30 Levels of NAT Firewall Lab

So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there were 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me: I wonder how bad the internet would be sitting behind 30 of those slow, god-awful-to-configure firewalls, each doing its own layer of NAT. So here are the results:

Network Diagram


Sample PIX 501 config. N is the firewall's position in the chain (1 to 30) and N1 is the next level (N+1), so each firewall's outside address sits on the next firewall's inside subnet and its default route points at that firewall's inside address. The inside ACL lets everything out, the outside ACL only lets ICMP in so pings can be traced through the whole chain, and the "cisco" passwords are lab-only placeholders:

[plain]
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com

ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full

route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface

access-list outbound permit ip any any
access-group outbound in interface inside

access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
[/plain]
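Typing that config 30 times by hand is error-prone, and a wrong octet on one hop silently breaks the chain. The generator below is an added example, not from the original post: it renders the template above for every level under the addressing scheme the sample config implies (fwN inside 10.N.0.1/24, outside 10.(N+1).0.2/24, default route to fw(N+1)'s inside address), then checks that every hop's default route really lands on the next hop's inside address. The function names and the 254-level ceiling (the second octet must stay below 255) are this example's own.

```python
"""Generate and sanity-check the per-hop PIX 501 configs for an N-level NAT chain.

Added example; not code from the original post. Assumes the addressing scheme
implied by the sample config: fwN has inside 10.N.0.1/24 and outside 10.(N+1).0.2/24,
and its default route points at fw(N+1)'s inside address. The "cisco" passwords are
the lab-only placeholders from the post.
"""

TEMPLATE = """hostname fw{n}
password cisco
enable password cisco
domain-name cooperlees.com

ip address inside 10.{n}.0.1 255.255.255.0
ip address outside 10.{n1}.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full

route outside 0 0 10.{n1}.0.1
nat (inside) 1 10.{n}.0.0 255.255.255.0
global (outside) 1 interface

access-list outbound permit ip any any
access-group outbound in interface inside

access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
"""


def render(n):
    """Config text for the n-th firewall in the chain (1-based)."""
    return TEMPLATE.format(n=n, n1=n + 1)


def chain(levels):
    """Configs for fw1..fw<levels>, keyed by level number."""
    if not 1 <= levels <= 254:
        # 10.(levels+1).0.0 must still be a valid second octet
        raise ValueError("levels must be between 1 and 254")
    return {n: render(n) for n in range(1, levels + 1)}


def next_hop(cfg):
    """Default-route next hop parsed from a rendered config."""
    for line in cfg.splitlines():
        if line.startswith("route outside "):
            return line.split()[-1]
    raise ValueError("no default route in config")


def inside_addr(cfg):
    """Inside interface address parsed from a rendered config."""
    for line in cfg.splitlines():
        if line.startswith("ip address inside "):
            return line.split()[3]
    raise ValueError("no inside address in config")


def check_chain(configs):
    """True if every hop's default route is the next hop's inside address.

    The last hop's next hop is the upstream router, so it is not checked here.
    """
    levels = max(configs)
    for n in range(1, levels):
        if next_hop(configs[n]) != inside_addr(configs[n + 1]):
            return False
    return True


if __name__ == "__main__":
    cfgs = chain(30)
    print("chain consistent:", check_chain(cfgs))
    print("upstream next hop for fw30:", next_hop(cfgs[30]))
    print(cfgs[1])
```

Run it to print fw1's config and confirm the chain is consistent; fw30's default route (10.31.0.1) is the one address the check does not cover, since that is the upstream router rather than another PIX.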

Video of the Results

Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.

13 thoughts on “30 Levels of NAT Firewall Lab”

  1. I think the 12Mbps you saw was a result of the PIX’s CPU speed, since each packet needs to have its source or destination address edited while traversing the NAT table. You could also calculate the NAT latency as (47ms – 9ms (control)) / 30 (number of NATs).

    If you want it to really go to shit, try applying an inspect policy on those PIXs!

    Great post.


  2. I didn’t expect that to go so well. I would have liked to see a bucket load of connections from clients at certain points to test what CGN would be like. Since you’re not using these PIXs, want to throw some my way? I’ll pay postage.


  3. TBH 1/4th of the speed isn’t that bad for 30 levels, that is only ~2.5% per NAT level, which in itself seems a lot but really not. Imagine the average home user’s 15Mbps cable/DSL is now only 14.625Mbps, really no difference in the grand scheme.

    Well done on all that! I gather you are a Telstra employee, or at least had access to Telstra IPs? 😀


  4. I have many bad memories of using PIX 501s but I honestly didn’t expect such a small drop across each of them. Big thumbs up to the ‘video production’ and music selection as well 😉


  5. Wait, NAT *adds* latency? My god, you’ve discovered something everyone in the known universe already knows.

    For wasting your employer’s time you should be drawn, quartered and then sacked.


  6. Thanks all for the feedback.

    Michael – That would have been a good test.

    Joshua – No I work @ ANSTO – AS45128 – 137.157.0.0/16 🙂

    Legacy – All done out of hours, buddy. Can’t get sacked when approved to do so. The latency increase is well known, but could you have calculated the decrease in throughput when having 30 PIXs? I doubt it, nor did I expect that result.

