Translation (xlate) and Connection (conn) Tables

Translation ( xlate ) and Connection (conn) Tables

The PIX uses two main tables to track the traffic flowing through the system: the translation (xlate) table and the connection (conn) table. The translation table is used for IP address-to-IP address mapping and is commonly known as the xlate table. For example, as data from Jack travels across the firewall, his source address of is changed to These entries are sometimes called slots .


xlate table entries remain in the table for 180 minutes by default. You can use the timeout xlate command to change this setting.

The connection table contains layer 4 TCP or UDP sessions and is used to track with whom Jack has a current session. For example, as Jack sends data to Peter, a connection is made in the xlate table that represents the session generated between the two. After the two have finished sending data, the connection entry is automatically removed. Listing 5.1 shows the xlate and conn commands.

Listing 5.1 The show xlate and show conn Commands
 Pixfirewall# show xlate 1 in use, 53 most used PAT Global Local Pixfirewall# Pixfirewall# show conn 1 in use, 5 most used TCP out in idle 0:00:03 Bytes 334 Pixfirewall# 

Listing 5.1 shows that the local address (Jack) is being translated to The show conn command shows that a TCP session exists between (Jack) and IP address

Step-by-Step Flow

The following demonstrates the step-by-step flow that occurs as Jack's computer connects to Peter's computer through the PIX firewall:

  1. Jack wants to connect to Peter's computer, and the xlate slot is made for Jack to travel through the PIX. His IP address of is translated to

  2. Jack opens a connection (SYN) with Peter (IP address

  3. The session between Jack and Peter is recorded in the conn table and the data is ready to be sent.

  4. Jack and Peter send data back and forth.

  5. The conn table entry is removed when either the TCP FIN message is seen or the conn timer expires .

Note that the xlate slot is not removed yet; if Jack wants to communicate with Peter or another computer, the xlate slot for to is reused. In Figure 5.2 Jack's computer is connecting to four Web servers on the Internet and the PIX is using NAT to translate addresses. The xlate table shows a single entry for the translation, and the conn table displays the four TCP sessions created to each Web site. Figure 5.2 displays Jack's xlate and connection information.

Figure 5.2. xlate and conn tables.



Whenever you make changes using the access-lists , alias, global, interface, ip address, nameif , nat, outbound , or static command, you should clear the xlate table using the clear xlate command.

The show and clear xlate Table Commands

The xlate command has several parameters that can be used with it. When using the xlate by itself, you display or clear the entire table. The parameters give you the granularity to work with only a few entries or groups of entries. The following is the xlate command's syntax:

 showclear xlate [globallocal <ip1[-ip2]> [netmask <mask>]]                 [gport lport <port1[-port2]>]                 [interface <if1[,if2]>]                 [state <static[,portmap][,norandomseq][,identity]>]                 [debug]                 [count] 

Table 5.1 displays several xlate commands and their descriptions.

Table 5.1. xlate Commands



show xlate

Displays the contents of the xlate table

show xlate detail

Displays more detail about the entries in the table

show xlate state static

Displays only the static entries in the xlate table

show xlate count

Displays the current entries being used and the most frequently used ones

clear xlate

Clears the entire table

clear xlate state static

Clears only the static mappings in the table

The show conn Table Commands

The conn command is very similar to the xlate command; you can view or affect the entire table or just a subset of its entries. Remember that the connection table is used to monitor and control the sessions between two computers. Therefore, the parameters for the conn command include things such as FIN, TCP, and UDP. The command syntax is as follows :

 show conn [count]  [protocol <tcpudp>]         [foreignlocal <ip1[-ip2]> [netmask <mask>]]         [lportfport <port1[-port2>]         [state <up[,finin][,finout][,http_get][,smtp_data]                 [,data_in][,data_out][,...]>] 
Table 5.2. conn Commands



show conn

Displays the entire contents of the connection table

show conn detail

Displays detailed information about each connection entry

show conn protocol udp

Displays only the UDP traffic connection table entries

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218 © 2008-2017.
If you may any questions please contact us: