Since ASA version 9.x there are some changes to PAT (Port Address Translation). We now have two types of PAT:
- Per-Session PAT
- Multi-Session PAT
When a PAT session ends we have two options:
- Per-Session PAT removes the translation entry immediately.
- Multi-Session PAT will wait for 30 seconds (default timeout) before removing the translation entry.
Cisco recommends to use Per-Session PAT for hit-and-run traffic like HTTP or HTTPS so you can avoid having a lot of translations entries that are waiting for the 30 second timeout to expire. You shouldn’t use it for realtime traffic like VoIP.
The reason to use Per-Session PAT is scalability…without it, the connection rate is about 2000 per second. If you enable it, the connection rate is about 65535 / average lifetime.
The ASA firewall will use per-session PAT by default. You can find the following rules in the configuration:
ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
As you can see, Per-Session PAT is enabled for all TCP and UDP traffic.
Something to keep in mind is that since ASA version 9.x, the keyword “any” means IPv4 + IPv6 traffic. If you want to match IPv4 traffic you should use “any4” and for IPv6 you need to use “any6”.
We will take a look to see how this works on a real ASA firewall. I’ll use the following topology to demonstrate this:
We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:
ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations we can enable a debug:
ASA1# debug nat 255
debug nat enabled at level 255
Now I’ll telnet from R1 to R2 to generate some traffic:
Trying 192.168.2.2 ... Open
User Access Verification
You will see the following debug message on the ASA:
ASA1# nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 (xp:0xab2b3980, policy:0xad8826e8)
It translated our traffic between R1 and R2, we can also verify this with the show xlate command:
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30
Now let’s kill the telnet session:
[Connection to 192.168.2.2 closed by foreign host]
As soon as I close the telnet session you will see this debug message on the ASA:
ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1
It removes the translation entry right away, we can also confirm this with the show xlate command:
ASA1# show xlate
0 in use, 1 most used
So that’s how Per-Session PAT works…the translation was removed immediately as soon as I closed the TCP session. Now let’s try Multi-Session PAT shall we?
We’ll keep it simple so I will remove the entry that enables Per-Session PAT for all TCP traffic and then enable Multi-Session PAT:
Copyright protected by Digiprove © 2014-2016 Rene Molenaar