Cisco ASA Per-Session vs Multi-Session PAT

Hello Erik

A clarification on my previous post. Multi-session PAT is the default on Cisco ASA devices before version 9.x, because it was the only type of PAT available. On ASA 9.x and later, Per-session PAT is enabled by default.

Now in order to disable per-session PAT and enable multi-session PAT, you will have to use the following commands (as stated in the lesson):

ASA1(config)# no xlate per-session permit tcp any4 any4
ASA1(config)# xlate per-session deny tcp any4 any4

Remember that a permit rule uses per-session PAT, and a deny rule uses multi-session PAT. So in the above example, per-session PAT is disabled for everything and multi-session is enabled for everything. If you want to do this selectively for SIP for example, you can use the following command:

xlate per-session deny tcp any4 any4 eq 5060

This will enable multi-session PAT for any TCP communication with a destination port of 5060, which is the port used for unencrypted SIP signalling. You can further specify sessions by indicating source and destination IP addresses, other transport layer protocols or source and destination ports.

More information on this command can be found here:

I hope this has been helpful!

Laz

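To make the permit/deny semantics described in the post concrete, here is a small added model (written for this page, not Cisco code) of how an ASA picks the PAT mode for a flow from its `xlate per-session` rule list. It assumes first-match evaluation with operator-entered rules checked before the built-in 9.x defaults (per-session for TCP and for UDP DNS), IPv4 only, and only the `eq PORT` destination-port form shown in the post; flows matching no rule fall back to multi-session PAT. The two configurations from the post are fed in as constructed input.

```python
"""Model of Cisco ASA 'xlate per-session' rule evaluation (added illustration, not ASA code).

Assumptions: rules are evaluated top to bottom, first match wins, operator rules sit
before the built-in defaults, 'no <rule>' removes an identical rule, IPv4 only,
and the only port qualifier handled is 'eq PORT' on the destination.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" -> per-session PAT, "deny" -> multi-session PAT
    proto: str             # "tcp" or "udp"
    src: str               # "any4" or an IPv4 network such as "10.0.0.0/24"
    dst: str
    dport: Optional[int] = None   # None matches any destination port


# Built-in ASA 9.x defaults (IPv4 part): TCP and UDP DNS use per-session PAT.
DEFAULT_RULES: List[Rule] = [
    Rule("permit", "tcp", "any4", "any4"),
    Rule("permit", "udp", "any4", "any4", 53),
]


def parse_xlate(line: str) -> Tuple[bool, Rule]:
    """Parse '[no] xlate per-session {permit|deny} PROTO SRC DST [eq PORT]'.

    A leading 'ASA1(config)# ' prompt is tolerated. Returns (negated, rule).
    """
    line = line.split("# ", 1)[-1]          # drop a CLI prompt if present
    tok = line.split()
    negated = bool(tok) and tok[0] == "no"
    if negated:
        tok = tok[1:]
    if tok[:2] != ["xlate", "per-session"] or len(tok) < 6 or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an xlate per-session command: {line!r}")
    dport = None
    if len(tok) == 8 and tok[6] == "eq":
        dport = int(tok[7])
    elif len(tok) != 6:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return negated, Rule(tok[2], tok[3], tok[4], tok[5], dport)


def apply_config(lines: List[str]) -> List[Rule]:
    """Start from the defaults and apply configuration lines; return the ordered rule list."""
    user: List[Rule] = []
    defaults = list(DEFAULT_RULES)
    for line in lines:
        negated, rule = parse_xlate(line)
        if negated:                          # 'no' removes an identical existing rule
            if rule in user:
                user.remove(rule)
            elif rule in defaults:
                defaults.remove(rule)
        else:
            user.append(rule)
    return user + defaults                   # operator rules are checked first


def _addr_match(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "any4":
        return ip.version == 4
    return ip in ip_network(spec, strict=False)


def pat_mode(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'per-session' or 'multi-session' for a flow, using first-match semantics."""
    for r in rules:
        if (r.proto == proto and _addr_match(r.src, src) and _addr_match(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return "per-session" if r.action == "permit" else "multi-session"
    return "multi-session"                   # no per-session rule matched


if __name__ == "__main__":
    # Constructed inputs: the two configurations from the post.
    global_multi = apply_config([
        "ASA1(config)# no xlate per-session permit tcp any4 any4",
        "ASA1(config)# xlate per-session deny tcp any4 any4",
    ])
    sip_only = apply_config(["xlate per-session deny tcp any4 any4 eq 5060"])
    for name, rules in (("defaults", DEFAULT_RULES), ("global deny", global_multi), ("SIP deny", sip_only)):
        for proto, port in (("tcp", 443), ("tcp", 5060), ("udp", 53), ("udp", 5000)):
            print(f"{name:12} {proto}/{port:<5} -> {pat_mode(rules, proto, '10.0.0.5', '203.0.113.10', port)}")
```

Running the script shows that the global deny switches all IPv4 TCP to multi-session PAT, while the port-qualified deny only changes flows to TCP 5060 and leaves other TCP (and UDP DNS) on per-session PAT. Because the first matching rule wins, a more specific deny placed after a broad permit would never be reached, which is the ordering point to keep in mind when adding selective rules.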