1) Why not just use public IPs? 2) Why not (if not 1) have more than 1 outbound path/NAT device?
On Tue, Dec 3, 2013 at 5:05 PM, Andy Litzinger <andy.litzin...@theplatform.com> wrote:
> Hi all,
> We have a pool of around 100 file transfer clients. They reach out to
> publicly addressed servers on the net to get and put files. Rather than burn
> 100 public v4 addresses for the clients, we've traditionally had these guys
> behind a firewall performing source NAT/PAT overloading about 10 IPs.
>
> Recently we've been seeing increases in the amount of throughput to/from the
> servers through the FW. Within the next 12 mos I expect we'll want to
> support 10Gbps. Since buying a firewall that supports 10Gbps is fairly
> expensive I thought I'd seek out alternative ideas before we blindly purchase
> a bigger firewall. Also, a stateful firewall seems like a bit of overkill
> for what is actually required. I'm confident we can limit our FTP support to
> passive connections, which should remove the requirement of using a device
> that supports active FTP (i.e. application inspection).
>
> Currently we're using a Juniper SRX550 to do this (which replaced an
> overwhelmed ASA 5520). Avg packet size we see according to the SRX is 1000
> bytes.
>
> thanks!
> -andy