User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23: Configuring Network Address Translation (page 23-45)
NAT Policies on Security Devices
Per-Session NAT Rules: ASA 9.0(1)+
Use the Per-Session NAT Rules page to configure per-session PAT rules on the selected ASA 9.0(1)+
device. By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. You can configure
per-session rules to use multi-session PAT for specific traffic.
Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later)
The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit
to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the
master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes
the xlate. This reset causes the end node to immediately release the connection, avoiding the
TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.
For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the
connection rate supported by one address. Without the per-session feature, the maximum connection rate
for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the
connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit
from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a
per-session deny rule.
Some Features of the Per-Session NAT Rules Table
This Translation Rules table is a standard Security Manager rules table, as described in Using Rules
Tables, page 12-7. For example, you can move, show and hide columns; you can re-order the rules; and
you can right-click certain table cells to edit that parameter.
The NAT rules listed in this table are processed on a first-match basis; therefore, order is important.
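As an added illustration that is not part of this guide, the fragment below shows what the rules described above look like in ASA 9.0(1)+ CLI. It assumes that Security Manager deploys the Per-Session NAT Rules table as a sequence of xlate per-session commands in table order (this assumption is not stated on the page). The three deny rules are constructed examples for the protocols named in the text, H.323 (TCP 1720), SIP (TCP 5060) and Skinny (TCP 2000); because the rules are evaluated first-match, the deny rules must be placed before the default permit for all TCP traffic, otherwise the permit matches first and the deny never takes effect. No UDP deny rules are needed for these protocols, since by default only UDP DNS traffic is per-session.

```text
! Constructed example, not from this guide: ASA 9.0(1)+ per-session PAT rules
! in the order Security Manager would keep them in the rules table.
! Comment lines begin with "!"; ASA does not accept trailing comments on a command.
!
! Deny rules first: these protocols open multiple connections per call and
! benefit from multi-session PAT, so they are excluded from per-session PAT.
! H.323 call signaling (TCP 1720)
xlate per-session deny tcp any4 any4 eq 1720
! SIP over TCP (5060)
xlate per-session deny tcp any4 any4 eq sip
! Skinny / SCCP (TCP 2000)
xlate per-session deny tcp any4 any4 eq 2000
!
! Default rules that exist on the device out of the box: all TCP and UDP DNS
! traffic uses per-session PAT. Anything not matched above falls through here.
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
```

If the deny rules were moved below the permit tcp any4 any4 line, an H.323 or SIP connection would match the permit first and get a per-session xlate, which is the behaviour the deny rule is meant to prevent; after deploying, the active xlates can be inspected on the device with show xlate to confirm which translations are in use.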
Related Topics
Add and Edit Per Session NAT Rule Dialog Boxes, page 23-46
NAT Policies on Security Devices, page 23-15
About “Simplified” NAT on ASA 8.3+ Devices, page 23-3
Standard rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-45
Table Columns and Column Heading Features, page 1-46
Navigation Path
(Device view) Select NAT > Per-Session NAT Rules from the Device Policy selector.
Table 23-15 Network/Host Dialog Box NAT Tab (Continued)

Element: Perform route lookup for Destination Interface

Description: If this option is selected, the egress interface is determined using route look-up instead of using the specified Destination Interface. Be sure this box is checked for a NAT Exempt rule. This option is supported only for Static Identity NAT.

Note: This option is not available on devices operating in transparent mode.