FWSM Resource Issue - Statics vs Xlates - Need Help
According to Cisco, an entire FWSM blade (across all contexts) can only support 2048 statics. There is also a finite limit of xlates available (though I don't know that number).
We had a customer that was using a large amount of statics (for identity nat). We did no nat-control and got rid of them. All seemed well. For our contexts we only allow a certain percentage of usage of the FWSM's resources per context. Now we see this customer hitting up against the xlate resources limit.
Is this coincidence? Does removing the configured statics cause the xlates to increase in some way? I thought the same xlate would happen whether you use a static or not.
Can someone please help me understand? I just want to see if there is a correlation between the configured identity nat statics being removed and an increase in usage of xlate resources... or is this unrelated?
In this example, originally, when 192.168.1.10 wants to access a device on the outside segment, the IP Address 192.168.1.10 will be translated to 220.127.116.11. Now that you’ve removed the static command, when 192.168.1.10 wants to access a device on the outside segment, the IP Address 192.168.1.10 will be translated to 18.104.22.168. That means now, everything in 192.168.1.XXX will translate to 22.214.171.124 when accessing a device on the outside segment.
Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
P/S: If you think this comment is useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
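An added example, not part of this thread or of any Cisco tooling: a small Python check that parses the output of `show resource usage` (constructed sample below; the column layout and the "Xlates" resource name are assumed to match FWSM/ASA multiple-context mode) and flags contexts that are close to their per-context xlate limit or have already had allocations denied, which is the condition the original question describes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on `show resource usage` in multiple-context
# mode. Assumption: real output has the same columns (Current, Peak, Limit,
# Denied, Context); adjust ROW_RE if your software version differs.
SAMPLE_OUTPUT = """\
Resource              Current         Peak      Limit        Denied Context
Conns                    4021         5500      50000             0 custA
Xlates                   9700         9990      10000           312 custA
Conns                     120          300      20000             0 custB
Xlates                     35           80       4000             0 custB
Conns                      40           60      10000             0 admin
"""

ROW_RE = re.compile(
    r"^(?P<resource>\S+)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|unlimited)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text: str) -> List[Dict]:
    """Turn the table into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d: Dict = m.groupdict()
        for key in ("current", "peak", "denied"):
            d[key] = int(d[key])
        d["limit"] = None if d["limit"] == "unlimited" else int(d["limit"])
        rows.append(d)
    return rows


def xlate_pressure(rows: List[Dict], threshold: float = 0.9) -> Dict[str, Dict]:
    """Return contexts whose Xlates usage is at/above `threshold` of the
    per-context limit, or which have had xlate allocations denied."""
    flagged: Dict[str, Dict] = {}
    for r in rows:
        if r["resource"] != "Xlates" or r["limit"] is None:
            continue  # only bounded xlate rows are relevant here
        util = r["current"] / r["limit"]
        if util >= threshold or r["denied"] > 0:
            flagged[r["context"]] = {"util": round(util, 3), "denied": r["denied"]}
    return flagged


if __name__ == "__main__":
    print(xlate_pressure(parse_resource_usage(SAMPLE_OUTPUT)))
```

A context that shows up here with a non-zero Denied count is already dropping translations; that is the point at which enabling xlate-bypass (for untranslated traffic) or revisiting the context's resource allocation is worth considering.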