Cisco ASA Per-Session vs Multi-Session PAT

Since ASA version 9.x, there have been some changes to PAT (Port Address Translation). We now have two types of PAT:

  • Per-Session PAT
  • Multi-Session PAT

When a PAT session ends, we have two options:

  • Per-Session PAT removes the translation entry immediately.
  • Multi-Session PAT will wait for 30 seconds (default timeout) before removing the translation entry.

Cisco recommends using Per-Session PAT for hit-and-run traffic like HTTP or HTTPS so you can avoid having a lot of translation entries that are waiting for the 30-second timeout to expire. You shouldn’t use it for real-time traffic like VoIP.

The reason to use Per-Session PAT is scalability…without it, the connection rate is about 2000 per second. If you enable it, the connection rate is about 65535 / average lifetime.

The ASA firewall will use per-session PAT by default. You can find the following rules in the configuration:

ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

As you can see, Per-Session PAT is enabled for all TCP and UDP traffic.

Something to keep in mind is that since ASA version 9.x, the keyword any means IPv4 + IPv6 traffic. If you want to match IPv4 traffic you should use any4 and for IPv6 you need to use any6.

Configuration

We will take a look to see how this works on a real ASA firewall. I’ll use the following topology to demonstrate this:

ASA1 Inside Outside

Per-Session PAT

We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations, we can enable a debug:

ASA1# debug nat 255
debug nat  enabled at level 255

Now I’ll telnet from R1 to R2 to generate some traffic:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Password:
R2>

You will see the following debug message on the ASA:

ASA1# nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 (xp:0xab2b3980, policy:0xad8826e8)

It translated our traffic between R1 and R2. We can also verify this with the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30

Now let’s kill the telnet session:

R2>exit

[Connection to 192.168.2.2 closed by foreign host]

As soon as I close the telnet session, you will see this debug message on the ASA:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

It removes the translation entry right away. We can also confirm this with the show xlate command:

ASA1# show xlate
0 in use, 1 most used

So that’s how Per-Session PAT works…the translation was removed immediately after I closed the TCP session.

Multi-Session PAT

Now, let’s try Multi-Session PAT, shall we? We’ll keep it simple, so I will remove the entry that enables Per-Session PAT for all TCP traffic and then enable Multi-Session PAT:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 800 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
527 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: , ,


Forum Replies

  1. what do you mean by “the connection rate” ? the connection rate is about 2000 per second

  2. Hi John,

    With multi-session PAT you can have about 2000 connections using one IP address for PAT, this is because of the 30 second timeout. With per session PAT we don’t have this timeout so we can have a lot more connections using the same public IP address.

    Rene

  3. Is there any reason why you would use multi-session PAT rather than Per-Session PAT, or vice versa?

  4. Never mind, I found it in your article.

  5. Hi
    I am running ASAv version 9.6.
    when I run the command “show run | in xlate per-session”, the output is showing all deny rules. But in your output it is showing all permit. Any idea why I am seeing all deny

    ASAv# show run | include xlate per-session
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain

9 more replies! Ask a question or join the discussion by visiting our Community Forum