More secure to not use interface IP in NAT?

Cooky

Golden Member
Apr 2, 2002
We're about to deploy a new firewall w/ a new Internet circuit at a remote site.
Instead of using the external interface IP to do NAT overloading, I'd like to use a different IP.
My thought was if that NAT IP is under attack, we can choose to use a different IP, or some other action, but still maintain connectivity, basically w/ more options & granularity.

That's what we're already doing at our head-end datacenters, but this would be the first at a remote campus.

Do most people do it this way as well, or do they mostly just use the interface IP for simplicity?
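The two designs being compared, side by side, as an added illustration that is not from the thread. It assumes an IOS-style NAT configuration (the thread never names the platform); the interface names and the 203.0.113.0/24 addresses are constructed, and the /28 pool block is assumed to be routed to this firewall by the carrier.

```cisco
! --- Form 1: overload on the outside interface address ---
! All sessions egress as 203.0.113.1, the link address itself.
! Changing it means renumbering the circuit with the carrier.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.20.0.1 255.255.255.0
 ip nat inside
ip access-list standard INSIDE-HOSTS
 permit 10.20.0.0 0.0.0.255
ip nat inside source list INSIDE-HOSTS interface GigabitEthernet0/0 overload

! --- Form 2: overload on a pool address separate from the interface ---
! 203.0.113.16/28 is a constructed block the carrier routes to this
! firewall; the link stays 203.0.113.0/30 and is never renumbered.
ip nat pool EGRESS-POOL 203.0.113.17 203.0.113.17 netmask 255.255.255.240
ip nat inside source list INSIDE-HOSTS pool EGRESS-POOL overload

! Moving egress from .17 to .18 within the same routed block:
! detach the pool, drop live translations (exec mode), redefine, reattach.
no ip nat inside source list INSIDE-HOSTS pool EGRESS-POOL overload
clear ip nat translation *
no ip nat pool EGRESS-POOL 203.0.113.17 203.0.113.17 netmask 255.255.255.240
ip nat pool EGRESS-POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240
ip nat inside source list INSIDE-HOSTS pool EGRESS-POOL overload
```

Rotation only helps if the whole pool block is routed to the firewall in advance; the link address on GigabitEthernet0/0 is still reachable from the Internet, so traffic aimed at it is not affected by which pool address is in use.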
 

alkemyst

No Lifer
Feb 13, 2001
You'd have to have multiple OUTSIDE IPs to use then. If that is the case, then it works just like any NAT... however, I don't see the advantage, because if the OUTSIDE IP is compromised you'd have to change again.

Maybe I am missing something you are explaining.

Cooky

Golden Member
Apr 2, 2002
That's it - there's a pool of IPs we can rotate through.
If the interface IP is under attack though, it's a hassle to change it w/ the carrier.

alkemyst

No Lifer
Feb 13, 2001
> That's it - there's a pool of IPs we can rotate through.
> If the interface IP is under attack though, it's a hassle to change it w/ the carrier.

You would need routing, I haven't done this...but it doesn't solve the problem if your public IP is violated at the very top level.