New Member

Understanding Identity Nat

All,

I hope someone can clear this up. I've read in my SNPA 5.0 course that Identity NAT 0 does not translate and does not use a translation slot.

But in chapter 12 of the FWSM config manual, it states that NAT sessions are created for Identity NAT (with or without NAT control).

If both sources are referring to the same thing, then the two statements above seem to contradict. Can someone please clear this up?

Thanks

4 REPLIES
Cisco Employee

Re: Understanding Identity Nat

On the FWSM, in versions prior to 3.2, we will build xlates for nat 0. In later versions of 3.2, you can enable xlate bypass to stop the firewall from building those kinds of translations.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/uw.html#wp1306953

From that page:

"By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not configure NAT. Because there is a maximum number of NAT sessions (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide), these kinds of NAT sessions might cause you to run into the limit.

To avoid running into the limit, you can disable NAT sessions for untranslated traffic using the xlate-bypass command. If you disable NAT control and have untranslated traffic or use NAT exemption, or you enable NAT control (using the nat-control command) and use NAT exemption, then with xlate bypass, the FWSM does not create a session for these types of untranslated traffic. NAT sessions are still created in the following instances:

• You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation.

• You use same-security interfaces with NAT control. Traffic between same security interfaces create NAT sessions even when you do not configure NAT for the traffic. To avoid NAT sessions in this case, disable NAT control or use NAT exemption as well as xlate bypass."

[Rate if useful. Thanks!]
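To make the distinction in the quoted passage concrete, here is an added configuration example; it is not from the original post or from Cisco's documentation. It contrasts the two forms of nat 0 the passage treats differently: NAT exemption (nat 0 with an access-list), which together with xlate-bypass is documented as creating no NAT session, and identity NAT (nat 0 with a network and mask), which the passage says is still counted as a translation. The interface name, subnets and ACL name are assumed placeholders, and the two cases are meant to be applied one at a time on the same interface.

```cisco
! Added example, not from the thread. Interface name, subnets and the
! ACL name are assumed placeholders for illustration.
!
! Case A: NAT exemption (nat 0 referencing an access-list).
! Per the quoted FWSM 3.2 documentation, with xlate-bypass enabled this
! traffic does not consume a NAT session, whether or not nat-control is on.
nat-control
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
xlate-bypass
!
! Case B: identity NAT (nat 0 with a network/mask, no access-list).
! The same passage states this "is considered to be a translation" and
! is listed among the cases where NAT sessions are still created even
! with xlate-bypass configured.
nat (inside) 0 10.1.2.0 255.255.255.0
xlate-bypass
!
! Verification: send traffic from each subnet through the module and
! inspect the translation table. With the documented behaviour, entries
! appear for 10.1.2.x (Case B) and none for 10.1.1.x (Case A).
show xlate count
show xlate
```

The practical reason to care is the fixed xlate table size mentioned in the passage: untranslated flows that still occupy a slot count toward the same limit as real translations, so a busy identity-NAT segment can exhaust the table and cause new connections to be dropped. Checking `show xlate count` under load, before and after enabling xlate-bypass, shows directly which of your nat 0 statements still cost a slot.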

New Member

Re: Understanding Identity Nat

Mamorten,

In the FWSM 3.2 configuration guide, it looks like "identity NAT" will create xlates with or without NAT control, even if you use xlate bypass with it.

Case in point, "You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation. "

But it seems that the FWSM 3.2 configuration guide contradicts what is written in the SNPA 5.0 course, which states that Identity NAT 0 does not translate and does not use a translation slot.

Which text is correct?

Cisco Employee

Re: Understanding Identity Nat

I think the SNPA book is wrong, since I have seen NAT 0 build xlates with my own eyes...

New Member

Re: Understanding Identity Nat

Yes,

I believe the SNPA course is wrong about this topic.

To clarify the second point: the FWSM 3.2 configuration guide says that "Identity NAT" will always create xlates, even if you use xlate bypass. Is that true?
