Configure Per-Session Pat Or Multi-Session Pat - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 9
Network Address Translation (NAT)
Dynamic PAT
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface
destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL
destination static SERVERS SERVERS
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing
outside IPv6 Telnet server 2001:DB8::23, and Dynamic PAT using a PAT pool when accessing any server
on the 2001:DB8:AAAA::/96 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 2001:DB8:AAAA::1 2001:DB8:AAAA::200
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 2001:DB8::23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface ipv6
destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL
destination static SERVERS SERVERS
Configure Per-Session PAT or Multi-Session PAT
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT
for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule
uses multi-session PAT.
Per-session PAT improves the scalability of PAT and, for clustering, allows each member unit to own
PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit.
At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This
reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state.
Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.
For "hit-and-run" traffic, such as HTTP or HTTPS, per-session PAT can dramatically increase the
connection rate supported by one address. Without per-session PAT, the maximum connection rate for
one address for an IP protocol is approximately 2000 per second. With per-session PAT, the connection
rate for one address for an IP protocol is 65535/average-lifetime.
For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable
per-session PAT by creating a per-session deny rule. These rules are available starting with version
9.0(1).
Before You Begin
By default, the following rules are installed:
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
Cisco ASA Series Firewall CLI Configuration Guide
9-25
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
