So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there were 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me: I wonder how crap the internet would be sitting behind 30 of those slow ass, god awful to use and configure firewalls. So here are the results:
Network Diagram
Sample PIX 501 conf:
[plain]
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com
ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full
route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface
access-list outbound permit any any
access-group outbound in interface inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
[/plain]
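As an added example (not code from the original post), here is a small Python script that renders the template above for all 30 boxes, parses the addressing lines back out, and checks that the chain is wired consistently: each box's default route must point at the next box's inside address, and each nat statement must actually cover its inside subnet. It assumes N1 = N + 1 (the outside network of firewall N is the inside network of firewall N + 1) and that the last firewall's default route points at an upstream router at 10.31.0.1; the client address 10.1.0.10 is a constructed sample. It also prints the source address a client packet carries after each PAT hop, which is what "30 levels of NAT" looks like on the wire.

```python
"""Generate and sanity-check the chained PIX 501 configs from the post.

Added example, not part of the original post. Assumes N1 = N + 1 and that the
last firewall's default route points at an upstream router at 10.(COUNT+1).0.1.
"""
import re
from dataclasses import dataclass

COUNT = 30  # number of PIX 501s in the chain, as in the post

# Config template copied from the post; {n} replaces N and {n1} replaces N1.
TEMPLATE = """\
hostname fw{n}
password cisco
enable password cisco
domain-name cooperlees.com
ip address inside 10.{n}.0.1 255.255.255.0
ip address outside 10.{n1}.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full
route outside 0 0 10.{n1}.0.1
nat (inside) 1 10.{n}.0.0 255.255.255.0
global (outside) 1 interface
access-list outbound permit any any
access-group outbound in interface inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
"""


def render_config(n: int) -> str:
    """Return the config for firewall number n (1-based), filling N and N1 = N + 1."""
    return TEMPLATE.format(n=n, n1=n + 1)


@dataclass
class PixFacts:
    hostname: str
    inside: str        # inside interface address
    outside: str       # outside interface address
    next_hop: str      # default route next hop
    nat_network: str   # network covered by the "nat (inside) 1" statement
    nat_mask: str


def parse_config(text: str) -> PixFacts:
    """Pull the addressing lines out of a PIX 6.x style config."""
    def grab(pattern: str) -> tuple:
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"missing line matching {pattern!r}")
        return m.groups()

    (hostname,) = grab(r"^hostname (\S+)$")
    (inside,) = grab(r"^ip address inside (\S+) \S+$")
    (outside,) = grab(r"^ip address outside (\S+) \S+$")
    (next_hop,) = grab(r"^route outside 0 0 (\S+)$")
    nat_network, nat_mask = grab(r"^nat \(inside\) 1 (\S+) (\S+)$")
    return PixFacts(hostname, inside, outside, next_hop, nat_network, nat_mask)


def same_subnet(a: str, b: str, mask: str = "255.255.255.0") -> bool:
    """True if addresses a and b fall in the same network under the dotted mask."""
    def to_int(addr: str) -> int:
        return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")
    m = to_int(mask)
    return to_int(a) & m == to_int(b) & m


def check_chain(count: int = COUNT) -> list:
    """Return wiring problems for a chain of `count` firewalls (empty list == OK)."""
    boxes = [parse_config(render_config(n)) for n in range(1, count + 1)]
    problems = []
    for i, fw in enumerate(boxes):
        # The nat statement must cover the inside subnet, or hosts leave untranslated.
        if not same_subnet(fw.nat_network, fw.inside, fw.nat_mask):
            problems.append(f"{fw.hostname}: nat scope {fw.nat_network} misses inside {fw.inside}")
        # The default route next hop must sit on the outside interface's subnet.
        if not same_subnet(fw.next_hop, fw.outside):
            problems.append(f"{fw.hostname}: next hop {fw.next_hop} not on outside subnet")
        # Except for the last box, the next hop must be the next firewall's inside address.
        if i + 1 < len(boxes) and fw.next_hop != boxes[i + 1].inside:
            problems.append(f"{fw.hostname}: next hop {fw.next_hop} != {boxes[i + 1].hostname} inside")
    return problems


def translation_path(client_ip: str = "10.1.0.10", count: int = COUNT) -> list:
    """Source address a client packet carries after each PAT hop.

    "global (outside) 1 interface" means every box overloads its outside address,
    so after firewall N the packet is sourced from 10.(N+1).0.2.
    """
    path = [client_ip]  # constructed sample client behind fw1
    for n in range(1, count + 1):
        path.append(parse_config(render_config(n)).outside)
    return path


if __name__ == "__main__":
    print(render_config(1))
    print("problems:", check_chain() or "none")
    print(" -> ".join(translation_path()))
```

Run it as-is to print fw1's config, the check result, and the 31-address translation path; change COUNT to match however many boxes you actually have in the cupboard.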
Video of the Results
[youtube https://www.youtube.com/watch?v=BrlwzZZp8tM&w=640&h=390]
Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.
I think the 12Mbps you saw was a result of the PIX’s CPU speed, since each packet needs to have its source or destination address edited while traversing the NAT table. You could also calculate the NAT latency as (47ms – 9ms (control)) / 30 (number of NATs).
If you want it to really go to shit, try applying an inspect policy on those PIX’s!
Great post.
Love it! What happened @ 31? Or did you run out of PIX’s?
I didn’t expect that to go so well. I would have liked to see a bucket load of connections from clients at certain points to test what CGN would be like. Since you’re not using these PIXs, want to throw some my way? I’ll pay postage.
TBH 1/4 of the speed isn’t that bad for 30 levels, that is only ~2.5% per NAT level, which in itself seems a lot but really isn’t. Imagine the average home user’s 15Mbps cable/DSL is now only 14.625Mbps, really no difference in the grand scheme.
Well done on all that! I gather you are a Telstra employee, or at least had access to Telstra IPs? 😀
I have many bad memories of using PIX501’s but I honestly didn’t expect such a small drop across each of them. Big thumbs up to the ‘video production’ and music selection as well 😉
Wait, NAT *adds* latency? My god, you’ve discovered something everyone in the known universe already knows.
For wasting your employer’s time you should be drawn, quartered and then sacked.
Thanks all for the feedback.
Michael – That would have been a good test.
Joshua – No I work @ ANSTO – AS45128 – 137.157.0.0/16 🙂
Legacy – All done out of hours buddy. Can’t get sacked when approved to do so. Latency increase is well known, but could you have calculated the decrease in throughput when having 30 PIXs? I doubt it, nor did I expect that result.
Awesome, another interesting test could have been UDP vs TCP using something like iperf.
Awesome video guys!
@Thomas what part?
Wow. I’ve seen NAT44 and NAT444, but never NAT4444444444444444444444444444444.
[…] dead end. Layered NAT is even more broken than regular NAT or NAT64 (although it’s possible to do 30 layers of NAT and still have some connectivity). You have also not addressed the IPv4 address exhaustion […]