Introduction To put it simply, the idle timer in the conn output shows the time     since the last packet. The idle timer in the xlate shows the time     since the last conn. The timeout value in the xlate output begins when the last conn     associated with the xlate is torn down.   Dynamic PAT Example Output: ciscoasa# sh conn | i 23      TCP outside 10.10.10.206:23 inside 192.168.1.100:3130, idle 0:00:37, bytes 173, flags UIO ciscoasa#          sh xlat deb | i 313 TCP PAT from inside:192.168.1.100/3130 to outside:172.18.254.168/30670 flags ri idle 0:02:41 timeout 0:00:30 ciscoasa#   The TCP conn has been idle (no packets received) for 37 seconds. The last TCP conn created sourced from 192.168.1.100/3130 was 2 minutes and 41 seconds ago. The 30 second xlate timeout will begin when the last conn is removed.   Static NAT Example Output: ciscoasa(config)# sh conn | i 23       TCP outside 10.10.10.206:23 inside 192.168.1.150:62470, idle 0:00:05 , bytes 259, flags UIO ciscoasa(config)# sh xlat deb | i 2.150 NAT from inside:192.168.1.150 to outside:172.18.254.252 flags s idle 0:01:37 timeout 0:00:00 ciscoasa(config)#   The TCP conn has been idle (no packets received) for 5 seconds. The last TCP conn created sourced from 192.168.1.100 was 1 minutes and 37 seconds ago. There is no xlate timeout because a static NAT translation is configured.   Dynamic NAT Example Output:   ciscoasa(config)# sh conn | i 1.150    TCP outside 10.10.10.206:23 inside 192.168.1.150:26631, idle 0:00:58 , bytes 175, flags UIO ciscoasa(config)# sh xlat deb | i 1.150 NAT from inside:192.168.1.150 to outside:172.18.254.253 flags i idle 0:01:08 timeout 3:00:00 ciscoasa(config)#     The TCP conn has been idle (no packets received) for 58 seconds. The last TCP conn created sourced from 192.168.1.100 was 1 minutes and 8 seconds ago. The 3 hour xlate timeout will begin when the last conn is removed. ... View more

Question: Why is there both NAT and PAT entries in the xlate table for the same local IP address? This write-up will focus on ASA and ASASM version 8.3 and above. It does NOT focus on similar behavior in version 8.2 or before, or the FWSM. Short Answer: A dynamic NAT global object-group must contain both host-based and range/subnet-based objects. The ASA will first allocate all the range/subnet IP addresses as 1:1 NAT mappings. Next, it will allocate the host IP addresses as N:1 PAT mappings. Finally, after a N:1 PAT xlate is created, a global IP in the 1:1 pool is freed and used. The PAT xlate will not be transitioned when the NAT xlate is built because it would break the connection. Long Answer: The the below xlate output for a single inside IP address. This can be obtained with either the 'show local-host 10.1.1.10' command or the 'show xlate local 10.1.1.10' command. NAT from inside:10.173.64.136 to outside:31.203.253.30 flags i idle 0:00:01 timeout 0:04:00 TCP PAT from inside:10.173.64.136/52093 to outside:212.43.23.243/22824 flags ri idle 0:11:41 timeout 0:00:30 The related NAT configuration is as follows: object network obj- host 1.1.1.1 object network obj- range 2.2.2.1 2.2.2.10 ! object-group network global_outside   network-object object obj-1.1.1.1   network-object object obj-2.2.2.1-2.2.2.10 ! object network obj-10.1.1.10 host 10.1.1.10   nat (inside,outside) dynamic global_outside Note that the "global_outside" object-group contains both host-based objects and range-based objects. Also note that we are using a dynamic Network Object NAT rule. When these are configured together, the range-based objects imply 1:1 NAT, while host-based objects imply N:1 PAT. The NAT engine will prioritize the 1:1 IP address range mappings before allocating any PAT. Once the IP addresses in the range are allocated, PAT will be used to the host-based object in the pool. Keep in mind that existing xlates are checked prior to the NAT rule  table when building new connections. If a matching xlate exists (such as  a 1:1 Dynamic NAT), then the ASA will use that entry for the  translation. If there is no matching xlate built and all the IP ranges  are used up, then the ASA will fallback to PAT. Since PAT mappings are  very specific, in the case of TCP they will generally only exist for the  duration of the TCP session. After the TCP session is torn down, the 30  second idle timer will quickly remove the PAT xlate. Now lets assume that all the IP addresses in all the global pool ranges  are in use. This means that the ASA will need to utilize one of the  host-based objects in the pool for PAT. That PAT xlate will remain up  until that connection is removed. However, if an IP address in the  global 1:1 pool becomes available, the ASA will use that for the next  connection and all new connections until it times out. When this xlate  is built, the ASA cannot retroactively move the existing PAT xlates to  the new 1:1 mapping. This would break the connection. So instead, the  old conn and xlate must endure until completion. Here is an example series of events. Assume all connections are from Inside to Outside. 1) ASA receives a new SYN packet building a conn:   10.1.1.10/12345 to 3.3.3.3/80 2) Check for existing xlate fails, no matching xlate in the table. The ASA must build a new xlate for this connection. 3) The matching NAT rule contains both IP host objects and range objects (see above config) 4) NAT engine checks nat pool ranges for available 1:1 dynamic mapping... Fails. 5) NAT engine checks nat pool hosts for available N:1 dynamic mapping... Success! A dynamic PAT xlate is built for this connection. Ex:    TCP PAT from inside:10.1.1.10/12345 to outside:1.1.1.1/12345 flags ri idle 0:11:41 timeout 0:00:30 6) ASA receives a new SYN packet building a conn:   10.1.1.10/12345 to 4.4.4.4/80 7) Check for existing xlate fails, no matching xlate in the table. The ASA must build a new xlate for this connection. 8) This time, the NAT engine checks nat pool ranges for available 1:1 dynamic mapping... Success! A dynamic 1:1 NAT xlate is built. Ex:   NAT from inside:10.1.1.10 to outside:2.2.2.7 flags i idle 0:00:01 timeout 0:04:00 Final 'show local 10.1.1.10' output:    Xlate:      NAT from inside:10.1.1.10 to outside:2.2.2.7 flags i idle 0:00:01 timeout 1:00:00      TCP PAT from inside:10.1.1.10/12345 to outside:1.1.1.1/12345 flags ri idle 0:11:41 timeout 0:00:30    Conn:      TCP outside 3.3.3.3/80 inside 10.1.1.10/12345, idle 0:00:01, bytes 103587, flags UIO      TCP outside 4.4.4.4/80 inside 10.1.1.10/12345, idle 0:05:53, bytes 9937, flags UIO ... View more

Introduction This is a basic configuration example of Transparent Mode configuration on an ASA 5505. This configuration is only valid in version 8.4 and later since it utilizes bridge-groups. Configuration Example interface Ethernet0/0   switchport access vlan 10 ! interface Ethernet0/1   switchport access vlan 20 ! interface Vlan10   nameif outside   bridge-group 1   security-level 0 ! interface Vlan20   nameif inside   bridge-group 1   security-level 100 ! interface BVI1   ip address 10.10.10.10 255.255.255.0 ! route outside 0.0.0.0 0.0.0.0 10.10.10.1 route inside 192.168.1.0 255.255.255.0 10.10.10.254 ! http 0.0.0.0 0.0.0.0 inside Notes In order to enable ASDM access, the http command must be configured for a named interface. In the example above, access has been enabled for all IP addresses on the inside interface. Routing is important in transparent mode to ensure inspection functionality. Many of the ASA's inspections rely on the routing table. In this example, there is a default route configured outside and a route to the 192.168.1.0/24 subnet configured inside. ... View more