clearing dynamic vs static translations

Unanswered Question
Jun 24th, 2010

I've always been told that anytime a NAT or Static statement is added, removed, or changed, that we should follow up our config by the "clear xlate" command. I've seen Cisco docs that say to do this, and I've also seen Cisco docs saying that "clear xlate" is only for clearing dynamic translation, and that you should use the "clear local-host" command if you remove a static from the config. Cisco doc also says "Always clear xlates after you add, change, or remove the aaa-server, access-list, alias, global, nat, route, or static commands in your configuration", however, that seems to contrast when they say that clear xlate is only for dynamic translations. So I'm looking for opinions/knowledge on exactly what is needed and when.

First, if I remove a static translation from the config, what should I be doing to make sure it's disappeared from the xlate table? Should I use the same command if I add or change a static, are there different requirements if I'm adding vs changing existing? If I'm adding a brand new static statement, I don't get what doing a "clear xlate" is buying me.

Second, when issuing the "clear xlate" on a global basis, does this drop all connections that are currently built, assuming they are all going through some type of NAT or PAT? For instance, if I have an FTP transfer going, and do a clear xlate, does that kill my session?

Third, why does Cisco also say when adding, changing or removing "aaa-server", "access-list" are also 2 other commands that would require a clear xlate? If I add an ACL or aaa-server for that matter, what is constituting their recommendation for me to do a clear xlate?

appreciate any input. I think the clear xlate has always been a misunderstood command to a point, and often overused, but I've seen so much conflicting info about it, I thought it might be a good discussion to bring on this forum.

thanks

David White Thu, 06/24/2010 - 20:56

Great topic and post!

Yes, clear xlate is overused by many. To understand when to use clear xlate, you must first understand what it does.

When a packet flow passes through the ASA, and it is translated (NATed or PATed), the ASA first builds a local-host (which is a container for the IP), and then builds an xlate (which is the translation mapping). The xlate is tied to the local-host. Next, the ASA builds the connection (which is tied to the xlate and thus the local-host).

Now, here is what is important.  For TCP connections, they are removed after the closing sequence (FINs), or after one side receives a RST, or after the idle TCP timeout expires (by default - 1 hour).  However, the xlate will remain until the following two conditions are both met:

  1. no connections are tied to the xlate
  2. the xlate timer has expired (by default it is 3 hours for NAT, 30 sec for PAT)

Now, if you decided to change a translation mapping, you must first remove the existing mapping, and then replace it with the change.  But, removing the existing nat/static config does NOT remove the translation from the xlate table.  Therefore, if you don't clear that xlate, then it will remain (translating based on the old config) until the conditions above are met.


If you want your config change to take place immediately, then you need to manually clear that translation from the xlate table.  clear xlate will clear ALL translations.  Instead, issue the clear xlate local   command to clear just the translation you are changing.

I hope this helps explain it.  If so, let us know by marking the question as answered.  And if not, then post a follow-up.

Sincerely,

David.

mjsully Fri, 06/25/2010 - 06:01

thanks for that info. It's helpful. I have a few more questions, though.

when does one use "clear local-host" vs "clear xlate"? you didn't mention the use of the clear local-host command

I can't find any reasoning as to why Cisco recommends you do a clear xlate when using some other commands, such as "aaa-server" "access-list", etc. can you speak to that? I'd really like to know why, especially, if I modify an access-list, that they are recommending I do this command.

what happens to active connections (like an FTP transfer) if a global "clear xlate" is used? is it dropped? it sounds like you are suggesting to use the clear xlate local instead of the global clear xlate? the overall belief out there is to simply do a "clear xlate", so I think that it sounds as though that is being done unnecessarily?

and the following cisco website (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml#showxlate) says the following:

  • A static xlate is a persistent xlate that is created with the static command. In order to remove static xlates, you must remove the static command from the configuration. The clear xlate command does not remove the static translation rule. If you remove a static command from the configuration, preexisting connections that use the static rule can still forward traffic. Use the clear local-host command in order to deactivate these connections.

  • A dynamic xlate is an xlate that is created on demand with traffic processing (through the nat or global command). The clear xlate command removes dynamic xlates and their associated connections. If you remove a nat or a global command from the configuration, the dynamic xlate and associated connections might remain active.

That still confuses me, and makes me think that if I remove a static, I don't need to do the clear xlate, but only the clear local-host command?

thanks very much

pkampana Fri, 06/25/2010 - 11:08

"clear local-host" clears the host, its xlates, and its connections through the ASA. "clear xlate" clears the xlates, ultimately the conns might be torn down, but the command does not do it by itself.

Let's say you change an ACL, and there is a flow that is already established that the ACL change is denying. When you change the ACL all new conns will be subject to the new ACL but existing ones are not. In that case you need a "clear conn" to enforce your ACL change to everything.
Now if you remove a global, you will do a "clear xlate" again so that you don't use an existing xlate and the new xlate rule is enforced.
In other words I believe the doc is trying to generalize the command that is suggested when changes are made so that they are enforced and "clear xlate" is chosen for that.

If you have an ftp session and you clear xlate and the new xlate that is built is the exact same one as the one that existed then the connection should not be dropped unless the devices are doing passive ftp (dns inspection involved).

You are right that removing a static does not need a clear xlate.

I believe the doc you are suggesting was just trying to generalize how to enforce changes for nat/acls changes etc and gave one command for it.

I hope it clarifies it a little.

PK

Rodrigo Gurriti Wed, 12/08/2010 - 10:06

PK,

I don't know about that: "You are right that removing a static does not need a clear xlate."

I have a customer that has a FWSM on 4.0 that has modified the TCP intercept configuration on a static:

static (inside,outside) A.B.C.D E.F.G.H netmask 255.255.255.255

to

static (inside,outside) A.B.C.D E.F.G.H netmask 255.255.255.255 0 500

After about 20 changes like that we did a "sh local-host E.F.G.H"

IPv4 local hosts:

local host: , tcp conn(s)/limit = 49110/0, embryonic(s)/limit = 0/0 udp conn(s)/limit = 1/0

    Xlate(s):

        Global A.B.C.D Local E.F.G.H

After a clear xlate local E.F.G.H

IPv4 local hosts:

local host: , tcp conn(s)/limit = 1/0, embryonic(s)/limit = 0/500 udp conn(s)/limit = 0/0

    Xlate(s):

        Global A.B.C.D4 Local E.F.G.H

As shown above I had to do clear xlate on a static!
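
The before/after output in the post above differs in the embryonic limit (0/0 versus 0/500), which is the field to compare against the `static` line after a change. The following is an added example, not code from the thread or from Cisco: a Python check that parses captured `show local-host` text and reports limits that do not yet match the configuration. The sample addresses, the `<host>` field, and the reading of the trailing `0 500` as connection limit and embryonic limit are assumptions based on the output quoted in the thread.

```python
import re

# Constructed sample data in the layout of the output quoted in the thread.
# Addresses are documentation placeholders; the <host> field is an assumption.
STATIC_LINE = "static (inside,outside) 192.0.2.10 10.0.0.5 netmask 255.255.255.255 0 500"
BEFORE_CLEAR = """\
local host: <10.0.0.5>, tcp conn(s)/limit = 49110/0, embryonic(s)/limit = 0/0 udp conn(s)/limit = 1/0
    Xlate(s):
        Global 192.0.2.10 Local 10.0.0.5
"""
AFTER_CLEAR = """\
local host: <10.0.0.5>, tcp conn(s)/limit = 1/0, embryonic(s)/limit = 0/500 udp conn(s)/limit = 0/0
    Xlate(s):
        Global 192.0.2.10 Local 10.0.0.5
"""

STATIC_RE = re.compile(
    r"^static\s+\([^,]+,[^)]+\)\s+(?P<glob>\S+)\s+(?P<local>\S+)"
    r"(?:\s+netmask\s+\S+)?(?:\s+(?P<max_conns>\d+)(?:\s+(?P<emb>\d+))?)?\s*$")
HOST_RE = re.compile(
    r"local host:\s*<?(?P<host>[\d.]*)>?,\s*"
    r"tcp conn\(s\)/limit\s*=\s*\d+/(?P<tcp_lim>\d+),\s*"
    r"embryonic\(s\)/limit\s*=\s*\d+/(?P<emb_lim>\d+)")

def configured_limits(static_line):
    """Limits from a static line; omitted values are treated as 0 (assumption)."""
    m = STATIC_RE.match(static_line.strip())
    if m is None:
        raise ValueError("unrecognised static line: %r" % static_line)
    return {"local": m["local"],
            "max_conns": int(m["max_conns"] or 0),
            "emb_limit": int(m["emb"] or 0)}

def live_limits(show_output):
    """Map each local host in 'show local-host' text to its live limits."""
    return {m["host"]: {"max_conns": int(m["tcp_lim"]), "emb_limit": int(m["emb_lim"])}
            for m in HOST_RE.finditer(show_output)}

def stale_limits(static_line, show_output):
    """List (field, configured, live) mismatches; None if the host has no entry."""
    cfg = configured_limits(static_line)
    live = live_limits(show_output).get(cfg["local"])
    if live is None:
        return None
    return [(k, cfg[k], live[k]) for k in ("max_conns", "emb_limit") if cfg[k] != live[k]]

if __name__ == "__main__":
    print("before clear:", stale_limits(STATIC_LINE, BEFORE_CLEAR))
    print("after clear: ", stale_limits(STATIC_LINE, AFTER_CLEAR))
```

A non-empty list means the local-host entry still carries the limits of the previous `static` line.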

    This Discussion

    Posted June 24, 2010 at 4:08 PM