Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
226
Views
0
Helpful
2
Replies

Any Performance Degradation with NATing?

haithamnofal
Level 3
Level 3

‎05-16-2006 12:34 AM - edited ‎03-09-2019 02:55 PM

Hi There,

I have an agent which sends syslog messages to a syslog server on a different zone through my PIX 535 FW. The number of events which my agent sends can reach up to 100 million events per day. My questions are:

1- If I configured NATing between these 2 zones, will their be any performance degradation on the PIX 535 FW. In other words, is there a certian limitation to the number of connections I can do NATing for in PIX?

2- Would their be any improvement if I configured regular routing (i.e. if I configured the "static" command to route the subnet and to do any translation (e.g. static (dmz1,dmz2) 10.10.10.10 10.10.10.10 net 255.255.255.255) over the regular NATing (NAT and Global), will this minimize the overhead on the PIX?

3- Would it make any difference if the translated connections were TCP or UDP (i.e. will the overhead be lower on my PIX if the traffic was UDP traffic)?

Appreciate any input on this.

Thanks,

Haitham

Labels:
0 Helpful
2 Replies 2

Fernando_Meza
Level 7
Level 7

‎05-16-2006 09:15 PM

Hi ... in regards to your questions:

1.- when you use static NAT you can limit the ammount of simultaneows connections and also the ammount of half open sessions. By default these are set to unlimited.

2.- I am not really sure what you mean .

3.- because of the nature of TCP ( connection oriented ) compared to UDP ( connectionless ). The firewall will use more resources maintaning TCp sessions than UDP ones.

I hope it helps .. please rate it it fit does !!!

0 Helpful

haithamnofal
Level 3
Level 3
In response to Fernando_Meza

‎05-16-2006 10:51 PM

Hi Fernando,

Thanks for your response... I know that theoritically the number is unlimited in terms of number of sessions and static translations the PIX can handle but is it practicially feasible to implement this or would it affect the performance of my PIX?

Point#2 is related to my question above, so if I used routing instead of NATing between the 2 zones I'm having communication between them, will this offload some of the resource utilization as compared to NATing?

In summary, would you recommend me going ahead with doing static translation for hundred millions of connections per day?

Thanks,

Haitham

0 Helpful
Customers Also Viewed These Support Documents