4.Cisco ASA Per-Session vs Multi-Session PAT



Since ASA version 9.x there are some changes to PAT (Port Address Translation). We now have two types of PAT:

  • Per-Session PAT
  • Multi-Session PAT

When a PAT session ends we have two options:

  • Per-Session PAT removes the translation entry immediately.
  • Multi-Session PAT will wait for 30 seconds (default timeout) before removing the translation entry.

Cisco recommends to use Per-Session PAT for hit-and-run traffic like HTTP or HTTPS so you can avoid having a lot of translations entries that are waiting for the 30 second timeout to expire. You shouldn’t use it for realtime traffic like VoIP.

The reason to use Per-Session PAT is scalability…without it, the connection rate is about 2000 per second. If you enable it, the connection rate is about 65535 / average lifetime.

The ASA firewall will use per-session PAT by default. You can find the following rules in the configuration:

ASA1# show run | include xlate per-session
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

As you can see, Per-Session PAT is enabled for all TCP and UDP traffic.

Something to keep in mind is that since ASA version 9.x, the keyword “any” means IPv4 + IPv6 traffic. If you want to match IPv4 traffic you should use “any4” and for IPv6 you need to use “any6”.

We will take a look to see how this works on a real ASA firewall. I’ll use the following topology to demonstrate this:

ASA1 Inside Outside

We will use R1 and R2 as hosts so that we can generate some traffic. The ASA has the following basic configuration:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

We use two interfaces and PAT for traffic from the inside headed towards the outside. To see how the ASA firewall deals with our PAT translations we can enable a debug:

ASA1# debug nat 255
debug nat  enabled at level 255

Now I’ll telnet from R1 to R2 to generate some traffic:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Password:
R2>

You will see the following debug message on the ASA:

ASA1# nat: locking pool range 192.168.2.254-192.168.2.254, refcnt 0
nat: policy lock 0x0xad8826e8, old count is 1
nat: translation - INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 (xp:0xab2b3980, policy:0xad8826e8)

It translated our traffic between R1 and R2, we can also verify this with the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/48016 to OUTSIDE:192.168.2.254/48016 flags ri idle 0:00:50 timeout 0:00:30

Now let’s kill the telnet session:

R2>exit

[Connection to 192.168.2.2 closed by foreign host]

As soon as I close the telnet session you will see this debug message on the ASA:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

It removes the translation entry right away, we can also confirm this with the show xlate command:

ASA1# show xlate
0 in use, 1 most used

So that’s how Per-Session PAT works…the translation was removed immediately as soon as I closed the TCP session. Now let’s try Multi-Session PAT shall we?

1.Multi-Session PAT

We’ll keep it simple so I will remove the entry that enables Per-Session PAT for all TCP traffic and then enable Multi-Session PAT:

ASA1(config)# no xlate per-session permit tcp any4 any4
ASA1(config)# xlate per-session deny tcp any4 any4

Now let’s telnet from R1 to R2:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

User Access Verification

Password:
R2>

You will see the translation entry that is created if you left the debug enabled:

ASA1#
nat: translation - INSIDE:192.168.1.1/19674 to OUTSIDE:192.168.2.254/19674 (xp:0xab2b3980, policy:0xad8826e8)

And we can see it here:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/19674 to OUTSIDE:192.168.2.254/19674 flags ri idle 0:00:56 timeout 0:00:30

Now we will kill the telnet session:

R2>exit

[Connection to 192.168.2.2 closed by foreign host]

Now it will take 30 seconds before the translation entry will be removed, it’s still in the NAT table here:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/44115 to OUTSIDE:192.168.2.254/44115 flags ri idle 0:00:03 timeout 0:00:30

Once 30 seconds have expired you will see this debug message:

ASA1# nat: policy unlock 0x0xad8826e8, old count is 2
nat: unlocking pool range 192.168.2.254-192.168.2.254, refcnt 1

And that’s it…you have now seen the difference between Per-Session PAT and Multi-Session PAT. I hope this lesson has been useful to understand this, if you have any questions feel free to leave a comment.


Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more