Since ASA version 9.x, there have been some changes to PAT (Port Address Translation). We now have two types of PAT:
- Per-Session PAT
- Multi-Session PAT
When a PAT session ends, we have two options:
- Per-Session PAT removes the translation entry immediately.
- Multi-Session PAT will wait for 30 seconds (default timeout) before removing the translation entry.
Cisco recommends using Per-Session PAT for hit-and-run traffic like HTTP or HTTPS so you can avoid having a lot of translation entries that are waiting for the 30-second timeout to expire. You shouldn’t use it for real-time traffic like VoIP.
The reason to use Per-Session PAT is scalability: without it, the connection rate is about 2000 per second. If you enable it, the connection rate is about 65535 / average lifetime.
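To see where those two numbers come from, here is an added simulation (written for this page, not code from the original post or from Cisco) of a single PAT address whose ports are either recycled the moment a session closes (per-session) or only after the 30-second timeout (multi-session). It assumes a pool of 65535 ports, all usable, and that a session that finds no free port is simply dropped.

```python
from collections import deque

# Assumptions (not from the original post): one PAT address with a pool of
# 65535 ports, every port usable, and a session that finds no free port is dropped.
PAT_PORTS = 65535
MULTI_SESSION_HOLD = 30   # seconds an xlate lingers after the session closes (ASA default)
PER_SESSION_HOLD = 0      # per-session PAT frees the port the moment the session ends

def max_sustained_rate(avg_lifetime, hold):
    """Connections per second the pool can sustain when each xlate occupies a
    port for avg_lifetime + hold seconds (the post's 65535 / lifetime rule)."""
    return PAT_PORTS / (avg_lifetime + hold)

def simulate_pat(rate, lifetime, hold, duration=120):
    """Offer `rate` new TCP sessions per second for `duration` seconds, each
    lasting `lifetime` seconds. A port stays allocated until lifetime + hold
    seconds after the session started. Returns (accepted, refused)."""
    in_use = deque()      # release times of allocated ports, in ascending order
    accepted = refused = 0
    for i in range(int(rate * duration)):
        now = i / rate
        while in_use and in_use[0] <= now:   # expire xlates whose hold time is over
            in_use.popleft()
        if len(in_use) < PAT_PORTS:
            in_use.append(now + lifetime + hold)
            accepted += 1
        else:
            refused += 1                      # port pool exhausted
    return accepted, refused

if __name__ == "__main__":
    for label, hold in (("per-session", PER_SESSION_HOLD), ("multi-session", MULTI_SESSION_HOLD)):
        acc, ref = simulate_pat(rate=2500, lifetime=1, hold=hold)
        print(f"{label:14s} 2500 conn/s, 1 s sessions: accepted={acc} refused={ref} "
              f"(sustainable ~{max_sustained_rate(1, hold):.0f}/s)")
```

At 2500 short sessions per second the multi-session pool is exhausted after about 26 seconds, while the per-session pool never holds more than 2500 ports.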
The ASA firewall will use per-session PAT by default. You can find the following rules in the configuration:
ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
As you can see, Per-Session PAT is enabled for all TCP traffic and for UDP DNS traffic.
any means IPv4 + IPv6 traffic. If you only want to match IPv4 traffic you should use any4, and for IPv6 you need to use any6.
We will take a look at how this works on a real ASA firewall. I’ll use the following topology to demonstrate this:
We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:
ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations, we can enable a debug:
ASA1# debug nat 255
debug nat enabled at level 255
Now I’ll telnet from R1 to R2 to generate some traffic:
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Password:
R2>
You will see the following debug message on the ASA:
ASA1#
nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 (xp:0xab2b3980, policy:0xad8826e8)
It translated our traffic between R1 and R2. We can also verify this with the show xlate command:
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30
Now let’s kill the telnet session:
R2>exit

[Connection to 192.168.2.2 closed by foreign host]
As soon as I close the telnet session, you will see this debug message on the ASA:
ASA1#
nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1
It removes the translation entry right away. We can also confirm this with the show xlate command:
ASA1# show xlate
0 in use, 1 most used
So that’s how Per-Session PAT works: the translation was removed immediately after I closed the TCP session.
Now, let’s try Multi-Session PAT, shall we? We’ll keep it simple, so I will remove the entry that enables Per-Session PAT for all TCP traffic and then enable Multi-Session PAT: