I plan to have 6 interfaces/security zones with several IPs representing multiple web server farms (through a third-party load balancer). My question is this: would you design everything behind the firewall with private IPs and NAT them through the firewall to the public Internet? Would there be a performance hit in doing it this way, e.g. CPU utilization? Our other choice is using our intended public IPs for the farms and access-listing them at the firewall.
The Pix will perform NAT regardless of whether you use it or not. What I mean is, if you decide to use public addresses on the DMZ, you can disable NAT, which in essence tells the Pix to NAT the traffic from the DMZ to the same address. There should be no performance hit, since this is part of the normal process of the Pix.
Which Pix firewall do you plan to use? The Pix 515 performs at about 180 Mbps cleartext, the 525 performs at about 300 Mbps cleartext, and the 535 performs at 1.7 Gbps cleartext.
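As an added illustration (not configuration posted in this thread), here is what the two designs from the reply look like in PIX 6.x-style syntax; the interface names, addresses and access-list name are placeholders chosen for the example.

```cisco
! Added example, PIX 6.x syntax, placeholder addresses.
! Pick ONE of the two DMZ layouts below; both end with the same access-list.

! --- Option 1: private addresses on the DMZ, static NAT to public ---
nameif ethernet2 dmz security50
ip address dmz 10.10.10.1 255.255.255.0
! load-balancer VIP 10.10.10.10 is reachable from outside as 203.0.113.10
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255

! --- Option 2: public addresses on the DMZ, identity NAT ---
! (outside interface sits on a separate public subnet; the DMZ block
!  is "translated" to itself, so the Pix still builds an xlate entry)
! nameif ethernet2 dmz security50
! ip address dmz 203.0.113.1 255.255.255.0
! static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! Either way, inbound from the lower-security outside interface is
! denied until an access-list explicitly permits the farm's service ports.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
```

After changing static entries on a PIX, clear the existing translations (clear xlate) so the new mappings take effect for current sessions.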