Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


I found this paragraph on the FWSM configuration guide 3.2:

NAT Bypass No Longer Creates NAT Sessions

In previous releases, even if you used NAT exemption or identity NAT, the FWSM created NAT sessions (xlates) for all flows.

In Release 3.2, you can configure the FWSM to create xlates only when NAT is configured. By default, the FWSM creates NAT

sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection

even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not

configure NAT. Because there is a maximum number of NAT sessions, these kinds of NAT sessions might cause you to run into the


What I understand is that for any flow, a xlate is built.

Now, taking a look on the FWSM data sheet:

? 1 million concurrent connections

? 256,000 concurrent NAT or PAT translations

This doesn't make sense to me because one translations correspond to connection, unless a flow includes several connections.

  • Firewalling
New Member

Re: FWSM NAT Bypass

Translations and connections are different. You can multiple connections in 1 translation.


You have IP translated to and that host has connections to a Web server, an FTP server and an SMTP. Each server is a different host, which will give you connections to ports 80, 21 and 25.

This widget could not be displayed.