Content created by Rene Molenaar (CCIE #41726)

 



Forum Replies

  1. Hi John,

    With multi-session PAT you can have about 2000 connections using one IP address for PAT, this is because of the 30 second timeout. With per session PAT we don’t have this timeout so we can have a lot more connections using the same public IP address.

    Rene

  2. Hi
    I am running ASAv version 9.6.
    When I run the command “show run | in xlate per-session”, the output is showing all deny rules. But in your output it is showing all permit. Any idea why I am seeing all deny?

    ASAv# show run | include xlate per-session
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain

  3. Hmm I think it depends on your platform and/or ASA version. Here’s a 5506 running ASA 9.5 with a fresh config:

    ASA# show running-config all | include xlate
    xlate per-session permit tcp any4 any4
    xlate per-session permit tcp any4 any6
    xlate per-session permit tcp any6 any4
    xlate per-session permit tcp any6 any6
    xlate per-session permit udp any4 any4 eq domain
    xlate per-session permit udp any4 any6 eq domain
    xlate per-session permit udp any6 any4 eq domain
    xlate per-session permit udp any6 any6 eq domain
    

    Per-session is enabled by default. With your deny statemen

    ... Continue reading in our forum

  4. Hello Chris

    Multi-session PAT is the default configuration within an ASA device. Any PAT translations that exist are kept open for 30 seconds before being flushed out. The reason for this is that it takes CPU power and resources to tear down and to reinitialize a PAT translation, so if a session that has ended restarts sending using the same translation and ports within those 30 seconds, there is no need to re-establish the connection, the translation already exists.

    Per-session PAT is an improvement to this default because it quickly frees up translated port

    ... Continue reading in our forum
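Added example, not part of the forum thread and not Cisco's code: a small Python audit that reads `xlate per-session` lines like those quoted in replies 2 and 3 and reports which PAT mode a flow gets. It assumes rules are checked in order with the first match deciding, that `permit` selects per-session PAT and `deny` selects multi-session PAT, and that unmatched traffic uses multi-session PAT; the function names and the three sample flows are constructed for illustration.

```python
import re

# Matches only the rule forms quoted in the replies above (any4/any6, optional "eq").
RULE = re.compile(r"^\s*xlate per-session (permit|deny) (tcp|udp) "
                  r"(any4|any6) (any4|any6)(?: eq (\S+))?\s*$")
PORT_NAMES = {"domain": 53}  # the only named port used on this page


def sample(action):
    """Constructed input: the eight rules from the replies, with one action."""
    fams = [("any4", "any4"), ("any4", "any6"), ("any6", "any4"), ("any6", "any6")]
    lines = ["ASA# show running-config all | include xlate"]
    lines += [f"xlate per-session {action} tcp {s} {d}" for s, d in fams]
    lines += [f"xlate per-session {action} udp {s} {d} eq domain" for s, d in fams]
    return "\n".join(lines)


def parse_rules(text):
    """Return (action, proto, src, dst, port) tuples in configuration order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            action, proto, src, dst, port = m.groups()
            if port is not None:
                port = int(PORT_NAMES.get(port, port))  # unknown names raise ValueError
            rules.append((action, proto, src, dst, port))
    return rules


def pat_mode(rules, proto, src, dst, dport):
    """First matching rule decides (assumed semantics, see lead-in)."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto, r_src, r_dst) == (proto, src, dst) and r_port in (None, dport):
            return "per-session" if action == "permit" else "multi-session"
    return "multi-session"  # assumption: unmatched traffic uses multi-session PAT


def audit(text):
    """Report the PAT mode of three constructed IPv4 flows."""
    rules = parse_rules(text)
    flows = {"tcp/443": ("tcp", 443), "udp/53": ("udp", 53), "udp/5060": ("udp", 5060)}
    return {name: pat_mode(rules, p, "any4", "any4", port)
            for name, (p, port) in flows.items()}


if __name__ == "__main__":
    for action in ("deny", "permit"):
        print(action, audit(sample(action)))
```
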
