Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
702
Views
0
Helpful
3
Replies

Effect of NAT using PIXes on NTP

Go to solution
GrumpyBear
Level 1
Level 1

‎08-13-2010 12:54 PM - edited ‎03-11-2019 11:25 AM

Hello,

I have a couple of Stratum 2 NTP servers I have to move out to our DMZ.  My problem is that the IP addresses they use are very well known and hard coded in appliances by many manufacturers.  Futher complicating matters the subnets they reside upon are still in use by other hosts that have to remain inside our production network and will not be readdressed for a while.

In an ideal world I would simply readdress these servers into our DMZ address space then simply NAT the legacy addresses.  The DMZ firewalls are currently PIX 525s (they will be upgraded to ASA5580s later next quarter but I have to get all the stuff out to the DMZ first).

As these are running NTP the question is:

Do PIXes NAT in Hardware?  If not, we are concerned that processes on the control plane may cause variations in latency (i.e. jitter) that may affect the accuracy of the time reference.

These servers have a quiescent load of 40,000 sessions per hour and spike to loads in excess of 200,000 sessions per hour at times.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
andhingr
Cisco Employee
Cisco Employee

‎08-13-2010 05:07 PM

NAT always happens at cpu. We have not seen any issues with NTP server behind natted address.

- AD

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-13-2010 05:12 PM

NAT on PIX or ASA is not processed by the hardware, however, it should be capable of doing 200,000 NTP sessions per hour.

Here is the datasheet for PIX525 for your reference on what it could handle:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2118/product_data_sheet09186a0080091b09.html

Hope that helps.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andhingr
Cisco Employee
Cisco Employee

‎08-13-2010 05:07 PM

NAT always happens at cpu. We have not seen any issues with NTP server behind natted address.

- AD

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-13-2010 05:12 PM

NAT on PIX or ASA is not processed by the hardware, however, it should be capable of doing 200,000 NTP sessions per hour.

Here is the datasheet for PIX525 for your reference on what it could handle:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps2118/product_data_sheet09186a0080091b09.html

Hope that helps.

0 Helpful

Go to solution
GrumpyBear
Level 1
Level 1
In response to Jennifer Halim

‎08-16-2010 06:30 AM

Thanks but the data sheet does not indicate what the latency or jitter of a loaded PIX performing NAT is.

I suspect the only way to tell is empirically by trying it out and let the physicists monitor the service.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card