Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : Cisco IOS : Checking NAT Status

Checking NAT Status

Jul 21,2008 by admin

small font medium font large font
image

Checking NAT Status

Problem

You want to see the current NAT information.

Solution

There are several useful EXEC commands for checking the status of NAT on a router. You can view the NAT translation table by using the following command:

Router#show ip nat translation

You can clear all or part of the NAT translation table by specifying either a * or a particular address. To clear a specific entry, you must specify either the global address for a device that is inside, or a local address for a device that is outside:

Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10

You will often want to look at NAT statistics, including information on which interfaces use NAT, how many entries are in the NAT table, how often they have been used, and, most importantly, how often packets have bypassed NAT. The command to see this is show ip nat statistics:

Router#show ip nat statistics

And you can clear these statistics as follows:

Router#clear ip nat statistics

Discussion

The NAT translation table contains information about every translation that the router is currently tracking. In this example, you can see that there have been two connections between the interior device 192.168.1.10 and the exterior device 172.18.3.2. The first of these connections is shown as ICMP: 

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776  172.18.3.2:21776
tcp 172.16.1.100:1029  192.168.1.10:1029  172.18.3.2:23      172.18.3.2:23
--- 172.16.1.10        192.168.1.15       ---                ---
--- 172.16.1.11        192.168.1.16       ---                ---
Router#

This command shows only the currently active NAT table entries. You can see, for example, that it translates the inside local address 192.168.1.10 to the inside global address 172.16.1.100. But this router isn't configured to translate outside addresses, so the outside local address is the same as the outside global addresses. As we discussed in Recipe 21.10, the router removes dynamic NAT entries after a defined period of time. For example, by default the router will delete NAT entries for TCP connections after 24 hours.

The output has five columns. The first is the protocol. This column is blank unless you use the overload option in your NAT configuration. The "Inside global" address column is the translated address of an internal device. The "Inside local" column, on the other hand, shows the real internal address for the same device. The "Outside local" column shows the translated addresses of external devices, while "Outside global" shows their real addresses.

This can be a little bit confusing at first sight. The real address on the inside is "local," and the translated address is "global," while the real address on the outside is "global," and it is translated to a "local" address. You can resolve this confusion by remembering that global addresses are always on the outside, and local addresses are on the inside.

The last two rows represent simple static NAT entries. It shows, for example, that the internal device whose real address is 192.168.1.15 is translated to 172.16.1.10 when its packets pass through this router. There are no external addresses listed for this entry. Because it is a static entry, this translation is the same for any external device. However, the row immediately above this one shows all four entries:

tcp 172.16.1.100:1029  192.168.1.10:1029  172.18.3.2:23      172.18.3.2:23

This line includes a lot of useful information. The first column indicates that this row represents a TCP connection, and that the translation is a dynamic entry. On the inside, the source address is 192.168.1.10, and the source TCP port it 1029, while the destination is 172.18.3.2, and the destination port is 23. On the outside, the destination address and port are the same, but the source address is rewritten as 172.16.1.100, and the source port is 1029.

The verbose keyword makes this command show age information about each table entry: 

Router#show ip nat translation verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776  172.18.3.2:21776
192.168.3.2:4235
    create 00:00:36, use 00:00:36, left 00:00:23, flags: extended
tcp 172.16.1.100:1029  192.168.1.10:1029  172.18.3.2:23      172.18.3.2:23
    create 00:00:15, use 00:00:13, left 00:00:46, flags: extended, timing-out
--- 172.16.1.10        192.168.1.15       ---                ---
    create 1d00h, use 00:23:08, flags: static
--- 172.16.1.11        192.168.1.16       ---                ---
    create 1d00h, use 00:15:28, flags: static
Router#

This level of detail is most useful when you are trying to diagnose NAT table timeout issues.

The show ip nat statistics command includes useful information about the translation configuration. The following example shows one external and two internal interfaces, with a dynamic NAT pool that runs from 172.16.1.100 to 172.16.1.150:

Router#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 1 extended)
Outside interfaces:
  Ethernet0/0
Inside interfaces:
  FastEthernet0/0, FastEthernet0/1
Hits: 2628  Misses: 44
Expired translations: 37
Dynamic mappings:
-- Inside Source
access-list 15 pool NATPOOL refcount 1
 pool NATPOOL: netmask 255.255.255.0
        start 172.16.1.100 end 172.16.1.150
        type generic, total addresses 2, allocated 1 (50%), misses 9
Router#

The Hits field shows the total number of times that the router has had to create new translation table entries. The Misses field counts the exceptions. In this case, there is an access-list that excludes certain internal IP addresses


403 times read

Related news
» Verifying and Troubleshooting the NAT Configuration
by alperen posted on Nov 27,2008
» Commands to Clear the NAT Table
by alperen posted on Nov 27,2008
» Dynamic NAT with Overloading (PAT)
by alperen posted on Sep 09,2009
» load distribution steps
by alperen posted on Nov 27,2008
» NAT Terminology
by alperen posted on Nov 27,2008
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.