Cisco ASA Per-Session vs Multi-Session PAT

Since ASA version 9.x there are some changes to PAT (Port Address Translation). We now have two types of PAT:

  • Per-Session PAT
  • Multi-Session PAT

When a PAT session ends we have two options:

  • Per-Session PAT removes the translation entry immediately.
  • Multi-Session PAT will wait for 30 seconds (default timeout) before removing the translation entry.

Cisco recommends Per-Session PAT for hit-and-run traffic like HTTP or HTTPS, so you avoid having a lot of translation entries waiting for the 30 second timeout to expire. You shouldn’t use it for real-time traffic like VoIP.

The reason to use Per-Session PAT is scalability: without it, the connection rate is about 2000 per second. If you enable it, the connection rate is about 65535 / average lifetime.

The ASA firewall will use per-session PAT by default. You can find the following rules in the configuration:

ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

As you can see, Per-Session PAT is enabled for all TCP and UDP traffic.

Something to keep in mind is that since ASA version 9.x, the keyword “any” means IPv4 + IPv6 traffic. If you want to match IPv4 traffic you should use “any4” and for IPv6 you need to use “any6”.
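To see how these rules decide the PAT mode for a given flow, here is an added example (it is not Cisco code and not part of the original article). It parses the rule list shown above and classifies a flow by protocol, address family of source and destination, and destination port. The evaluation order (top-down, first match), the meaning of permit (per-session) and deny (multi-session), and the fallback to multi-session PAT for flows that match no rule are assumptions made for the example; only the rule shape the article shows (src/dst as any, any4 or any6, optional "eq <port>") is parsed.

```python
"""Classify a flow as per-session or multi-session PAT from the ASA's
``xlate per-session`` rules.

Added example, not Cisco's code. Assumptions (not stated on the page):
rules are evaluated top-down and the first match wins; ``permit`` puts
the flow under per-session PAT and ``deny`` under multi-session PAT;
a flow that matches no rule falls back to multi-session PAT. Only the
rule shape shown in the article is parsed:
  xlate per-session {permit|deny} {tcp|udp} <src> <dst> [eq <port>]
where <src> and <dst> are any, any4 or any6.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the default rule set shown in the article.
DEFAULT_RULES = """\
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
"""

# Service keyword used by the page; 'domain' is DNS on port 53.
SERVICE_PORTS = {"domain": 53}


@dataclass
class Rule:
    action: str           # "permit" (per-session) or "deny" (multi-session)
    proto: str            # "tcp" or "udp"
    src: str              # any / any4 / any6
    dst: str              # any / any4 / any6
    dport: Optional[int]  # destination port from "eq <port>", or None


def parse_rules(text: str) -> List[Rule]:
    """Parse 'show run | include xlate per-session' output into Rule objects."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["xlate", "per-session"] or len(parts) < 6:
            continue
        action, proto, src, dst = parts[2:6]
        dport = None
        if len(parts) >= 8 and parts[6] == "eq":
            dport = SERVICE_PORTS.get(parts[7]) or int(parts[7])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def _family_matches(keyword: str, address: str) -> bool:
    """'any' matches both families; 'any4'/'any6' match one (post-9.x semantics)."""
    version = ipaddress.ip_address(address).version
    return keyword == "any" or keyword == f"any{version}"


def pat_mode(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dst_port: int) -> str:
    """Return 'per-session' or 'multi-session' for the given flow."""
    for rule in rules:
        if rule.proto != proto:
            continue
        if not _family_matches(rule.src, src_ip):
            continue
        if not _family_matches(rule.dst, dst_ip):
            continue
        if rule.dport is not None and rule.dport != dst_port:
            continue
        return "per-session" if rule.action == "permit" else "multi-session"
    return "multi-session"  # assumption: unmatched flows use multi-session PAT


if __name__ == "__main__":
    rules = parse_rules(DEFAULT_RULES)
    # The article's telnet from R1 (192.168.1.1) to R2 (192.168.2.2): TCP -> per-session
    print(pat_mode(rules, "tcp", "192.168.1.1", "192.168.2.2", 23))
    # UDP NTP is not covered by the default rules -> multi-session
    print(pat_mode(rules, "udp", "192.168.1.1", "192.168.2.2", 123))
```

Feeding the same parser a rule set where every line says deny (as in the first forum reply below the article) flips every TCP and DNS flow to multi-session, which is a quick way to check what a given box will actually do before relying on the per-session behaviour.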

Let’s take a look at how this works on a real ASA firewall. I’ll use the following topology to demonstrate this:

[Topology: R1 on the INSIDE interface of ASA1, R2 on the OUTSIDE interface]

We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations we can enable a debug:

ASA1# debug nat 255
debug nat  enabled at level 255

Now I’ll telnet from R1 to R2 to generate some traffic:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Password:
R2>

You will see the following debug message on the ASA:

ASA1# nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 (xp:0xab2b3980, policy:0xad8826e8)

It translated our traffic between R1 and R2. We can also verify this with the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30

Now let’s kill the telnet session:

R2>exit

[Connection to 192.168.2.2 closed by foreign host]

As soon as I close the telnet session you will see this debug message on the ASA:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

It removes the translation entry right away. We can also confirm this with the show xlate command:

ASA1# show xlate
0 in use, 1 most used

So that’s how Per-Session PAT works: the translation was removed immediately when I closed the TCP session. Now let’s try Multi-Session PAT, shall we?
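The before/after test above (one xlate while the telnet session is open, none after it is closed) is easy to automate when you have more than one translation to watch. The following is an added example, not part of the original article and not Cisco code: it parses the entry lines of show xlate into records and diffs two snapshots to list the translations that disappeared. The two snapshots are constructed to mirror the article's output, and the parser recognises only the entry shape shown there.

```python
"""Parse ``show xlate`` output and diff two snapshots to see which
translations disappeared, as in the article's test where the TCP PAT
entry vanishes the moment the telnet session is closed.

Added example, not Cisco's code. It recognises only the entry shape
shown in the article:
  TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30
Both snapshots below are constructed to mirror the article's output.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed snapshot: the xlate while the telnet session is open.
XLATE_WHILE_OPEN = """\
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30
"""

# Constructed snapshot: immediately after the session was closed.
XLATE_AFTER_CLOSE = """\
0 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>[^:\s]+):(?P<in_ip>[^/\s]+)/(?P<in_port>\d+) "
    r"to (?P<out_if>[^:\s]+):(?P<out_ip>[^/\s]+)/(?P<out_port>\d+) "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)$"
)
IN_USE_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used$")


def hms_to_seconds(value: str) -> int:
    """Convert an ASA H:MM:SS timer string to seconds."""
    hours, minutes, seconds = (int(x) for x in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


@dataclass(frozen=True)
class Xlate:
    proto: str
    in_if: str
    in_ip: str
    in_port: int
    out_if: str
    out_ip: str
    out_port: int
    flags: str
    idle: int      # seconds
    timeout: int   # seconds

    @property
    def key(self) -> Tuple[str, str, int, str, int]:
        """Identity of a translation: the mapped addresses/ports without timers."""
        return (self.proto, self.in_ip, self.in_port, self.out_ip, self.out_port)

    @property
    def is_dynamic_pat(self) -> bool:
        """Flags 'r' (portmap) and 'i' (dynamic) together mean dynamic PAT."""
        return "r" in self.flags and "i" in self.flags


def parse_show_xlate(text: str) -> List[Xlate]:
    """Turn the entry lines of show xlate into Xlate records (header lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Xlate(
            proto=m["proto"], in_if=m["in_if"], in_ip=m["in_ip"],
            in_port=int(m["in_port"]), out_if=m["out_if"], out_ip=m["out_ip"],
            out_port=int(m["out_port"]), flags=m["flags"],
            idle=hms_to_seconds(m["idle"]), timeout=hms_to_seconds(m["timeout"]),
        ))
    return entries


def in_use(text: str) -> int:
    """Read the 'N in use' counter from the first line of show xlate."""
    for line in text.splitlines():
        m = IN_USE_RE.match(line.strip())
        if m:
            return int(m["in_use"])
    raise ValueError("no 'in use' line found")


def removed_translations(before: str, after: str) -> List[Xlate]:
    """Entries present in the first snapshot but gone in the second."""
    remaining = {e.key for e in parse_show_xlate(after)}
    return [e for e in parse_show_xlate(before) if e.key not in remaining]
```

Run this against two captures taken a few seconds apart: under Per-Session PAT the closed connection's entry shows up in removed_translations right away, while under Multi-Session PAT you would expect it to linger until its 30 second timeout runs out.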

Multi-Session PAT

We’ll keep it simple so I will remove the entry that enables Per-Session PAT for all TCP traffic and then enable Multi-Session PAT:


Forum Replies

  1. Hi
    I am running ASAv version 9.6.
    When I run the command “show run | in xlate per-session”, the output is showing all deny rules. But in your output it is showing all permit. Any idea why I am seeing all deny?

    ASAv# show run | include xlate per-session
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain

  2. Hmm I think it depends on your platform and/or ASA version. Here’s a 5506 running ASA 9.5 with a fresh config:

    ASA# show running-config all | include xlate
    xlate per-session permit tcp any4 any4
    xlate per-session permit tcp any4 any6
    xlate per-session permit tcp any6 any4
    xlate per-session permit tcp any6 any6
    xlate per-session permit udp any4 any4 eq domain
    xlate per-session permit udp any4 any6 eq domain
    xlate per-session permit udp any6 any4 eq domain
    xlate per-session permit udp any6 any6 eq domain
    

    Per-session is enabled by default. With your deny statemen

    ... Continue reading in our forum

  3. I think it would be helpful to hear some of the other use cases for Multi-Session PAT. Surely there are reasons other than VoIP?

    Also, what is the danger to VoIP traffic? I know that I have several fully functioning VoIP deployments in the wild that ended up behind ASAs that I don’t manage myself, and I know they don’t use multi-session PAT. VoIP traffic seems to pass just fine as I’ve had no complaints.

  4. Hello Chris

    Multi-session PAT is the default configuration within an ASA device. Any PAT translations that exist are kept open for 30 seconds before being flushed out. The reason for this is that it takes CPU power and resources to tear down and to reinitialize a PAT translation, so if a session that has ended restarts sending using the same translation and ports within those 30 seconds, there is no need to re-establish the connection, the translation already exists.

    Per-session PAT is an improvement to this default because it quickly frees up translated port

    ... Continue reading in our forum
