30 Levels of NAT Firewall Lab

So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there was 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me, I wonder how crap internet would be sitting behind 30 of those slow ass god awful to use and configure firewalls. So here are the results:

Network Diagram

(Click for larger image)

Sample PIX 501 conf:

[plain]
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com

ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full

route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface

access-list outbound permit any any
access-group outbound in interface inside

access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
[/plain]

Video of the Results

[youtube https://www.youtube.com/watch?v=BrlwzZZp8tM&w=640&h=390]

Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.

Related Posts

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…

nftables

Are you using the latest Linux kernel firewall?. Here are some notes I’ve saved that I use and forget all the time. I plan to add to…

RPM vs OPKG Cheat Sheet

Recently in the Terragraph project I work on we changed from RPM to OPKG to removes some dependencies (e.g. perl) and make our overall image size smaller….

Ansible + Handy PyPI CLI Tools

I often use a lot of PyPI CLI tools. Here is an example of how to get them easily installed and kept up to date via Ansible…

This Post Has 13 Comments

  1. I think the 12Mbps you saw was a result of the PIX’s CPU speed, since each packet needs to have its source or destination address edited while traversing the NAT table. You could also calculate the NAT latency as (47ms – 9ms (control) ) 30(number of nats).

    If you want it to really go to shit, try applying an inspect policy on those PIX’s!

    Great post.

  2. I didn’t expect that to go so well. I would have liked to see a bucket load of connections from clients at certain points to test what CGN would be like. Since your not using these pix’s, want to throw some my way ? I’ll pay postage.

  3. TBH 1/4th of the speed isn’t that bad for 30 levels, that is only ~2.5% per NAT level, which in itself seems a lot but really not. Imagine the average home users 15Mbps cable/DSL is now only 14.625Mbps, really no difference in the grand scheme.

    Well done on all that! I gather you are a Telstra employee, or at least had access to Telstra IPs? 😀

  4. I have many bad memories of using PIX501’s but I honestly didn’t expect such a small drop across each of them. Big thumbs up to the ‘video production’ and music selection as well 😉

  5. Wait, NAT *adds* latency? My god, you’ve discovered something everyone in the known universe already knows.

    For wasting your employer’s time you should be drawn, quarted and then sacked.

  6. Thanks all for the feedback.

    Michael – That would of been a good test.

    Joshua – No I work @ ANSTO – AS45128 – 137.157.0.0/16 🙂

    Legacy – All done out of hours buddy. Can’t get sacked when approved to do so. Latency increase is well known, but could of you calculated the decrease in throughput when having 30 PIX’s? I doubt it, nor did not expect that result.

Leave a Reply

Your email address will not be published.