Cisco Support Community

New Member

FWSM NAT Bypass

I found this paragraph in the FWSM configuration guide 3.2:

NAT Bypass No Longer Creates NAT Sessions

In previous releases, even if you used NAT exemption or identity NAT, the FWSM created NAT sessions (xlates) for all flows. In Release 3.2, you can configure the FWSM to create xlates only when NAT is configured. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not configure NAT. Because there is a maximum number of NAT sessions, these kinds of NAT sessions might cause you to run into the limit.

What I understand is that for any flow, an xlate is built.

Now, taking a look at the FWSM data sheet:

  • 1 million concurrent connections
  • 256,000 concurrent NAT or PAT translations

This doesn't make sense to me, because one translation corresponds to one connection, unless a flow includes several connections.

  • Firewalling
1 REPLY
New Member

Re: FWSM NAT Bypass

Translations and connections are different. You can have multiple connections in 1 translation.

i.e.

You have IP 10.10.10.1 translated to 161.200.13.100 and that host has connections to a Web server, an FTP server and an SMTP server. Each server is a different host, which will give you connections to ports 80, 21 and 25.
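The following is an added illustration, not code from either poster or from Cisco: a small Python model of the two tables the reply is distinguishing, the connection table (keyed by the full flow) and the xlate table (keyed by real address, plus real port for PAT). It replays the reply's example (one host statically translated to 161.200.13.100 with three connections) and also the untranslated case from the quoted 3.2 guide paragraph, with and without the xlate-bypass option. The destination addresses, source ports and the PAT address are constructed, the per-connection granularity of identity xlates without bypass is a simplification taken from the guide's wording, and `limiting_resource` is plain arithmetic against the data-sheet figures quoted in the question, so it can show which of the two limits a given traffic mix hits first.

```python
"""Toy model of FWSM connection vs. xlate accounting (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Limits quoted from the FWSM data sheet in the question
MAX_CONNS = 1_000_000
MAX_XLATES = 256_000

Conn = Tuple[str, int, str, int]   # (real src ip, src port, dst ip, dst port)
XlateKey = Tuple[str, int]          # (real ip, real port); port 0 = whole host


@dataclass
class FwsmModel:
    # Static one-to-one NAT rules: real inside address -> mapped global address
    static_nat: Dict[str, str] = field(default_factory=dict)
    # Hosts whose connections are port-translated to one mapped address (PAT)
    pat_hosts: Set[str] = field(default_factory=set)
    pat_global: str = "192.0.2.1"   # constructed TEST-NET address
    # Model of the 3.2 xlate-bypass option: untranslated flows get no xlate entry
    xlate_bypass: bool = False
    conns: Set[Conn] = field(default_factory=set)
    xlates: Dict[XlateKey, Tuple[str, int]] = field(default_factory=dict)
    next_pat_port: int = 1024

    def _add_xlate(self, key: XlateKey, mapped: Tuple[str, int]) -> None:
        if len(self.xlates) >= MAX_XLATES:
            raise RuntimeError("xlate limit reached")
        self.xlates[key] = mapped

    def open_connection(self, src: str, sport: int, dst: str, dport: int) -> Optional[XlateKey]:
        """Record a connection and whatever xlate the FWSM would need for it.
        Returns the xlate key the flow uses, or None when it consumes no xlate."""
        if len(self.conns) >= MAX_CONNS:
            raise RuntimeError("connection limit reached")
        self.conns.add((src, sport, dst, dport))
        if src in self.static_nat:
            # Static NAT: one xlate per real host, shared by all of its connections.
            key = (src, 0)
            if key not in self.xlates:
                self._add_xlate(key, (self.static_nat[src], 0))
            return key
        if src in self.pat_hosts:
            # PAT: each real source port gets its own mapped port, so one xlate per connection.
            key = (src, sport)
            if key not in self.xlates:
                self._add_xlate(key, (self.pat_global, self.next_pat_port))
                self.next_pat_port += 1
            return key
        # Untranslated flow (identity NAT / NAT exemption / no nat-control).
        if self.xlate_bypass:
            return None
        # Default behaviour as the quoted guide describes it: an xlate for each untranslated
        # connection. Modelled per connection here; that granularity is a simplification.
        key = (src, sport)
        if key not in self.xlates:
            self._add_xlate(key, (src, sport))
        return key

    def counts(self) -> Tuple[int, int]:
        """(connections, translations) currently held."""
        return len(self.conns), len(self.xlates)


def reply_scenario(bypass: bool = False) -> Tuple[int, int]:
    """The reply's example: one statically translated host, three connections."""
    fw = FwsmModel(static_nat={"10.10.10.1": "161.200.13.100"}, xlate_bypass=bypass)
    fw.open_connection("10.10.10.1", 40001, "203.0.113.10", 80)   # web
    fw.open_connection("10.10.10.1", 40002, "203.0.113.11", 21)   # ftp
    fw.open_connection("10.10.10.1", 40003, "203.0.113.12", 25)   # smtp
    return fw.counts()   # three connections sharing one translation


def untranslated_scenario(bypass: bool, n_conns: int = 5) -> Tuple[int, int]:
    """A host with no NAT rule, with and without the xlate-bypass option."""
    fw = FwsmModel(xlate_bypass=bypass)
    for i in range(n_conns):
        fw.open_connection("10.10.10.2", 50000 + i, "203.0.113.20", 443)
    return fw.counts()


def limiting_resource(n_hosts: int, conns_per_host: int, mode: str) -> str:
    """Which data-sheet limit a traffic mix reaches first: 'connections', 'xlates' or 'fits'.
    mode: 'static' (one xlate per host), 'pat' or 'untranslated' (one per connection),
    'bypass' (no xlates for untranslated flows)."""
    conns = n_hosts * conns_per_host
    xlates = {"static": n_hosts, "pat": conns, "untranslated": conns, "bypass": 0}[mode]
    if conns > MAX_CONNS:
        return "connections"
    if xlates > MAX_XLATES:
        return "xlates"
    return "fits"


if __name__ == "__main__":
    print("reply example (conns, xlates):", reply_scenario())
    print("untranslated, no bypass:", untranslated_scenario(False))
    print("untranslated, bypass:", untranslated_scenario(True))
    print("250k hosts x 4 conns, static NAT:", limiting_resource(250_000, 4, "static"))
    print("250k hosts x 4 conns, untranslated:", limiting_resource(250_000, 4, "untranslated"))
```

The point the model makes concrete is the one in the reply: under static NAT the translation count grows with hosts while the connection count grows with flows, so 250,000 hosts with four connections each fit inside both figures on the data sheet, whereas the same mix of untranslated flows on a box that still builds an xlate per connection runs into the 256,000 xlate limit long before the connection limit. That is the capacity problem the 3.2 bypass option is there to remove.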
