09-10-2024 08:30 AM
I tested the ASA 5520 iperf3 to check its performance. I then wanted to add NAT to it to find out how much it was taxing the device. However, I kept having the problem that almost all traffic was untranslated.
The created objects are the same, i.e. 192.168.0.0/24, because the server address is 192.168.60.13 and the client address is 192.168.1.2.
How should I configure NAT on the ASA to test the impact of NAT?
09-10-2024 02:16 PM
Hello @krzysztofmaciejewskiit ,
What kind of operating system is running on your ASA?
Is it classic ASA software or FTD?
post output of
show version
and
show run | inc nat
Hope to help
Giuseppe
09-11-2024 01:46 AM
It is an ASA 5520 (software 9.1.(7)29 - old but for lab only).
interfaces:
object:
NAT:
xlate:
iperf3 server:
iperf3 client:
Without NAT the results are almost identical, I would expect a greater impact of NAT. I am also concerned about the untranslated entries. The server is in the inside zone and the client is in the iperf zone.
09-11-2024 01:52 AM
I don't think there is noticeable delay because of a single NAT in ASA, so with and without NAT there is no difference.
For un-translate: if the direction of NAT is from iperf to inside and traffic initiates from iperf, then the translate count increases; if the traffic initiates from inside, then the un-translate count increases.
It's normal.
But I don't know why you use dynamic; you need to run static NAT.
MHM
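As an added example (not configuration from the thread or from either poster), this is the shape a static object NAT rule takes on ASA 9.x for a lab like this one. The interface names inside and iperf and the object name SERVER-INSIDE are assumptions; the addresses are the ones given in the thread. Object NAT with the static keyword is bidirectional, so a single rule on the server object covers flows started from either side, and the show commands afterwards let you confirm which rule a flow matched and which counter moved before drawing conclusions from the iperf3 numbers.

```text
! Added example, not from the thread. Interface and object names are assumptions.
object network SERVER-INSIDE
 host 192.168.60.13
 nat (inside,iperf) static 192.168.60.13
!
! Reset the per-rule counters before each iperf3 run so the deltas are clean.
clear nat counters
!
! Confirm which rule the client's flow would match, and in which direction,
! before sending traffic (iperf3 listens on TCP 5201 by default).
packet-tracer input iperf tcp 192.168.1.2 40000 192.168.60.13 5201
!
! After the run: per-rule translate_hits / untranslate_hits, and the live xlate table.
show nat detail
show xlate
show conn
```

Running clear nat counters between the 100-stream and 1-stream runs avoids having to subtract the previous totals by hand, and packet-tracer shows the NAT phase for the flow without any traffic being sent.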
09-11-2024 03:40 AM
Thanks for the answer.
Why should I use static NAT in this case?
After changing to static NAT, I noticed two things.
To begin with: translate_hits = 0, untranslate_hits = 0.
iperf3 -c 192.168.60.13 -P 100
Hundred streams of iperf3 (translate_hits = 101 (+101), untranslate_hits = 0):
iperf3 -c 192.168.60.13
One iperf3 stream (translate_hits = 103 (+2), untranslate_hits = 74 (+74)):
The client in the iperf zone initiates a connection to the server in the inside zone.
09-11-2024 03:58 AM
And hence you see translate, and return traffic also hits NAT, and you see un-translate.
And that's what normal NAT looks like in ASA.
MHM
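The counters being discussed come from the translate_hits / untranslate_hits line that show nat detail prints under each rule. As an added example (not code from the thread), the script below parses two such snapshots and reports the per-rule deltas, which is the arithmetic done by hand earlier in the thread. The snapshot text is constructed to follow the ASA 9.x layout; the rule line, object name and counter values are sample data, not captured output.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots in the "show nat detail" layout (sample data, not
# output captured from the thread). Each rule line is followed by its counters.
SNAP_T0 = """\
Auto NAT Policies (Section 2)
1 (inside) to (iperf) source static SERVER-INSIDE 192.168.60.13
    translate_hits = 0, untranslate_hits = 0
"""

SNAP_T1 = """\
Auto NAT Policies (Section 2)
1 (inside) to (iperf) source static SERVER-INSIDE 192.168.60.13
    translate_hits = 101, untranslate_hits = 0
"""

SNAP_T2 = """\
Auto NAT Policies (Section 2)
1 (inside) to (iperf) source static SERVER-INSIDE 192.168.60.13
    translate_hits = 103, untranslate_hits = 74
"""

# "<n> (<real_ifc>) to (<mapped_ifc>) <rule text>"
RULE_RE = re.compile(r"^\d+\s+\(\S+\) to \(\S+\) .+$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_nat_hits(output: str) -> Dict[str, Tuple[int, int]]:
    """Map each NAT rule line to its (translate_hits, untranslate_hits)."""
    hits: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if RULE_RE.match(stripped):
            current = stripped          # remember the rule the next counter line belongs to
            continue
        m = HITS_RE.search(stripped)
        if m and current is not None:
            hits[current] = (int(m.group(1)), int(m.group(2)))
            current = None
    return hits


def hit_deltas(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Per-rule growth of both counters between two snapshots.

    Rules absent from the earlier snapshot are treated as starting at zero.
    """
    b = parse_nat_hits(before)
    deltas = {}
    for rule, (t1, u1) in parse_nat_hits(after).items():
        t0, u0 = b.get(rule, (0, 0))
        deltas[rule] = (t1 - t0, u1 - u0)
    return deltas


def describe(deltas: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """Say which counter moved for each rule, as a plain label for a report."""
    labels = {}
    for rule, (dt, du) in deltas.items():
        if dt and du:
            labels[rule] = "both directions"
        elif dt:
            labels[rule] = "translate only"
        elif du:
            labels[rule] = "untranslate only"
        else:
            labels[rule] = "no change"
    return labels


if __name__ == "__main__":
    for rule, d in hit_deltas(SNAP_T1, SNAP_T2).items():
        print(rule, "->", d, describe({rule: d})[rule])
```

Feed it two saved copies of show nat detail (before and after an iperf3 run, or the two runs being compared) and it prints the same (+translate, +untranslate) pair per rule that the thread computes by hand.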
09-11-2024 06:09 AM
I don't quite understand.
This command: iperf3 -c 192.168.60.13 -P 100 only affects the fact that we create 100 streams, after its execution I have 101 translated hits (I assume that the 1 is some kind of initiation).
However, when I execute this command: iperf3 -c 192.168.60.13 (which is one stream of the one above it), it only adds us two translated hits (which is probably iperf3 test + initiation) and as many as 74 untranslated hits. Why, when I run 100 streams, don't I have any untranslated hits? It is, after all, in theory the same command, only instead of one stream there is only one.
09-11-2024 07:02 AM
can you share the wireshark of both traffic
MHM
09-20-2024 02:12 PM
Both traffic, that is, you mean from the zone iperf and inside? Or 1 stream from zone iperf and 100 streams from zone iperf?
Because unfortunately I made Wireshark from zone iperf for 1 and 100 streams, but the files are too big and I am not able to upload them.
09-21-2024 03:20 AM
No need, friend. I will try to run a lab and check one point in my mind.
Update you later
MHM
09-11-2024 03:50 AM
Hello @krzysztofmaciejewskiit ,
>> Without NAT the results are almost identical, I would expect a greater impact of NAT
An ASA firewall works by using NAT by default, so I think what you see in your tests is normal.
The results are different for a software based IOS XE router where we can expect some reduction in performance caused by NAT.
Hope to help
Giuseppe