Cisco ASA Series Cli Configuration Manual page 755

Software version 9.0 for the services module

Chapter 1 Information About NAT, NAT Types (Cisco ASA Series CLI Configuration Guide, page 1-9)

Figure 1-7 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back. The mapped address is the same for each translation, but the port is
dynamically assigned.

Figure 1-7 Dynamic PAT
[Figure: three real sockets on the Inside network (10.1.1.1:1025, 10.1.1.1:1026 and 10.1.1.2:1025) are
translated by the security appliance to the single mapped address 209.165.201.1 on the Outside network,
each with its own dynamically assigned port (209.165.201.1:2020, 209.165.201.1:2021 and 209.165.201.1:2022).]

After the connection expires, the port translation also expires. For multi-session PAT, the PAT timeout is
used, 30 seconds by default. For per-session PAT, the xlate is immediately removed. Users on the
destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection
is allowed by an access rule).

Note
For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

Per-Session PAT vs. Multi-Session PAT
The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit
to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the
master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes
the xlate. This reset causes the end node to immediately release the connection, avoiding the
TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.
For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the
connection rate supported by one address. Without the per-session feature, the maximum connection rate
for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the
connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit
from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a
per-session deny rule. See the "Configuring Per-Session PAT Rules" section on page 33-16.

Dynamic PAT Disadvantages and Advantages
Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even
use the ASA interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications that have a data stream that is different
from the control path. See the "Default Settings" section on page 1-4 for more information about NAT
and PAT support.
Dynamic PAT may also create a large number of connections appearing to come from a single IP address,
and servers might interpret the traffic as a DoS attack. You can configure a PAT pool of addresses and
use a round-robin assignment of PAT addresses to mitigate this situation.
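The following is an added example, not Cisco code and not from the original guide: a small Python model of the xlate table behind one dynamic PAT address that makes the per-session versus multi-session trade-off above concrete. It assumes the simplest port allocator (lowest free port first; the ASA's real port-range selection rules are not modelled), a 30 second PAT timeout, 65535 mapped ports per address and IP protocol, and constructed traffic (a fixed number of short connections per second from hypothetical inside hosts 10.1.1.x through mapped address 209.165.201.1). It shows why multi-session PAT tops out near 65535/30 per second while per-session PAT frees each port the moment the connection ends.

```python
"""Toy xlate table for one dynamic PAT address: per-session vs. multi-session.

Added example, not ASA code. Port choice is simplified to "lowest free port";
the real ASA port-range rules are not modelled.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

PAT_TIMEOUT = 30.0   # ASA default multi-session PAT timeout, in seconds
MAX_PORTS = 65535    # mapped ports available per address and IP protocol


def max_connection_rate(avg_lifetime: float, per_session: bool,
                        ports: int = MAX_PORTS) -> float:
    """Upper bound on new connections per second through one PAT address.

    Per-session PAT frees the port as soon as the connection ends (the ASA
    sends a RST), so a port is held for avg_lifetime: ports / avg_lifetime.
    Multi-session PAT keeps the xlate for PAT_TIMEOUT after the connection
    ends, so the port is held for avg_lifetime + PAT_TIMEOUT; with the 30 s
    default that is the ~2000 per second figure the guide quotes.
    """
    hold = avg_lifetime + (0.0 if per_session else PAT_TIMEOUT)
    if hold <= 0:
        raise ValueError("average connection lifetime must be positive")
    return ports / hold


@dataclass
class Xlate:
    real: tuple                        # (real IP, real source port)
    mapped_port: int                   # port on the shared mapped address
    closed_at: Optional[float] = None  # set when the connection ends (multi-session)


class PatAddress:
    """xlate table for one mapped address and one IP protocol."""

    def __init__(self, mapped_ip: str, per_session: bool, ports: int = MAX_PORTS):
        self.mapped_ip = mapped_ip
        self.per_session = per_session
        self.free = deque(range(1, ports + 1))   # simplified allocator
        self.table: dict = {}                    # real (ip, port) -> Xlate

    def expire(self, now: float) -> int:
        """Remove multi-session xlates whose PAT timeout has elapsed."""
        dead = [r for r, x in self.table.items()
                if x.closed_at is not None and now - x.closed_at >= PAT_TIMEOUT]
        for r in dead:
            self.free.append(self.table.pop(r).mapped_port)
        return len(dead)

    def open(self, real: tuple, now: float) -> Optional[int]:
        """New connection from `real`: returns its mapped port, or None when the
        address has no free port left (the ASA would drop the connection)."""
        self.expire(now)
        if real in self.table:
            return self.table[real].mapped_port
        if not self.free:
            return None
        port = self.free.popleft()
        self.table[real] = Xlate(real, port)
        return port

    def close(self, real: tuple, now: float) -> None:
        """The connection from `real` has ended."""
        x = self.table.get(real)
        if x is None:
            return
        if self.per_session:
            # Reset sent, xlate removed at once: port reusable immediately and
            # the end node skips TIME_WAIT.
            del self.table[real]
            self.free.append(x.mapped_port)
        else:
            x.closed_at = now   # port stays reserved until PAT_TIMEOUT passes


def simulate(per_session: bool, rate: int, lifetime: int, seconds: int,
             ports: int) -> dict:
    """Open `rate` hit-and-run connections per second, each lasting `lifetime`
    seconds, through one PAT address with `ports` mapped ports (constructed
    traffic from hypothetical hosts 10.1.1.x)."""
    pat = PatAddress("209.165.201.1", per_session, ports)
    pending = []            # (time the connection ends, real tuple)
    opened = refused = seq = 0
    for now in range(seconds):
        for _end, real in [p for p in pending if p[0] <= now]:
            pat.close(real, now)
        pending = [p for p in pending if p[0] > now]
        for _ in range(rate):
            real = ("10.1.1.%d" % (1 + seq % 250), 1025 + seq // 250)
            seq += 1
            if pat.open(real, now) is None:
                refused += 1
            else:
                opened += 1
                pending.append((now + lifetime, real))
    return {"opened": opened, "refused": refused, "live_xlates": len(pat.table)}


if __name__ == "__main__":
    print("multi-session cap, 30 s timeout:", max_connection_rate(0.0, False))
    print("per-session cap, 1 s lifetime:  ", max_connection_rate(1.0, True))
    # 100 ports, 50 one-second connections per second for 20 s
    print("multi-session:", simulate(False, rate=50, lifetime=1, seconds=20, ports=100))
    print("per-session:  ", simulate(True, rate=50, lifetime=1, seconds=20, ports=100))
```

With a pool of only 100 ports and 50 one-second connections per second, the multi-session table fills after two seconds and then refuses everything until the 30 second timeout starts freeing ports, while the per-session table recycles the same 50 ports every second without a single refusal; the same arithmetic, scaled to 65535 ports, is the difference between roughly 2000 connections per second and 65535/average-lifetime.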