Introduction
To put it simply, the idle timer in the conn output shows the time since the last packet. The idle timer in the xlate shows the time since the last conn.
The timeout value in the xlate output begins when the last conn associated with the xlate is torn down.
Dynamic PAT Example Output:
ciscoasa# sh conn | i 23
TCP outside 10.10.10.206:23 inside 192.168.1.100:3130, idle 0:00:37, bytes 173, flags UIO
ciscoasa# sh xlat deb | i 313
TCP PAT from inside:192.168.1.100/3130 to outside:172.18.254.168/30670 flags ri idle 0:02:41 timeout 0:00:30
ciscoasa#
- The TCP conn has been idle (no packets received) for 37 seconds.
- The last TCP conn created sourced from 192.168.1.100/3130 was 2 minutes and 41 seconds ago.
- The 30 second xlate timeout will begin when the last conn is removed.
Static NAT Example Output:
ciscoasa(config)# sh conn | i 23
TCP outside 10.10.10.206:23 inside 192.168.1.150:62470, idle 0:00:05, bytes 259, flags UIO
ciscoasa(config)# sh xlat deb | i 2.150
NAT from inside:192.168.1.150 to outside:172.18.254.252 flags s idle 0:01:37 timeout 0:00:00
ciscoasa(config)#
- The TCP conn has been idle (no packets received) for 5 seconds.
- The last TCP conn created sourced from 192.168.1.100 was 1 minutes and 37 seconds ago.
- There is no xlate timeout because a static NAT translation is configured.
Dynamic NAT Example Output:
ciscoasa(config)# sh conn | i 1.150
TCP outside 10.10.10.206:23 inside 192.168.1.150:26631, idle 0:00:58, bytes 175, flags UIO
ciscoasa(config)# sh xlat deb | i 1.150
NAT from inside:192.168.1.150 to outside:172.18.254.253 flags i idle 0:01:08 timeout 3:00:00
ciscoasa(config)#
- The TCP conn has been idle (no packets received) for 58 seconds.
- The last TCP conn created sourced from 192.168.1.100 was 1 minutes and 8 seconds ago.
- The 3 hour xlate timeout will begin when the last conn is removed.
