Advice on v4 NAT for farm of file transfer clients
Hi all, We have a pool of around 100 file transfer clients. They reach out to publicly addressed servers on the net to get and put files. Rather than burn 100 public v4 addresses for the clients, we've traditionally had these guys behind a firewall performing source NAT/PAT overloading onto about 10 IPs.

Recently we've been seeing increases in the amount of throughput to/from the servers through the FW. Within the next 12 months I expect we'll want to support 10Gbps. Since buying a firewall that supports 10Gbps is fairly expensive, I thought I'd seek out alternative ideas before we blindly purchase a bigger firewall. Also, a stateful firewall seems like a bit of overkill for what is actually required. I'm confident we can limit our FTP support to passive connections, which should remove the requirement of using a device that supports active FTP (i.e. application inspection).

Currently we're using a Juniper SRX550 to do this (which replaced an overwhelmed ASA 5520). Average packet size we see according to the SRX is 1000 bytes.

thanks! -andy
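The post above describes source NAT/PAT overloading roughly 100 clients onto about 10 public IPv4 addresses and restricting FTP to passive mode so that no application inspection is needed. The following is an added example for this thread, not code from the original poster or from any firewall vendor: a toy PAT table in Python that shows the two points a practitioner would want to check before replacing the stateful box, namely the concurrent-flow capacity of a small address pool, and why passive FTP traverses plain PAT while active FTP needs an ALG. The client, pool and server addresses and the PASV reply are constructed from documentation ranges.

```python
"""Toy source-NAT/PAT translator for a pool of public IPv4 addresses.

Added example for this thread; not code from the original post or from any
firewall vendor. Addresses (10.0.1.x clients, 198.51.100.x pool,
203.0.113.10 server) are constructed documentation ranges.
"""
import hashlib
import re

# Source ports a translator may hand out per public IP (assumed range).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PatTable:
    """Many private (ip, port) flows overloaded onto a few public IPs."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> (pub_ip, pub_port)
        self.inbound = {}    # (pub_ip, pub_port) -> (src_ip, src_port)
        self.next_port = {ip: EPHEMERAL_LOW for ip in self.pool}

    def capacity(self):
        """Upper bound on concurrent translated flows: one public port per flow."""
        return len(self.pool) * (EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)

    def public_ip_for(self, src_ip):
        """Sticky choice: a client always leaves on the same public IP, so a
        server that ties a session to the source address keeps working."""
        h = int(hashlib.sha256(src_ip.encode()).hexdigest(), 16)
        return self.pool[h % len(self.pool)]

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Client-initiated packet: allocate (or reuse) a public ip:port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:
            return self.outbound[key]
        pub_ip = self.public_ip_for(src_ip)
        pub_port = self.next_port[pub_ip]
        if pub_port > EPHEMERAL_HIGH:
            raise RuntimeError(f"port pool exhausted on {pub_ip}")
        self.next_port[pub_ip] = pub_port + 1
        self.outbound[key] = (pub_ip, pub_port)
        self.inbound[(pub_ip, pub_port)] = (src_ip, src_port)
        return pub_ip, pub_port

    def translate_inbound(self, pub_ip, pub_port):
        """Packet arriving from the internet: only flows we already mapped are
        known. Returns None for anything else, i.e. the packet is dropped."""
        return self.inbound.get((pub_ip, pub_port))


def parse_pasv(reply):
    """Extract server ip and data port from a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_transfer(nat, client_ip, server_ip, pasv_reply):
    """Passive FTP: control and data connections are both client-initiated,
    so plain PAT handles them with no application inspection."""
    ctrl = nat.translate_outbound(client_ip, 40000, server_ip, 21)
    data_ip, data_port = parse_pasv(pasv_reply)
    data = nat.translate_outbound(client_ip, 40001, data_ip, data_port)
    return ctrl, data


def active_transfer(nat, client_ip, server_ip):
    """Active FTP: the client sends 'PORT h1,h2,h3,h4,p1,p2' carrying its
    private address and the server connects back to it. Without an ALG that
    rewrites the PORT payload and pre-opens a mapping, the server's SYN either
    goes to the unroutable private address or reaches the public IP with no
    table entry; this models the latter, which returns None (dropped)."""
    ctrl = nat.translate_outbound(client_ip, 40000, server_ip, 21)
    pub_ip, _ = ctrl
    client_data_port = 40002  # port the client announced in PORT
    return ctrl, nat.translate_inbound(pub_ip, client_data_port)


if __name__ == "__main__":
    nat = PatTable([f"198.51.100.{i}" for i in range(1, 11)])  # 10 public IPs
    print("max concurrent flows:", nat.capacity())
    ctrl, data = passive_transfer(nat, "10.0.1.5", "203.0.113.10",
                                  "227 Entering Passive Mode (203,0,113,10,195,80)")
    print("passive ctrl/data mapped to:", ctrl, data)
    _, reverse = active_transfer(PatTable(["198.51.100.1"]), "10.0.1.5", "203.0.113.10")
    print("active data connection inbound mapping:", reverse)
```

The capacity figure is the thing to compare against the real conntrack or session table limit and the flow rate at 10Gbps; a translator that keys only on public ip:port (as this toy does) is exhausted far sooner than one that keys on the full 5-tuple, so check which your replacement box actually does.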
1) Why not just use public IPs? 2) Why not (if not 1) have more than one outbound path/NAT device? On Tue, Dec 3, 2013 at 5:05 PM, Andy Litzinger <Andy.Litzinger@theplatform.com> wrote: