30 Levels of NAT Firewall Lab

Saturday, April 16, 2011

So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there was 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me, I wonder how crap internet would be sitting behind 30 of those slow ass god awful to use and configure firewalls. So here are the results:

Network Diagram

(Click for larger image)

Sample PIX 501 conf:

hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com

ip address inside 10.N.0.1
ip address outside 10.N1.0.2
interface ethernet0 auto
interface ethernet1 100full

route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0
global (outside) 1 interface

access-list outbound permit any any
access-group outbound in interface inside

access-list ping_acl permit icmp any any
access-group ping_acl in interface outside

Video of the Results

[youtube https://www.youtube.com/watch?v=BrlwzZZp8tM&w=640&h=390]

Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.


  1. Alex says:

    I think the 12Mbps you saw was a result of the PIX’s CPU speed, since each packet needs to have its source or destination address edited while traversing the NAT table. You could also calculate the NAT latency as (47ms – 9ms (control) ) 30(number of nats).

    If you want it to really go to shit, try applying an inspect policy on those PIX’s!

    Great post.

  2. David Martin says:

    Love it! What happened @ 31? Or did you run out of PIX’s?

  3. I didn’t expect that to go so well. I would have liked to see a bucket load of connections from clients at certain points to test what CGN would be like. Since your not using these pix’s, want to throw some my way ? I’ll pay postage.

  4. Joshua D'Alton says:

    TBH 1/4th of the speed isn’t that bad for 30 levels, that is only ~2.5% per NAT level, which in itself seems a lot but really not. Imagine the average home users 15Mbps cable/DSL is now only 14.625Mbps, really no difference in the grand scheme.

    Well done on all that! I gather you are a Telstra employee, or at least had access to Telstra IPs? 😀

  5. GTRoberts says:

    I have many bad memories of using PIX501’s but I honestly didn’t expect such a small drop across each of them. Big thumbs up to the ‘video production’ and music selection as well 😉

  6. Legacy says:

    Wait, NAT *adds* latency? My god, you’ve discovered something everyone in the known universe already knows.

    For wasting your employer’s time you should be drawn, quarted and then sacked.

  7. cooper says:

    Thanks all for the feedback.

    Michael – That would of been a good test.

    Joshua – No I work @ ANSTO – AS45128 – 🙂

    Legacy – All done out of hours buddy. Can’t get sacked when approved to do so. Latency increase is well known, but could of you calculated the decrease in throughput when having 30 PIX’s? I doubt it, nor did not expect that result.

  8. JL says:

    Awesome, another interesting test could have been UDP vs TCP using something like iperf.

  9. Graham Brown says:

    Awesome video guys!

  10. Joshua D'Alton says:

    @Thomas what part?

  11. Phil says:

    Wow. I’ve seen NAT44 and NAT444, but never NAT4444444444444444444444444444444.

Leave a Reply

Pingbacks & Trackbacks

  1. Internets of Interest:21 Apr 11 - Pingback on 2011/04/22
  2. NAT64: it’s all about the legacy content | David's CCIE Blog - Pingback on 2012/08/01