FWSM Resource Issue - Statics vs Xlates - Need Help

martinezaw

Hi All,

According to Cisco, an entire FWSM blade (across all contexts) can only support 2048 statics. There is also a finite limit of xlates available (though I don't know that number).

We had a customer that was using a large amount of statics (for identity nat). We did no nat-control and got rid of them. All seemed well. For our contexts we only allow a certain percentage of usage of the FWSM's resources per context. Now we see this customer hitting up against the xlate resources limit.

Is this coincidence? Does removing the configured statics cause the xlates to increase in some way? I thought the same xlate would happen whether you use a static or not.

Can someone please help me understand? I just want to see if there is a correlation between the configured identity nat statics being removed and an increased usage in xlate resources... or is this unrelated?

Thanks!

Hi Bro

Yes, the Cisco FWSM has a fixed system resource limit. As you’ve mentioned, the maximum number of NAT statements is 2048 divided between all contexts, while the maximum number of concurrent NAT translations (xlates) is 262,144 divided between all contexts. These figures can be found in http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/specs_f.html#wp1053672

I believe even though you have removed all the “static” commands, you still have a couple of “nat/global” commands, am I right?

Yes, by removing the configured static commands, this does cause the xlates count to increase. For example, as shown below:

static (inside,outside) 202.188.45.10 192.168.1.10 netmask 255.255.255.255

global (outside) 1 202.188.45.3

nat (inside) 1 192.168.1.0 255.255.255.0

In this example, originally, when 192.168.1.10 wants to access a device on the outside segment, the IP address 192.168.1.10 will be translated to 202.188.45.10. Now that you’ve removed the static command, when 192.168.1.10 wants to access a device on the outside segment, the IP address 192.168.1.10 will be translated to 202.188.45.3. That means now, everything in 192.168.1.XXX will translate to 202.188.45.3 when accessing a device on the outside segment.

Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:

hostname(config)#xlate-bypass

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

In my case, we were dealing with identity nats, so natting to itself. Removed a bunch of statics like the one below and was wondering if this would cause xlates to increase and if so why.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

We ended up lowering the xlate timeout and may also do xlate-bypass.

I have exactly the same problem. I have many cases like:

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

And arrived at the limit:

statics 2048 2048 2048 61 System

If I enable "xlate-bypass", can I delete these lines without problem?

Thank you!
