Previous section   Next section

Recipe 21.9 Checking NAT Status

21.9.1 Problem

You want to see the current NAT information.

21.9.2 Solution

There are several useful EXEC commands for checking the status of NAT on a router. You can view the NAT translation table using the following command:

Router#show ip nat translation

You can clear all or part of the NAT translation table by specifying either an asterisk (*) or a particular address. To clear a specific entry, you must specify either the global address for a device that is inside, or a local address for a device that is outside:

Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10

You will often want to look at NAT statistics, including information on which interfaces use NAT, how many entries are in the NAT table, how often they have been used, and, most importantly, how often packets have bypassed NAT. The command to see this is show ip nat statistics:

Router#show ip nat statistics

You can clear these statistics as follows:

Router#clear ip nat statistics

21.9.3 Discussion

The NAT translation table contains information about every translation that the router is currently tracking. In this example, there have been two connections between the interior (192.168.1.10) and exterior (172.18.3.2) device. The first of these connections is shown as ICMP:

Router#show ip nat translation
Pro Inside global       Inside local        Outside local      Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776  172.18.3.2:21776   172.18.3.2:21776
tcp 172.16.1.100:1029   192.168.1.10:1029   172.18.3.2:23      172.18.3.2:23
--- 172.16.1.10         192.168.1.15        ---                ---
--- 172.16.1.11         192.168.1.16        ---                ---
Router#

This command shows only the currently active NAT table entries. You can see, for example, that it translates the inside local address 192.168.1.10 to the inside global address 172.16.1.100. But this router isn't configured to translate outside addresses, so the outside local addresses are the same as the outside global addresses. As discussed in Recipe 21.7, the router removes dynamic NAT entries after a defined period of time. By default, the router will delete NAT entries for TCP connections after 24 hours.

The output has five columns. The first is the protocol. This column is blank unless you use the overload option in your NAT configuration. The "Inside global" address column is the translated address of an internal device. The "Inside local" column, on the other hand, shows the real internal address for the same device. The "Outside local" column shows the translated addresses of external devices, while "Outside global" shows their real addresses.

This can be a little bit confusing at first sight. The real address on the inside is "local," and the translated address is "global," while the real address on the outside is "global," and it is translated to a "local" address. You can resolve this confusion by remembering that global addresses are always on the outside, and local addresses are always on the inside.

The last two rows represent simple static NAT entries. It shows, for example, that the internal device whose real address is 192.168.1.15 is translated to 172.16.1.10 when its packets pass through this router. There are no external addresses listed for this entry. Because it is a static entry, this translation is the same for any external device. However, the row immediately above this one shows all four entries:

tcp 172.16.1.100:1029  192.168.1.10:1029  172.18.3.2:23      172.18.3.2:23

This line includes a lot of useful information. The first column indicates that this row represents a TCP connection, and that the translation is a dynamic entry. On the inside, the source address is 192.168.1.10 and the source TCP port is 1029, while the destination is 172.18.3.2 and the destination port is 23. On the outside, the destination address and port are the same, but the source address is rewritten as 172.16.1.100 and the source port is 1029.

The verbose keyword makes this command show age information about each table entry:

Router#show ip nat translation verbose
Pro Inside global       Inside local         Outside local      Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776   172.18.3.2:21776   172.18.3.2:21776
192.168.3.2:4235
    create 00:00:36, use 00:00:36, left 00:00:23, flags: extended
tcp 172.16.1.100:1029  192.168.1.10:1029  172.18.3.2:23      172.18.3.2:23
    create 00:00:15, use 00:00:13, left 00:00:46, flags: extended, timing-out
--- 172.16.1.10        192.168.1.15       ---                ---
    create 1d00h, use 00:23:08, flags: static
--- 172.16.1.11        192.168.1.16       ---                ---
    create 1d00h, use 00:15:28, flags: static
Router#

This level of detail is most useful when you are trying to diagnose NAT table timeout issues.

The show ip nat statistics command includes useful information about the translation configuration. The following example shows one external and two internal interfaces, with a dynamic NAT pool that runs from 172.16.1.100 to 172.16.1.150:

Router#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 1 extended)
Outside interfaces:
  Ethernet0/0
Inside interfaces:
  FastEthernet0/0, FastEthernet0/1
Hits: 2628  Misses: 44
Expired translations: 37
Dynamic mappings:
-- Inside Source
access-list 15 pool NATPOOL refcount 1
 pool NATPOOL: netmask 255.255.255.0
        start 172.16.1.100 end 172.16.1.150
        type generic, total addresses 2, allocated 1 (50%), misses 9
Router#

The "Hits" field shows the total number of times that the router has had to create new translation table entries. The "Misses" field counts the exceptions. In this case, there is an access list that excludes certain internal IP addresses.


  Previous section   Next section
Top