NAT enhancements

There are a few little tricks to improve NAT performance. The first would be translation timeout. Translation timeout returns a translated address back to the pool. The default is 3:00 hours. If you have a smaller pool or find that PAT is being used too much you can adjust this timer. I personally like a smaller timer and depending on the application and/or load use 15 or 20 minute timers.

timeout xlate 1:00:00

The ASDM configuration window resides at Configuration > Firewall > Advanced > Global Timeouts. Modify the Translation Slot field.

The other feature is DNS rewriting. You are able to intercept and rewrite DNS requests that hit the ASA firewall. By default a DNS server may only know the public IP address of but the DNS server has a private IP address. DNS rewrite will allow NAT translation of the IP address inside the DNS reply.

nat (dmz-dns,outside) source static DMZ-DNS-01 OUT-DNS-01 dns

The keyword dns at the end is what initiates the DNS rewrite feature.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules.

This is an extract of my upcoming ASA companion guide. 

Leave a Reply

Your email address will not be published. Required fields are marked *