ASA performance test using iperf3 - NAT problem

I tested the ASA 5520 with iperf3 to check its performance. I then wanted to add NAT to it to find out how much it was taxing the device. However, I kept having the problem that almost all traffic was untranslated.

The created objects are the same, i.e. 192.168.0.0/24, because the server address is 192.168.60.13 and the client address is 192.168.1.2. 
How should I configure NAT on the ASA to test the impact of NAT?

Accepted Solution
Hello @krzysztofmaciejewskiit ,

>> Without NAT the results are almost identical, I would expect a greater impact of NAT

An ASA firewall works by using NAT by default, so I think what you see in your tests is normal.

The results are different for a software-based IOS XE router, where we can expect some reduction in performance caused by NAT.

Hope to help

Giuseppe

 


10 Replies

Giuseppe Larosa (Hall of Fame)

Hello @krzysztofmaciejewskiit ,

What kind of operating system is running on your ASA?

Is it classic ASA software or FTD?

Post the output of

show version

and

show run | inc nat

 

Hope to help

Giuseppe

It is an ASA 5520 (software 9.1.(7)29 - old but for lab only).

interfaces: (screenshots)

object: (screenshot)

NAT: (screenshots)

xlate: (screenshot)

iperf3 server: (screenshot)

iperf3 client: (screenshot)

Without NAT the results are almost identical; I would expect a greater impact from NAT. I am also concerned about the untranslated entries. The server is in the inside zone and the client is in the iperf zone.

I don't think there is a noticeable delay because of a single NAT in the ASA, so with and without NAT there is no difference.

For un-translate: if the direction of NAT is from iperf to inside and the traffic is initiated from iperf, then the translate count increases; if the traffic is initiated from inside, then the un-translate count increases.

It's normal.

But I don't know why you use dynamic; you need to run static NAT.

MHM

Thanks for the answer.
Why should I use static NAT in this case?

After changing to static NAT, I noticed two things.
To begin with: translate_hits = 0, untranslate_hits = 0.

iperf3 -c 192.168.60.13 -P 100
A hundred streams of iperf3 (translate_hits = 101 (+101), untranslate_hits = 0): (screenshot)

iperf3 -c 192.168.60.13
One iperf3 stream (translate_hits = 103 (+2), untranslate_hits = 74 (+74)):

The client in the iperf zone initiates a connection to the server in the inside zone.
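Added example (not from the thread or from Cisco): a small Python helper that parses the translate_hits/untranslate_hits counters from two `show nat` captures and reports the per-rule increase, which is the bookkeeping done by hand in the post above. The sample captures, interface names and object names are constructed placeholders.

```python
import re
from typing import Dict, Tuple

# Counter line the ASA prints under each NAT rule in "show nat".
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
# Rule line that precedes each counter line: "<n> (<src-if>) to (<dst-if>) <rule>".
RULE_RE = re.compile(r"^\s*(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+(.*)$")


def parse_show_nat(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {rule description: (translate_hits, untranslate_hits)} from 'show nat' output."""
    rules: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = f"{m.group(1)} ({m.group(2)}) to ({m.group(3)}) {m.group(4).strip()}"
            continue
        m = HITS_RE.search(line)
        if m and current:
            rules[current] = (int(m.group(1)), int(m.group(2)))
            current = None  # counters belong to the rule line just seen
    return rules


def hit_deltas(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Per-rule (translate, untranslate) increase between two captures; unseen rules start at 0."""
    b, a = parse_show_nat(before), parse_show_nat(after)
    return {rule: (t - b.get(rule, (0, 0))[0], u - b.get(rule, (0, 0))[1])
            for rule, (t, u) in a.items()}


# Constructed sample captures (placeholder object names, not the poster's config).
RULE = "1 (iperf) to (inside) source static obj-iperf-client obj-iperf-client"
BEFORE = f"Manual NAT Policies (Section 1)\n{RULE}\n    translate_hits = 0, untranslate_hits = 0\n"
AFTER_100_STREAMS = f"Manual NAT Policies (Section 1)\n{RULE}\n    translate_hits = 101, untranslate_hits = 0\n"
AFTER_1_STREAM = f"Manual NAT Policies (Section 1)\n{RULE}\n    translate_hits = 103, untranslate_hits = 74\n"

if __name__ == "__main__":
    for label, prev, cur in (("100 streams", BEFORE, AFTER_100_STREAMS),
                             ("1 stream", AFTER_100_STREAMS, AFTER_1_STREAM)):
        for rule, (dt, du) in hit_deltas(prev, cur).items():
            print(f"{label}: {rule}: translate +{dt}, untranslate +{du}")
```

Take a `show nat` capture before and after each iperf3 run and feed the pair to `hit_deltas` so the per-run increase is recorded rather than eyeballed from cumulative counters.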

And hence you see translate, and the return traffic also hits NAT, so you see un-translate.

And that is what normal NAT looks like in the ASA.

MHM

I don't quite understand.
This command: iperf3 -c 192.168.60.13 -P 100 only differs in that we create 100 streams; after its execution I have 101 translated hits (I assume that the 1 is some kind of initiation).

However, when I execute this command: iperf3 -c 192.168.60.13 (which is the one above with a single stream), it only adds two translated hits (which is probably the iperf3 test + initiation) and as many as 74 untranslated hits. Why, when I run 100 streams, don't I have any untranslated hits? It is, after all, in theory the same command, only instead of a hundred streams there is only one.

Can you share the Wireshark captures of both traffic flows?

MHM

Both traffic flows, that is, you mean from the iperf zone and inside? Or 1 stream from the iperf zone and 100 streams from the iperf zone?

Because unfortunately I made Wireshark captures from the iperf zone for 1 and 100 streams, but the files are too big and I am not able to upload them.

No need, friend. I will try to run a lab and check one point in my mind.

Update you later

MHM
