Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 9      Network Address Translation (NAT)
  History for NAT
Feature Name: Per-session PAT
Platform Releases: 9.0(1)
Description:
The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
We introduced the following commands: xlate per-session, show nat pool.
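The per-session deny rule described above, as an added example that is not part of the Cisco guide. The any4 source and destination and the port numbers (TCP 1720 for H.323, 5060 for SIP, 2000 for Skinny) are assumptions about the deployment; narrow them to the addresses and ports actually in use.

```cisco
! Added example, not from the guide. Addresses and ports are assumptions.
! Entered in global configuration mode.
!
! H.323 call signaling over TCP: keep on multi-session PAT
xlate per-session deny tcp any4 any4 eq 1720
!
! SIP over TCP: keep on multi-session PAT
xlate per-session deny tcp any4 any4 eq 5060
!
! Skinny (SCCP) over TCP: keep on multi-session PAT
xlate per-session deny tcp any4 any4 eq 2000
!
! No UDP rules are added for these protocols: per the default described
! above, only UDP DNS uses a per-session xlate, so other UDP traffic is
! already multi-session.
!
! From privileged EXEC mode, review PAT pool usage after the change.
show nat pool
```

All other TCP traffic, including HTTP and HTTPS, continues to use per-session xlates under the default behavior.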
Feature Name: Transactional Commit Model on NAT Rule Engine
Platform Releases: 9.3(1)
Description:
When enabled, a NAT rule update is applied after the rule compilation is completed, without affecting the rule matching performance.
We added the nat keyword to the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.