×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

xlate count and connection count

Unanswered Question
Mar 9th, 2012
User Badges:

Can a firewall show more XLATE created than CONNECTIONS?


Is that theoretically possible to have more XLATEs than the total number of connections?. the reason I am asking, that assuming a Cisco 5510 has have maximum 130,000 total connections, however xlate limit on an ASA is considered as UNLIMITED.


I am designing a large network having multiple CIsco ASAs deployed as multi context mode to cater various networks inside the organization. I want to create proper resources per class. So far Xlate count vs. connection count is not very clear.. I tried putting a very large value for xlate and the firewall accepted it, and still showed the total percentage as 0%


Xlates           default          all      CA  unlimited                     

                 123                2       C 2147483647 4294967294      0.00%

                 All Contexts:      3                    4294967294      0.00%



Whereas connection count is shown as

Conns            default          all      CA  unlimited                     

                 123                2       C      65000     130000    100.00%

                 All Contexts:      3                        130000    100.00%


Any help is highly appreciated.


Thank you,

FNK    

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mirober2 Sat, 03/24/2012 - 09:16
User Badges:
  • Cisco Employee,

Hi Fawad,


Yes, this is possible. Keep in mind that the ASA immediately builds an xlate for any static NAT you have configured. Therefore, even with 0 connections on the box, the ASA can still have existing idle xlates (in the case of static NAT).


-Mike

patrick.preuss Sat, 03/24/2012 - 13:01
User Badges:
  • Bronze, 100 points or more

Hi


as far as i remember xlate is nat (regardless if it is static or not)

and on the IOS systems it is the same, static entries are in the table.


connections are actual session in the packetfilter/firewall sessions this is a differnet operation.


Patrick

Actions

This Discussion