Multi-Session/Per-Session PAT

Hello,

Multi-Session/Per-Session PAT: I don't quite get the difference between those. Where is the technical difference? I read the config guide and command reference, but the explanation is not clear enough for me. It only lists advantages and disadvantages, but not the actual difference. What is considered a session in this case? I understand that per-session scales better because of decreased timeouts and the possibility to cluster. But why is this not possible in multi-session mode? And why are there protocols that "profit" from multi-session PAT, such as H.323, SIP, or Skinny?

Thanks for any explanation.

Florian

5 REPLIES

Multi-Session/Per-Session PAT

Hello Florian,

With Per-Session PAT, as soon as the connection being used is terminated the ASA will remove the XLATE; no more TIME_WAIT state. It does not use the PAT timeout.

With Multi-Session, after the connection is terminated we will need to wait for the PAT timeout (30 seconds), so basically it uses the PAT timeout.

So, a huge improvement on the network with Per-Session PAT.

Is it clear now?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Multi-Session/Per-Session PAT

Hello jcarvaja,

Sorry, not really. Or is this the only technical difference between the two methods?

Let me try to guess: does per-session PAT mean that each TCP connection (even if it comes from the same initiating host) will potentially be PATed to a different IP in the PAT pool, while multi-session PAT makes sure that the initiating host will always be PATed to the same IP in the pool?

Florian

Multi-Session/Per-Session PAT

Hello Florian,

We are talking about how we use the ASA resources.

You are doing PAT with a single IP address.

With multi-session PAT, when a host connects to an HTTP server, performs the required transactions and closes the connection, the ASA will hold the port used on the PAT for 30 seconds (the XLATE timeout).

With per-session PAT, as soon as the connection is closed the port can be used again.

It's all about the scalability of PAT, that's all.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Multi-Session/Per-Session PAT

OK Julio, thank you for this explanation. So it seems that the only technical difference is the way the termination of the PAT sessions is done.

Do you have an idea why only per-session PAT is supported in an ASA cluster? I suspect it might have something to do with synchronisation of states between the cluster members.

I'm also wondering why certain protocols (SIP, H.323 etc.) have problems with the per-session PAT mode. According to the documentation, it's these protocols which might need exception rules implemented to work correctly (so that these connections are still handled with multi-session PAT, while all others use per-session PAT).

greetings
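An added ASA configuration example to put the two explanations above side by side: the multi-session hold time Julio describes, the default per-session rules, and the kind of exception rules this post refers to for SIP, H.323 and Skinny. This is not from any post in this thread or from Cisco's documentation; it assumes an ASA 9.x release where per-session PAT is enabled by default for TCP (and UDP DNS), and the port numbers are the standard well-known signalling ports, not values taken from the thread.

```cisco
! Added example, not from the thread. Assumes ASA 9.x defaults.

! Multi-session behaviour: when a connection closes, its PAT port is held
! until the pat-xlate timeout expires before it can be reused.
! Default is 0:00:30 (30 seconds); this line only restates the default.
timeout pat-xlate 0:00:30

! Default per-session rules (shown by "show running-config all xlate").
! Matching TCP connections release their PAT port as soon as they end,
! so no pat-xlate hold applies to them.
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

! Exceptions (assumed ports): a deny rule makes the matching traffic use
! multi-session PAT, so the signalling session's port is kept across the
! keepalives these protocols rely on. Only IPv4 is covered here; add
! any6 variants if IPv6 signalling traffic is translated too.
! SIP signalling, TCP 5060
xlate per-session deny tcp any4 any4 eq 5060
! H.323 call setup (H.225), TCP 1720
xlate per-session deny tcp any4 any4 eq 1720
! Skinny (SCCP), TCP 2000
xlate per-session deny tcp any4 any4 eq 2000

! Verification: list the effective per-session rules, then watch whether a
! closed connection's translation disappears immediately (per-session) or
! lingers for the pat-xlate timeout (multi-session).
show running-config all xlate
show xlate
```

To check the effect on a lab box, open and close a short connection through the PAT rule and run show xlate right after: a translation that matches a per-session permit rule is gone immediately, while one matching a deny rule (or a non-TCP flow outside the defaults) stays visible for the pat-xlate timeout. The deny rules should be kept as narrow as possible, since every flow they match falls back to the 30-second port hold that per-session PAT was introduced to avoid.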

Multi-Session/Per-Session PAT

Hello Florian,

I guess you are right about the cluster one.

"I'm also wondering why certain protocols (SIP, H.323 etc.) have problems with the per-session PAT mode."

That would be because of how those protocols work: they will exchange keepalives to maintain the session, but at the same time the devices will use that same connection to exchange the audio/video, so it will never need to be closed.

That's my point of view.

Regards

Hey, remember to rate all of the helpful posts; it's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC