Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
999
Views
0
Helpful
5
Replies

conn vs xlate

aksher
Level 1
Level 1

‎06-14-2006 01:56 PM - edited ‎03-09-2019 03:15 PM

is conn always dependent on xlate tht's as long conn is there xalte will be there

Labels:
0 Helpful
5 Replies 5

a.kiprawih
Level 7
Level 7

‎06-15-2006 12:11 AM

Hi,

Conn exists when there is a communication (via xlate) established between hosts from diffrent

firewall segments.This is possible/permitted via address translation configuration.

Use 'show xlate' to view address translation session/table.

One xlate session allows more than one connection (conn) to establish.

Conn will be there as long as address translation (or xlate) exists. This is why when you issue 'clear xlate' command, all connections will be terminated.

When you issue 'show conn' command, you might see more than one connection is established between two hosts (depending on services allowed).

Rgds,

AK

0 Helpful

aksher
Level 1
Level 1
In response to a.kiprawih

‎06-15-2006 03:39 PM

5 used , 10 most used means

5 are currently translated and 10 alreaday translated?

0 Helpful

a.kiprawih
Level 7
Level 7
In response to aksher

‎06-16-2006 04:17 AM

It did not refers to address translation but established connection after address translation permitted by Firewall.

5 used = currently connection

10 most used = maximum connection ever recorded

e.g if at certain time maximum conn is 100, then when you issue the 'show conn' command you have 20 active connection, you'll see something like "20 used, 100 most used".

BTW, the 'conn' refers to TCP connection only.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008042c8b7.html#wp1026157

Rgds,

AK

0 Helpful

aksher
Level 1
Level 1
In response to a.kiprawih

‎06-16-2006 11:31 AM

but what if comes on sh xlate

0 used 0 most used

but still i am able to see connections when i give sh conn

0 Helpful

sachinverma
Level 1
Level 1

‎06-15-2006 12:56 AM

Hi,

When using dynamic translation with a pool(non-overload) the 'xlate' is the pairing of an inside local address with an inside global address. Once this has been created, actual 'conn[ections]' are created for the unique inside IP/port to outside IP/port.Static translations have a permanent 'xlate' but still generate a 'conn'for each flow to/from the outside.

Look at the logs for 'xlate' versus 'connection' entries and you will see the difference.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents