I have a couple of Stratum 2 NTP servers I have to move out to our DMZ. My problem is that the IP addresses they use are very well known and hard coded in appliances by many manufacturers. Further complicating matters, the subnets they reside upon are still in use by other hosts that have to remain inside our production network and will not be readdressed for a while.
In an ideal world I would simply readdress these servers into our DMZ address space then simply NAT the legacy addresses. The DMZ firewalls are currently PIX 525s (they will be upgraded to ASA5580s later next quarter but I have to get all the stuff out to the DMZ first).
As these are running NTP the question is:
Do PIXes NAT in Hardware? If not, we are concerned that processes on the control plane may cause variations in latency (i.e. jitter) that may affect the accuracy of the time reference.
These servers have a quiescent load of 40,000 sessions per hour and spike to loads in excess of 200,000 sessions per hour at times.
NAT on PIX or ASA is not processed by the hardware, however, it should be capable of doing 200,000 NTP sessions per hour.
Here is the datasheet for PIX525 for your reference on what it could handle:
Hope that helps.
NAT always happens at the CPU. We have not seen any issues with an NTP server behind a NATted address.
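Added example, not from this thread: one way to check the jitter concern raised in the question is to measure offset and round-trip delay per RFC 5905 against the NATted address and compute clock-filter jitter over the samples. Everything below is constructed (timestamps, one-way delays, the `GPS` reference ID); the server-side numbers are assumptions, and the asymmetric delays stand in for a NAT path whose forward and return latency differ.

```python
import math
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP era-0 epoch (1900) to the Unix epoch (1970)

def to_ntp(t):
    """Unix float seconds -> 64-bit NTP timestamp fields (seconds, 2^-32 fraction)."""
    sec = int(t)
    return sec + NTP_UNIX_DELTA, int(round((t - sec) * 2**32)) % 2**32

def from_ntp(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_reply(t1, t2, t3, stratum=2):
    """Constructed NTPv4 server reply (mode 4) for offline testing; not a packet capture."""
    header = struct.pack("!BBBbII4s", (4 << 3) | 4, stratum, 6, -20, 0, 0, b"GPS\x00")
    stamps = to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)  # reference, origin, receive, transmit
    return header + struct.pack("!8I", *stamps)

def measure(reply, t1, t4):
    """Offset and round-trip delay of one exchange (RFC 5905 on-wire protocol).
    t1/t4 are the client's transmit/receive times; t2/t3 are read from the reply."""
    f = struct.unpack("!BBBbII4s8I", reply[:48])
    if f[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-5:  # origin must echo our transmit stamp
        raise ValueError("origin timestamp mismatch (stray or spoofed reply)")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay, f[1]

def peer_jitter(samples):
    """RMS of offset differences against the lowest-delay sample, as the RFC 5905 clock filter does."""
    base = min(samples, key=lambda s: s[1])[0]
    return math.sqrt(sum((o - base) ** 2 for o, _, _ in samples) / max(len(samples) - 1, 1))

def simulate(path_delays, true_offset=0.002, proc=0.0001, start=1700000000.0):
    """Constructed exchanges: the server clock is ahead by true_offset; each tuple is the
    (forward, return) one-way delay. Symmetric delay cancels out of the offset; asymmetric
    delay (e.g. a slower NAT path in one direction) leaks in as offset scatter, i.e. jitter."""
    samples = []
    for i, (d_fwd, d_back) in enumerate(path_delays):
        t1 = start + 64 * i                 # one poll per 64 s, client clock
        t2 = t1 + d_fwd + true_offset       # server's (offset) clock at receive
        t3 = t2 + proc                      # server's clock at transmit
        t4 = t1 + d_fwd + proc + d_back     # client's clock at receive
        samples.append(measure(build_reply(t1, t2, t3), t1, t4))
    return samples

if __name__ == "__main__":
    s = simulate([(0.0003, 0.0003), (0.0008, 0.0002), (0.0002, 0.0006), (0.0004, 0.0004)])
    for off, dly, st in s:
        print(f"stratum {st}  offset {off * 1e3:+.3f} ms  delay {dly * 1e3:.3f} ms")
    print(f"jitter {peer_jitter(s) * 1e6:.0f} us")
```

Against a live server you would replace `simulate` with a UDP/123 exchange, taking t1 and t4 from the client clock, and compare the jitter seen via the NATted address with the jitter seen via the server's real address.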