Effect of NAT using PIXes on NTP

Answered Question
Aug 13th, 2010

Hello,

I have a couple of Stratum 2 NTP servers I have to move out to our DMZ. My problem is that the IP addresses they use are very well known and hard coded in appliances by many manufacturers. Further complicating matters, the subnets they reside upon are still in use by other hosts that have to remain inside our production network and will not be readdressed for a while.

In an ideal world I would simply readdress these servers into our DMZ address space then simply NAT the legacy addresses.  The DMZ firewalls are currently PIX 525s (they will be upgraded to ASA5580s later next quarter but I have to get all the stuff out to the DMZ first).

As these are running NTP the question is:

Do PIXes NAT in Hardware?  If not, we are concerned that processes on the control plane may cause variations in latency (i.e. jitter) that may affect the accuracy of the time reference.

These servers have a quiescent load of 40,000 sessions per hour and spike to loads in excess of 200,000 sessions per hour at times.

Correct Answer by Jennifer Halim about 6 years 4 months ago

NAT on PIX or ASA is not processed by the hardware; however, it should be capable of doing 200,000 NTP sessions per hour.

Here is the datasheet for PIX525 for your reference on what it could handle:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2118/product_data_sheet09186a0080091b09.html

Hope that helps.

Correct Answer by andhingr about 6 years 4 months ago

NAT always happens at the CPU. We have not seen any issues with an NTP server behind a NATed address.

- AD


GrumpyBear Mon, 08/16/2010 - 06:30

Thanks but the data sheet does not indicate what the latency or jitter of a loaded PIX performing NAT is.

I suspect the only way to tell is empirically by trying it out and let the physicists monitor the service.
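The empirical measurement suggested above can be scripted. This is an added example, not code from the thread or from Cisco: an SNTP probe that sends mode-3 requests, computes the RFC 4330 offset and round-trip delay for each reply, and reports jitter as the spread of delay across samples, which is where variable NAT processing time would show up. `host` is whichever address (NATed or not) you want to compare, and `fake_reply` is a constructed server reply so the arithmetic can be checked offline.

```python
import socket
import statistics
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
SNTP_FORMAT = "!BBbbIIIQQQQ"   # 48-byte header: flags, stratum, poll, precision, 3x32-bit, 4x64-bit stamps

def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP fixed-point timestamp."""
    secs = int(unix_ts)
    return ((secs + NTP_EPOCH_OFFSET) << 32) | int((unix_ts - secs) * 2**32)

def from_ntp(ntp_ts):
    """64-bit NTP fixed-point timestamp -> Unix float seconds."""
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / 2**32

def build_request(t1):
    """Client request: LI=0, VN=4, mode=3; our send time t1 goes in the transmit field."""
    return struct.pack(SNTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))

def fake_reply(t1, t2, t3):
    """Constructed stratum-2 server reply (mode 4) for offline testing; echoes t1 as originate."""
    return struct.pack(SNTP_FORMAT, 0x24, 2, 0, 0, 0, 0, 0, 0, to_ntp(t1), to_ntp(t2), to_ntp(t3))

def offset_and_delay(reply, t4):
    """RFC 4330 clock offset and round-trip delay for a reply received at local time t4."""
    f = struct.unpack(SNTP_FORMAT, reply[:48])
    t1, t2, t3 = from_ntp(f[8]), from_ntp(f[9]), from_ntp(f[10])
    delay = (t4 - t1) - (t3 - t2)          # path time only; server processing time is removed
    offset = ((t2 - t1) + (t3 - t4)) / 2   # assumes both legs of the path take equal time
    return offset, delay

def summarize(samples):
    """Jitter = standard deviation of round-trip delay over a list of (offset, delay) samples."""
    offsets = [o for o, _ in samples]
    delays = [d for _, d in samples]
    return {"mean_delay": statistics.mean(delays),
            "jitter": statistics.pstdev(delays),
            "offset_spread": max(offsets) - min(offsets)}

def probe(host, count=20, interval=1.0, port=123):
    """Query a live server `count` times across whatever path (NAT included) sits in between."""
    samples = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2.0)
        for _ in range(count):
            t1 = time.time()
            s.sendto(build_request(t1), (host, port))
            reply, _ = s.recvfrom(48)
            samples.append(offset_and_delay(reply, time.time()))
            time.sleep(interval)
    return summarize(samples)
```

Run `probe()` once against the server's direct address and once against its NATed address and compare the `jitter` values; a difference well below the servers' required accuracy means the PIX is not a concern.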
