Cisco ASA Connections and Translations

The Cisco ASA 5500 Firewall Appliance is a stateful firewall device, meaning that for every connection passing through the device, the stateful mechanism keeps a record of all connection states and parameters. It does this so that it can check whether inbound return packets belong to an already established connection and, if so, let them in.

A connection is a state entry of source IP/source port and destination IP/destination port. For example, a connection in the firewall is an entry with a source IP and source port 1025 and a destination IP with destination port 80. This connection belongs to an internal PC accessing a public web server.

A translation is an entry of a source IP and its mapped translated IP. A translation entry results from a NAT rule configured in the firewall.

We can see connection entries using “show conn”. We can see translation entries using “show xlate”.
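As an added illustration (not code from the original post or from Cisco), here is a small Python model of the two tables: an outbound connection creates a conn entry and, where a NAT rule applies, an xlate entry, and an inbound packet is admitted only if, after un-translating its destination, it matches the return half of an existing connection. The NAT rule, addresses and the "show conn" line format are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """One connection-table entry: the 5-tuple recorded per flow."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFirewall:
    """Toy model of an ASA-style connection table ("show conn") and
    translation table ("show xlate"). Not the ASA implementation."""

    def __init__(self, nat_rules):
        # nat_rules maps a real inside IP to its mapped (translated) IP,
        # standing in for a configured static NAT rule (constructed).
        self.nat_rules = nat_rules
        self.xlate = {}     # real IP -> mapped IP, like "show xlate"
        self.conns = set()  # Conn entries, like "show conn"

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: record the conn entry and, if a
        NAT rule matches the source, the translation it produced."""
        mapped = self.nat_rules.get(src_ip, src_ip)
        if src_ip in self.nat_rules:
            self.xlate[src_ip] = mapped
        self.conns.add(Conn(proto, src_ip, src_port, dst_ip, dst_port))
        return mapped  # source address the outside network sees

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet from the outside: undo the translation on its destination,
        then admit it only if it is the return half of an existing conn."""
        real_dst = next((r for r, m in self.xlate.items() if m == dst_ip), dst_ip)
        reverse = Conn(proto, real_dst, dst_port, src_ip, src_port)
        return reverse in self.conns

    def show_conn(self):
        """Lines in the spirit of "show conn" output (format is illustrative)."""
        return [f"{c.proto} inside {c.src_ip}:{c.src_port} outside {c.dst_ip}:{c.dst_port}"
                for c in sorted(self.conns, key=lambda c: (c.src_ip, c.src_port))]

# Constructed sample: inside PC 192.168.1.10 is statically NATed to 198.51.100.10
fw = StatefulFirewall({"192.168.1.10": "198.51.100.10"})
fw.outbound("TCP", "192.168.1.10", 1025, "203.0.113.5", 80)
# The web server's reply is addressed to the mapped IP and matches the conn entry.
reply_ok = fw.inbound("TCP", "203.0.113.5", 80, "198.51.100.10", 1025)
# An unsolicited inbound packet to the same host matches no conn entry and is dropped.
unsolicited = fw.inbound("TCP", "203.0.113.99", 4444, "198.51.100.10", 1025)
```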

You can find an excellent description of connections and translations on the Unofficial Cisco ASA Blog.