Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


I found this paragraph on the FWSM configuration guide 3.2:

NAT Bypass No Longer Creates NAT Sessions

In previous releases, even if you used NAT exemption or identity NAT, the FWSM created NAT sessions (xlates) for all flows. In Release 3.2, you can configure the FWSM to create xlates only when NAT is configured. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not

configure NAT. Because there is a maximum number of NAT sessions, these kinds of NAT sessions might cause you to run into the limit.

What I understand is that for any flow, a xlate is built.

Now, taking a look on the FWSM data sheet:

? 1 million concurrent connections

? 256,000 concurrent NAT or PAT translations

This doesn't make sense to me because one translations correspond to connection, unless a flow includes several connections.

New Member

Re: FWSM NAT Bypass


Starting with FWSM 3.2 we no longer create xlate entries with NAT 0 (if configured so). So one connection no longer has to equal one xlate.

Keep in mind that one to one translations will create one xlate entry but up to 65000 conns can use that single xlate.