6/13/2017 Cisco ASA Per-Session vs Multi-Session PAT | NetworkLessons.com


Cisco ASA Per-Session vs Multi-Session PAT

Since ASA version 9.0(1), there are two types of PAT (Port Address Translation):

Per-Session PAT
Multi-Session PAT

The difference is what happens to the translation entry (xlate) when a connection ends:

Per-Session PAT removes the translation entry immediately: the ASA sends a reset to tear the connection down and frees the xlate, so the PAT port can be reused right away.

Multi-Session PAT keeps the translation entry for the PAT xlate timeout (30 seconds by default) before removing it, so a new connection from the same inside address and source port reuses the same outside port during that window.

Cisco recommends per-session PAT for hit-and-run traffic like HTTP or HTTPS, so you don't end up with a large number of translation entries sitting idle until the 30-second timeout expires. Protocols that open several connections from the same source port and expect a stable mapping, such as VoIP signalling (H.323, SIP, Skinny), need multi-session PAT instead; you exempt that traffic with a per-session deny rule rather than turning per-session PAT off altogether.

The reason to use per-session PAT is scalability. Without it, one PAT address supports a connection rate of roughly 2000 new connections per second: there are at most 65535 ports per address and each one is held for at least the 30-second timeout, and 65535 / 30 is about 2184 per second. With per-session PAT the port is freed as soon as the connection ends, so the rate becomes roughly 65535 divided by the average connection lifetime in seconds; a one-second average lifetime gives about 65000 connections per second from a single address.

The ASA firewall uses per-session PAT by default. You can find the following rules in the configuration:

ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

https://networklessons.com/cisco/asa­firewall/cisco­asa­per­session­vs­multi­session­pat/ 2/9
6/13/2017 Cisco ASA Per­Session vs Multi­Session PAT | NetworkLessons.com

As you can see, per-session PAT is enabled by default for all TCP traffic, but for UDP only for DNS (eq domain). Every other UDP flow uses multi-session PAT.
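The deny rule is the right tool for the recommendation in the introduction. As an added example that is not part of the original lesson, here is the selective configuration a practitioner would use instead of disabling per-session PAT for all TCP: the defaults stay in place, VoIP signalling is carved out, and the multi-session hold time is raised. It assumes the lesson's INSIDE/OUTSIDE interfaces and its "nat (INSIDE,OUTSIDE) dynamic interface" rule; the protocol and port choices (H.323 on TCP 1720, SIP on TCP 5060, Skinny on TCP 2000) and the 60-second "timeout pat-xlate" value are my assumptions for illustration.

```cisco
! Added example, not the lesson's own config. Assumes the INSIDE/OUTSIDE
! interfaces and "nat (INSIDE,OUTSIDE) dynamic interface" from the lesson.
!
! Leave the default "xlate per-session permit tcp any4 any4" in place so
! HTTP/HTTPS and other hit-and-run TCP keeps per-session PAT. Instead, add
! deny rules for the signalling protocols that need multi-session PAT, so
! only those connections keep their xlate for the PAT timeout.
! (h323 = TCP 1720, sip = TCP 5060; the numbers work too if a release
! does not accept the name.)
xlate per-session deny tcp any4 any4 eq h323
xlate per-session deny tcp any4 any4 eq sip
! Skinny (SCCP) listens on TCP 2000 (assumed port); no name is used here.
xlate per-session deny tcp any4 any4 eq 2000
!
! No UDP rule is needed: by default only UDP DNS (eq domain) is per-session,
! so UDP SIP, RTP and everything else already uses multi-session PAT.
!
! Multi-session xlates linger for the PAT xlate timeout after the last
! connection using them closes. The default is 30 seconds and it cannot be
! set lower; 60 seconds here (assumed value) keeps a phone's signalling port
! mapped to the same outside port a little longer between calls.
timeout pat-xlate 0:01:00
!
! Checks (privileged EXEC):
!   show run | include xlate per-session
!     the deny lines should be listed before the default permit lines,
!     since per-session rules are matched in order
!   show xlate
!     after a SIP session closes, its entry stays for up to the configured
!     timeout, while a closed HTTP or telnet entry disappears at once
```

Apply it in configuration mode. If you keep the debug from the lesson running, the difference is visible in the log lines: a closed telnet or HTTP connection prints its policy unlock immediately, a closed SIP connection only after the timeout expires.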

Something to keep in mind is that since ASA version 9.x, the keyword "any" means IPv4 + IPv6 traffic. If you want to match IPv4 traffic you should use "any4" and for IPv6 you need to use "any6".

We will take a look at how this works on a real ASA firewall. I'll use the following topology to demonstrate this: R1 (192.168.1.1) sits on the INSIDE network 192.168.1.0/24 and R2 (192.168.2.2) on the OUTSIDE network 192.168.2.0/24, with the ASA holding .254 on both sides.

We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations we can enable a debug (level 255 is very chatty; do this in a lab, not on a busy production firewall):

ASA1# debug nat 255
debug nat enabled at level 255

Now I'll telnet from R1 to R2 to generate some traffic:


R1#telnet 192.168.2.2 
Trying 192.168.2.2 ... Open 
 
User Access Verification 
 
Password: 
R2>

You will see the following debug message on the ASA:

ASA1# nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016
(xp:0xab2b3980, policy:0xad8826e8)

It translated our traffic between R1 and R2; we can also verify this with the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri
idle 0:00:50 timeout 0:00:30

Notice that the idle time (0:00:50) is already larger than the 30-second timeout: while the telnet connection is open the xlate is owned by that connection and the timeout does not apply; it only matters once the connection is gone. Now let's kill the telnet session:

R2>exit 
 
[Connection to 192.168.2.2 closed by foreign host]

As soon as I close the telnet session you will see this debug message on the ASA:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

It removes the translation entry right away; we can confirm this with the show xlate command:

ASA1# show xlate 
0 in use, 1 most used

So that's how per-session PAT works: the translation was removed the moment I closed the TCP session. Now let's try multi-session PAT.

Multi-Session PAT
To keep it simple, I will remove the default rule that enables per-session PAT for all IPv4 TCP traffic and replace it with a deny rule, so that all TCP traffic falls back to multi-session PAT:

ASA1(config)# no xlate per-session permit tcp any4 any4
ASA1(config)# xlate per-session deny tcp any4 any4

Now let’s telnet from R1 to R2:

R1#telnet 192.168.2.2 
Trying 192.168.2.2 ... Open 
 
User Access Verification 
 
Password: 
R2>

You will see the translation entry that is created if you left the debug enabled:

ASA1#
nat: translation - INSIDE:192.168.1.1/19674 to OUTSIDE:192.168.2.254/19674
(xp:0xab2b3980, policy:0xad8826e8)

And we can see it here: 



ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/19674 to OUTSIDE:192.168.2.254/19674 flags ri
idle 0:00:56 timeout 0:00:30

Now we will kill the telnet session:

R2>exit 
 
[Connection to 192.168.2.2 closed by foreign host]

Now it takes 30 seconds before the translation entry is removed. Right after closing the session it is still in the NAT table, and this time the idle counter is counting toward the 30-second timeout:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/44115 to OUTSIDE:192.168.2.254/44115 flags ri
idle 0:00:03 timeout 0:00:30

Once 30 seconds have expired you will see this debug message:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

And that's it: you have now seen the difference between per-session PAT and multi-session PAT. I hope this lesson has been useful; if you have any questions, feel free to leave a comment.


Tags: NAT, PAT, Security

Notable Replies

johxxn
August 15, 2015

What do you mean by "the connection rate"? "The connection rate is about 2000 per second."

ReneMolenaar
August 18, 2015

Hi John,

With multi-session PAT you can have about 2000 connections using one IP address for PAT; this is because of the 30 second timeout. With per-session PAT we don't have this timeout, so we can have a lot more connections using the same public IP address.

Rene

victor4babs
March 3, 2016

Is there any reason why you would use multi-session PAT rather than Per-Session PAT, or vice versa?

victor4babs
March 3, 2016

Never mind, I found it in your article.

About NetworkLessons.com
Hello there! I'm René Molenaar (CCIE #41726), your main instructor of NetworkLessons.com. I'd like to teach you everything about Cisco, Wireless and Security. I am here to help you master networking!

© 2013 - 2017 NetworkLessons.com