If you change an access list, change NAT, or do anything else that can alter
which packets are allowed to flow through the firewall, you may not see
the results until you execute the
Xlate is short for translation. A translation
is created for every conversation that is active on the ASA. To see which
xlates are active on your ASA, use the
show xlate command:

    4 in use, 4 most used
    Global 10.0.0.10 Local 192.168.1.10
    Global 10.0.0.11 Local 192.168.1.11
    PAT Global 10.0.0.6(80) Local 192.168.1.6(80)
    PAT Global 10.0.0.6(443) Local 192.168.1.7(443)

PAT Global entries are live
connections from my PC to the Web. I had a download running through a web
browser, plus a few web pages open. The last entry is a static translation
resulting from the static configuration entered earlier.
To clear xlates, use the clear xlate command.
When you clear xlates, every session on the firewall will be broken and will need to be rebuilt. If your ASA is protecting an ecommerce website, transactions will be broken and customers may become unhappy. You should not clear xlates unless there is a valid reason.
The command runs with no fanfare on the ASA, but every connection will be cleared. My IM
client reset, and the download I had running aborted as a result of the
xlates being cleared.
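Because clearing xlates tears down every session, it helps to record the translation table first. The following is an added example, not code from the original text: a small parser for the show xlate output quoted above that checks the entry count against the header and groups inside hosts by global address. The function names parse_xlate and locals_by_global are hypothetical, and the parser assumes only the two line shapes that appear in that output.

```python
import re
from collections import defaultdict

# Sample input: the show xlate output quoted on this page.
SAMPLE = """\
4 in use, 4 most used
Global 10.0.0.10 Local 192.168.1.10
Global 10.0.0.11 Local 192.168.1.11
PAT Global 10.0.0.6(80) Local 192.168.1.6(80)
PAT Global 10.0.0.6(443) Local 192.168.1.7(443)
"""

# Assumption: every line has one of the two shapes seen in that output.
HEADER = re.compile(r"^(\d+) in use, (\d+) most used$")
ENTRY = re.compile(r"^(PAT )?Global (\S+?)(?:\((\d+)\))? Local (\S+?)(?:\((\d+)\))?$")

def parse_xlate(text):
    """Return (in_use, entries); each entry is a dict describing one xlate."""
    in_use, entries = None, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            in_use = int(m.group(1))
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognized xlate line: {line!r}")
        pat, g_ip, g_port, l_ip, l_port = m.groups()
        entries.append({
            "pat": bool(pat),
            "global": g_ip, "global_port": int(g_port) if g_port else None,
            "local": l_ip, "local_port": int(l_port) if l_port else None,
        })
    # A truncated or partially pasted capture fails here instead of passing silently.
    if in_use is not None and in_use != len(entries):
        raise ValueError(f"header says {in_use} in use, parsed {len(entries)}")
    return in_use, entries

def locals_by_global(entries):
    """Map each global address to the set of inside hosts behind it."""
    out = defaultdict(set)
    for e in entries:
        out[e["global"]].add(e["local"])
    return dict(out)

if __name__ == "__main__":
    count, xlates = parse_xlate(SAMPLE)
    print(f"{count} xlates recorded before clear xlate")
    for g, hosts in sorted(locals_by_global(xlates).items()):
        print(g, "->", ", ".join(sorted(hosts)))
```

On the sample, the grouping shows that global address 10.0.0.6 fronts two different inside hosts, one per port.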
Another useful command for troubleshooting is
show conn, which shows
all of the active connections on the ASA:
sho conn ...