Regarding Clear Xlate command

Jan 1st, 2009

Dear Team,


We are using the Clear Xlate command whenever we add new translation rules, so that the new rules get added to the translation table.

Will it mean that the new translation rules will not get added, OR get added after some specific configured time? If yes, then will it mean that translation will not happen (and the corresponding connections will not work) until it is updated in the translation table?


And when we do Clear Xlate, will all the connections using the translation table drop? If yes, then it means we should not do Clear Xlate.


I am saying the above on the understanding that translation in the firewall happens after the firewall checks the translation table, and if the particular translation entry is not there in the translation table then that connection will not happen.

sachinraja Fri, 01/02/2009 - 06:05

Hello Sukh


You are right.. without an entry in the translation table, the connections won't happen.. actually there are 2 main tables in the ASA, one is the xlate table and the other the conn table.. a single host or server should have one entry in the xlate table, and can have one-to-many entries in the conn table, since there can be more than one session originating from the user's PC.


Now, coming back to your question.. I don't really see the need to do a "clear xlate" when adding NAT entries.. NAT rules are populated in the xlate table when traffic starts flowing from that particular source for which a source NAT is done. If there is no traffic originating from the source, it won't go onto the xlate table. Try doing a ping, telnet etc. from the PC, and it should automatically populate the entry in the xlate table..


And.. clearing xlate entries can be done globally, locally or for a particular IP address.. template:


clear xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]] [gport port1[-port2]] [lport port1[-port2]] [interface if_name] [state state]



You can do a "clear xlate local 192.168.10.1" just to clear that particular xlate entry..


Hope this helps..


Raj

palsukh2002 Sun, 01/04/2009 - 18:55

Thanks Sachin, I got it.


1. Do you mean I can do telnet 5.5.5.5 3389 to see whether the Xlate table is showing the entry if we are accessing 5.5.5.5 at port 3389, OR otherwise will the Xlate table add the entry when the source actually communicates with 5.5.5.5 at 3389 -- right?


2. Doing Clear Xlate will definitely disconnect all the connections currently using the Xlate table --- right?


3. And after doing Clear Xlate globally, normally how long will it take for the Xlate table to get populated again? Will it all depend on the connections made by all the hosts (including the ones which got disconnected due to Clear Xlate), OR is there some fixed time after which the Xlate table will get populated (with old entries)?

godinerik Sun, 01/04/2009 - 19:08

Hi,



This might be obvious, but one thing to keep in mind: if you do "clear xlate", any servers/hosts using a static translation won't get disconnected; however, dynamic sessions will.

sachinraja Mon, 01/05/2009 - 07:52

1. Do you mean I can do telnet 5.5.5.5 3389 to see whether the Xlate table is showing the entry if we are accessing 5.5.5.5 at port 3389, OR otherwise will the Xlate table add the entry when the source actually communicates with 5.5.5.5 at 3389 --


Actually the xlate table will just have the NAT translation.. 1.1.1.1 to 5.5.5.5, say.. port details will be found only in the connection table..


2. Doing Clear Xlate will definitely disconnect all the connections currently using the Xlate table ---


Only the dynamic NAT connections.. static connections will still exist..


3. And after doing Clear Xlate globally, normally how long will it take for the Xlate table to get populated again? Will it all depend on the connections made by all the hosts (including the ones which got disconnected due to Clear Xlate), OR is there some fixed time after which the Xlate table will get populated (with old entries)?


-- It's almost instantaneous.. no one would really feel that the xlate table has been cleared.. the static entries of the servers will still exist.. I don't see a major time for this table to be built up.. anyway, you can do a selective "clear xlate" as told above..


Hope this helps.. all the best..


Raj
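The xlate/conn behaviour the answers above describe (one dynamic xlate per host built on first traffic, many conns per host, "clear xlate" tearing down dynamic translations and their connections while static translations stay, and a selective clear by local address) as a small Python model. This is an added illustration, not code from the thread or from Cisco; the Firewall class, its method names and all addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the two ASA tables discussed in the thread.
# It models the behaviour as the answers describe it, not the real ASA code.
@dataclass
class Firewall:
    nat_rules: dict = field(default_factory=dict)  # local IP -> (global IP, is_static)
    xlate: dict = field(default_factory=dict)      # local IP -> (global IP, is_static), one per host
    conn: list = field(default_factory=list)       # (local, lport, remote, rport), many per host

    def add_nat_rule(self, local, global_ip, static=False):
        """Configure a NAT rule. Static rules get an xlate entry right away;
        dynamic rules only get one when traffic from that host appears."""
        self.nat_rules[local] = (global_ip, static)
        if static:
            self.xlate[local] = (global_ip, True)

    def new_connection(self, local, lport, remote, rport):
        """A host opens a session. Returns False when no translation applies
        (no xlate entry and no rule to build one), so the connection fails."""
        if local not in self.xlate:
            if local not in self.nat_rules:
                return False
            self.xlate[local] = self.nat_rules[local]  # dynamic xlate built on first traffic
        self.conn.append((local, lport, remote, rport))  # ports live only in the conn table
        return True

    def clear_xlate(self, local=None):
        """'clear xlate' (global) or 'clear xlate local <ip>' (selective):
        dynamic xlates are removed and their conns dropped; statics survive."""
        victims = [ip for ip, (_, static) in self.xlate.items()
                   if not static and (local is None or ip == local)]
        for ip in victims:
            del self.xlate[ip]
        self.conn = [c for c in self.conn if c[0] not in victims]
        return victims

if __name__ == "__main__":
    fw = Firewall()
    fw.add_nat_rule("192.168.10.1", "5.5.5.5")              # dynamic (constructed)
    fw.add_nat_rule("10.0.0.5", "5.5.5.6", static=True)     # static server (constructed)
    fw.new_connection("192.168.10.1", 40000, "8.8.8.8", 3389)
    fw.new_connection("10.0.0.5", 3389, "8.8.8.8", 50000)
    print("cleared:", fw.clear_xlate())        # only the dynamic host is torn down
    print("xlate left:", list(fw.xlate))       # static entry remains
    print("conns left:", fw.conn)              # static host's session survives
```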