FWSM - No Nat Control

Answered Question
Apr 24th, 2008

When using no nat control on a FWSM, I would assume that the xlate table (sh xlate) should be empty.

Is this correct as I am seeing some one to one entries in the xlate. I am not seeing every single host, only approx 200 out of 5000 potential hosts.

Can someone confirm this ?

Thanks,

Jon

I have this problem too.
0 votes
Correct Answer by Syed Iftekhar Ahmed about 8 years 8 months ago

By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. To avoid running into the maximum NAT session limit, you can disable NAT sessions for untranslated traffic (called xlate bypass).

To enable xlate bypass, enter the following command:

hostname(config)# xlate-bypass

Syed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
htarra Wed, 04/30/2008 - 09:18

No , using no nat control onlt disables strict nat to be applied on the traffic traversing through the firewall. If a nat policy is there it will still be applied and there will be entries in sh xlate.

jon.humphries Thu, 05/15/2008 - 23:48

I am not using any nat in the config. All references have been removed. In my opinion I shouldn't be seeing xlates if there is no nat policies configured.

Correct Answer
Syed Iftekhar Ahmed Fri, 05/16/2008 - 22:43

By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. To avoid running into the maximum NAT session limit, you can disable NAT sessions for untranslated traffic (called xlate bypass).

To enable xlate bypass, enter the following command:

hostname(config)# xlate-bypass

Syed

jon.humphries Mon, 05/19/2008 - 00:44

Thanks Syed,

I found out this command the last time I was on site, but your explanation confirms my actions.

Thanks,

Jon

Actions

This Discussion