I have a couple of Stratum 2 NTP servers I have to move out to our DMZ. My problem is that the IP addresses they use are very well known and hard coded in appliances by many manufacturers. Further complicating matters, the subnets they reside upon are still in use by other hosts that have to remain inside our production network and will not be readdressed for a while.
In an ideal world I would simply readdress these servers into our DMZ address space then simply NAT the legacy addresses. The DMZ firewalls are currently PIX 525s (they will be upgraded to ASA5580s later next quarter but I have to get all the stuff out to the DMZ first).
As these are running NTP the question is:
Do PIXes NAT in Hardware? If not, we are concerned that processes on the control plane may cause variations in latency (i.e. jitter) that may affect the accuracy of the time reference.
These servers have a quiescent load of 40,000 sessions per hour and spike to loads in excess of 200,000 sessions per hour at times.