xlate per-session on ASA 9.1(3)

Marcelo Miranda
Level 1

Hi everyone,

When upgrading firewalls from 8.2(5) to 9.1(3)2 we noticed the following "xlate per-session" commands were included:

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

I understand those lines make our PATs multi-session; however, the configuration guide (http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_overview.html#pgfId-1094168) says the default was to have "xlate per-session permit":

"By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. See the “Configuring Per-Session PAT Rules” section on page 33-16."

I have all customer traffic working now, but the PAT pool is getting exhausted more frequently. I am concerned that if we enable per-session, it could break customer applications that we are not aware of.

So the question is: what was the default on 8.2(5) - per-session or multi-session?

If anyone experienced issues with per-session PAT, I'd be grateful if that can be shared.

Thank you

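To see what those deny rules do to individual flows, here is a small Python model added for this thread (not code from the poster or from Cisco). It parses the eight rules quoted above and assumes ASA evaluates per-session rules first-match, falling back to the documented default (TCP and UDP DNS per-session when no rule matches); `pat_mode`, `compare` and the sample flows are constructed, and "multi-session" is the label the model uses for any flow that is not per-session.

```python
import ipaddress

# ASA port keywords that can appear after "eq" in these rules (domain = DNS/53).
PORT_NAMES = {"domain": 53}

def parse_rule(line):
    """Parse 'xlate per-session {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[:2] != ["xlate", "per-session"] or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a per-session rule: {line!r}")
    port = None
    if len(t) > 7 and t[6] == "eq":
        port = PORT_NAMES.get(t[7]) or int(t[7])
    return {"action": t[2], "proto": t[3], "src": t[4], "dst": t[5], "port": port}

def addr_matches(keyword, addr):
    """'any' matches everything; any4/any6 match by address family only."""
    if keyword == "any":
        return True
    return {"any4": 4, "any6": 6}[keyword] == ipaddress.ip_address(addr).version

def pat_mode(rules, proto, src, dst, dport):
    """First matching rule wins (assumed); no match -> documented 9.x default."""
    for r in rules:
        if (r["proto"] == proto and addr_matches(r["src"], src)
                and addr_matches(r["dst"], dst)
                and (r["port"] is None or r["port"] == dport)):
            return "per-session" if r["action"] == "permit" else "multi-session"
    if proto == "tcp" or (proto == "udp" and dport == 53):
        return "per-session"
    return "multi-session"

# The eight deny rules the upgrade inserted (copied from the thread).
UPGRADE_RULES = [parse_rule(l) for l in """
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
""".split("\n") if l.strip()]

def compare(src="10.0.0.5", dst="203.0.113.10"):
    """Constructed flows: (with the upgrade's deny rules, without them)."""
    flows = [("tcp", 443), ("udp", 53), ("udp", 123)]
    return {f"{p}/{d}": (pat_mode(UPGRADE_RULES, p, src, dst, d),
                         pat_mode([], p, src, dst, d)) for p, d in flows}
```

Removing the deny rules moves every TCP and DNS flow back to per-session xlates that are torn down with their connection, which is what relieves pool exhaustion; plain UDP other than DNS is unaffected either way.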

Vibhor Amrodia
Cisco Employee

Hi,

This command is now enabled as a default behavior on the 9.x code.

So, this means that each xlate will be cleared on the basis of the related connection being cleared.

I think you can enable per-session to check if that resolves the issue with the pool exhaustion.

"show nat pool" would also be useful to verify the issue for you.

Thanks and Regards,

Vibhor Amrodia
