FWSM - No Nat Control

Apr 24th, 2008

When using no nat control on a FWSM, I would assume that the xlate table (sh xlate) should be empty.


Is this correct? I am seeing some one-to-one entries in the xlate. I am not seeing every single host, only approx. 200 out of 5000 potential hosts.

Can someone confirm this?


Thanks,


Jon


htarra Wed, 04/30/2008 - 09:18

No, using no nat control only disables strict nat being applied to the traffic traversing the firewall. If a nat policy is there it will still be applied and there will be entries in sh xlate.

jon.humphries Thu, 05/15/2008 - 23:48

I am not using any nat in the config. All references have been removed. In my opinion I shouldn't be seeing xlates if there are no nat policies configured.

Correct Answer
Syed Iftekhar Ahmed Fri, 05/16/2008 - 22:43

By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. To avoid running into the maximum NAT session limit, you can disable NAT sessions for untranslated traffic (called xlate bypass).

To enable xlate bypass, enter the following command:

hostname(config)# xlate-bypass

Syed
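A small check, added here as an example and not from the thread or from Cisco, that classifies the lines of a constructed `show xlate` listing into untranslated identity entries (Global equals Local), one-to-one translations and PAT, so you can tell whether the entries you are seeing are the NAT-less sessions that `xlate-bypass` removes. The line format is assumed to be the PIX/ASA-style "Global <ip> Local <ip>" output.

```python
import re
from collections import Counter

# Constructed sample of FWSM "show xlate" output (assumed PIX/ASA-style
# "Global <ip> Local <ip>" lines); not taken from the thread.
SAMPLE_SHOW_XLATE = """\
4 in use, 212 most used
Global 10.20.30.5 Local 10.20.30.5
Global 10.20.30.6 Local 10.20.30.6
Global 203.0.113.10 Local 10.20.30.7
PAT Global 203.0.113.11(1024) Local 10.20.30.8(3381)
"""

# Optional "PAT " prefix, then Global/Local addresses with optional "(port)".
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<glob>[\d.]+)(?:\(\d+\))? "
    r"Local (?P<loc>[\d.]+)(?:\(\d+\))?"
)


def classify_xlates(text):
    """Count xlate kinds: 'identity' (Global == Local, i.e. an untranslated
    session that xlate-bypass would not create), 'static' (1:1 translated)
    and 'pat' (port-translated)."""
    counts = Counter()
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # header line such as "4 in use, 212 most used"
        if m.group("pat"):
            counts["pat"] += 1
        elif m.group("glob") == m.group("loc"):
            counts["identity"] += 1
        else:
            counts["static"] += 1
    return counts


def bypass_recommended(counts, identity_share=0.5):
    """True when at least identity_share of the xlates carry no translation,
    meaning the table is being consumed by sessions that need no NAT."""
    total = sum(counts.values())
    return total > 0 and counts["identity"] / total >= identity_share


if __name__ == "__main__":
    c = classify_xlates(SAMPLE_SHOW_XLATE)
    print(dict(c), "xlate-bypass recommended:", bypass_recommended(c))
```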

jon.humphries Mon, 05/19/2008 - 00:44

Thanks Syed,

I found out this command the last time I was on site, but your explanation confirms my actions.

Thanks,

Jon
