03-27-2003 01:59 PM - edited 03-09-2019 02:40 AM
I plan to have 6 interfaces/security zones with several IPs representing multiple web server farms (through a 3rd party load balancer). My question is this: would you design everything behind the firewall with private IPs and NAT them through the firewall to the public Internet? Would there be a performance hit in doing it this way, e.g. CPU utilization? Our other choice is using our intended public IPs for the farms and access-list them at the firewall.
Thanks in advance.
03-27-2003 06:05 PM
The PIX will perform NAT regardless of whether you use it or not. What I mean is if you decide to use public addresses on the DMZ, you can disable NAT, which in essence tells the PIX to NAT the traffic from the DMZ to the same address. There should be no performance hit since this is part of the normal process of the PIX.
Which PIX firewall do you plan to use? The PIX 515 performs at about 180 Mbps cleartext, the 525 performs about 300 Mbps cleartext, and the 535 performs at 1.7 Gbps cleartext.
peter
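The two addressing options discussed in this thread, side by side, as an added configuration sketch that is not from either poster. It assumes PIX OS 6.x command syntax; the interface name `dmz1`, the ACL name `acl_out`, and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed placeholders.

```cisco
: ---- Option A: private addresses on the DMZ, translated by the PIX ----
nameif ethernet2 dmz1 security50
ip address dmz1 10.1.1.1 255.255.255.0
: Map the load balancer VIP 10.1.1.10 to a public address on the outside
static (dmz1,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
: Inbound traffic still needs an explicit permit to the translated address
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-list acl_out permit tcp any host 203.0.113.10 eq 443
access-group acl_out in interface outside

: ---- Option B: public addresses on the DMZ, "NAT disabled" ----
nameif ethernet2 dmz1 security50
ip address dmz1 198.51.100.1 255.255.255.0
: Identity static: the subnet is translated to itself, which is the
: "NAT to the same address" behaviour described in the reply above
static (dmz1,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
: Same filtering as option A, written against the real server address
access-list acl_out permit tcp any host 198.51.100.10 eq www
access-list acl_out permit tcp any host 198.51.100.10 eq 443
access-group acl_out in interface outside
```

In both options the outside interface admits only what `acl_out` permits, so the choice between private and public DMZ addressing changes the address plan, not the filtering posture.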
03-27-2003 06:15 PM
OK, bear with me, I have many questions.
1. What would be the performance hit with NAT on the DMZ? If we have significant inter-zone traffic (across interfaces) what are the performance limits?
2. So if we use public IPs on the DMZ, there should be no issue, since we can disable NAT?
3. We are planning to use the 525, with the failover option. Can the second 525 be used in an active-active config?
Thanks in advance,
Jericho