
Regarding Xlate info in ASA

venkatappan
Level 1

Generally, in a static 1-to-1 NAT, the output of show xlate shows as below, right?

ham-vpn-fw/ham-vpn-fw# sh xlate | in 172.20.164.139 

NAT from outside:10.90.0.18 to cbtsmgmt:172.20.164.139 

ham-vpn-fw/ham-vpn-fw#

But in one of my cases it is showing as below:

ham-vpn-fw/ham-vpn-fw-of2# sh xlate | in 172.22.201.6
    10.27.18.56, 10.57.14.129, 10.27.14.18 to cbtsmgmt:172.22.201.1, 172.22.201.2, 172.22.201.3, 172.22.201.4, 172.22.201.5, 172.22.201.6
    10.27.17.4 to cbtsmgmt:172.22.201.65, 172.22.201.66,
    172.22.201.67, 172.22.201.68
ham-vpn-fw/ham-vpn-fw-of2#

What is the difference between them?

1 Reply

Ben Weber
Level 1

The NAT configuration on ham-vpn-fw-of2 appears to have been done using a range of network objects.

The first set of external IPs are non-contiguous and map to a higher number of internal IPs than external IPs. If you do not configure this, it would be worth understanding the reasoning behind this design as it is not immediately obvious from the snippet.

The second NAT translation on ham-vpn-fw-of2 is a one-to-many static NAT configuration.

If there are no particular design requirements forcing either of these NAT configurations, it would be highly recommended to transition to dynamic NAT overload (aka PAT) as it is much easier to maintain for generic use cases.

- BW
Please rate posts if they have been helpful.
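
Added example (not part of either post and not Cisco tooling): a small Python parser for the show xlate lines pasted in the question. It rejoins wrapped address lists and counts the addresses on each side of "to", which is what separates the one-to-one entry from the other two. The function names, and the rule that a line without " to " continues the previous entry, are assumptions based only on the output shown in this thread.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Output lines copied from the question above (CLI prompt lines omitted).
SAMPLE = """\
NAT from outside:10.90.0.18 to cbtsmgmt:172.20.164.139
    10.27.18.56, 10.57.14.129, 10.27.14.18 to cbtsmgmt:172.22.201.1, 172.22.201.2, 172.22.201.3, 172.22.201.4, 172.22.201.5, 172.22.201.6
    10.27.17.4 to cbtsmgmt:172.22.201.65, 172.22.201.66,
    172.22.201.67, 172.22.201.68
"""

def join_wrapped(text):
    """Return one string per xlate entry, merging wrapped address lists."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "#" in line:   # blank line or CLI prompt
            continue
        if " to " in line:            # start of a new entry
            entries.append(line)
        elif entries:                 # assumed: continuation of the previous entry
            entries[-1] += " " + line
    return entries

def classify(entry):
    """Count addresses before and after ' to ' and name the mapping shape."""
    left, _, right = entry.partition(" to ")
    n_from, n_to = len(IPV4.findall(left)), len(IPV4.findall(right))
    if n_from == 1 and n_to == 1:
        kind = "one-to-one"
    elif n_from == 1:
        kind = "one-to-many"
    elif n_to == 1:
        kind = "many-to-one"
    else:
        kind = "many-to-many"
    return kind, n_from, n_to

def report(text):
    return [classify(e) for e in join_wrapped(text)]

if __name__ == "__main__":
    for kind, n_from, n_to in report(SAMPLE):
        print(f"{kind:13} {n_from} address(es) -> {n_to} address(es)")
```

Entries where the two counts differ are the ones worth tracing back to the network objects in the NAT configuration.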