat in the DMZ

k.nebroski
Level 1
Level 1

I'm having issues with my PIX 515E running 6.3(3). We have several different servers with real internet 64.xxx addresses already assigned. I need to setup a outside,DMZ, inside and 1 other zone. My Internet provider has allocated one other IP for the outside interface and I have 128 addresses for my DMZ machines. Would it be better ( more efficient,etc) to use a non-routeable IP addresses for those DMZ machines and let the PIX nat them, or is it the same to just assign them there real addresses?

Thanks in advanced.

Kevin

3 Replies 3

ehirsel
Level 6
Level 6

Does the orginization that you work for own the real 64.xxx addresses? Or were they already provided for you by the service provider? If you own the addresses, then the advantage of using the real ip is that it won't change (unless you merger with another org and for some reason have to hand the real ip's back) If you don't own the address, and wind up changing providers later on, then using NAT has the advantage of not rec-configuring the DMZ devices during the provider change over.

Another area to look for is if you are using protocols in the DMZ that do not lend themselves well to NAT. If this is not your case then one other factor to examine is this: if you decide to use NAT, what is the level of difficulty that you will face during the IP address change (i.e., LDAP database reconfiguration, dhcp/dns, internal route changes).

As far as the pix firewall is concerned, it will operate at the basically the same level of efficiency whether or not you use nat - I would be surprised if the traffic takes one more millisecond to process due to NAT. I have not read doc anywhere that suggests that the PIX performs less due to nat/pat.

My opinion is to figure out what internal route and internal/external dns and config changes need to be done to accomodate a real-to-private ip address change and let that be your determining factor,. An this assumes that you own your address. If not, you may want to keep the real as is, but go thru the what-if-I change exericize to realize what needs done in the case of a provicer change.

Let me know if this helps.

Thanks for the reply. We don't own the addresses, but don't see a change for quite some time. Our DMZ servers are built and with any luck I shouldn't have to change any of them. My issue is that I have a couple of 1720 routers now looking after 4 zones, and when I implemented the PIX using the same 4 zone addresses I funny things happening like my mail server not being able to send to one site out of about 75. Also I had what seem to be time-out type problems between my internal zones. And I was wondering if it was because my dmz machines had the real address and a couple of them access devices in my inside zone.

Please post your pix config, and also run the show timeout command and post them here, scrubbing sensitive info.

Also, let me know the host ip address of the mail server, and if mail guard is turned on.

I'll see if I can help fix your issues.