Checking NAT Status

Problem

You want to see the current NAT information.

Solution

There are several useful EXEC commands for checking the status of NAT on a router. You can view the NAT translation table by using the following command:

Router#show ip nat translation

You can clear all or part of the NAT translation table by specifying either a * or a particular address. To clear a specific entry, you must specify either the global address for a device that is inside, or a local address for a device that is outside:

Router#clear ip nat translation *
Router#clear ip nat translation inside 172.18.3.2
Router#clear ip nat translation outside 192.168.1.10

You will often want to look at NAT statistics, including information on which interfaces use NAT, how many entries are in the NAT table, how often they have been used, and, most importantly, how often packets have bypassed NAT. The command to see this is show ip nat statistics:

Router#show ip nat statistics

And you can clear these statistics as follows:

Router#clear ip nat statistics

 

Discussion

The NAT translation table contains information about every translation that the router is currently tracking. In this example, you can see that there have been two connections between the interior device 192.168.1.10 and the exterior device 172.18.3.2. The first of these connections is shown as ICMP:

Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776 172.18.3.2:21776
tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23
--- 172.16.1.10 192.168.1.15 --- ---
--- 172.16.1.11 192.168.1.16 --- ---
Router#

This command shows only the currently active NAT table entries. You can see, for example, that it translates the inside local address 192.168.1.10 to the inside global address 172.16.1.100. But this router isn't configured to translate outside addresses, so the outside local address is the same as the outside global addresses. As we discussed in Recipe 21.10, the router removes dynamic NAT entries after a defined period of time. For example, by default the router will delete NAT entries for TCP connections after 24 hours.

The output has five columns. The first is the protocol. This column is blank unless you use the overload option in your NAT configuration. The "Inside global" address column is the translated address of an internal device. The "Inside local" column, on the other hand, shows the real internal address for the same device. The "Outside local" column shows the translated addresses of external devices, while "Outside global" shows their real addresses.

This can be a little bit confusing at first sight. The real address on the inside is "local," and the translated address is "global," while the real address on the outside is "global," and it is translated to a "local" address. You can resolve this confusion by remembering that global addresses are always on the outside, and local addresses are on the inside.

The last two rows represent simple static NAT entries. It shows, for example, that the internal device whose real address is 192.168.1.15 is translated to 172.16.1.10 when its packets pass through this router. There are no external addresses listed for this entry. Because it is a static entry, this translation is the same for any external device. However, the row immediately above this one shows all four entries:

tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23

This line includes a lot of useful information. The first column indicates that this row represents a TCP connection, and that the translation is a dynamic entry. On the inside, the source address is 192.168.1.10, and the source TCP port it 1029, while the destination is 172.18.3.2, and the destination port is 23. On the outside, the destination address and port are the same, but the source address is rewritten as 172.16.1.100, and the source port is 1029.

The verbose keyword makes this command show age information about each table entry:

Router#show ip nat translation verbose
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776 172.18.3.2:21776
192.168.3.2:4235
 create 00:00:36, use 00:00:36, left 00:00:23, flags: extended
tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23
 create 00:00:15, use 00:00:13, left 00:00:46, flags: extended, timing-out
--- 172.16.1.10 192.168.1.15 --- ---
 create 1d00h, use 00:23:08, flags: static
--- 172.16.1.11 192.168.1.16 --- ---
 create 1d00h, use 00:15:28, flags: static
Router#

This level of detail is most useful when you are trying to diagnose NAT table timeout issues.

The show ip nat statistics command includes useful information about the translation configuration. The following example shows one external and two internal interfaces, with a dynamic NAT pool that runs from 172.16.1.100 to 172.16.1.150:

Router#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 1 extended)
Outside interfaces:
 Ethernet0/0
Inside interfaces:
 FastEthernet0/0, FastEthernet0/1
Hits: 2628 Misses: 44
Expired translations: 37
Dynamic mappings:
-- Inside Source
access-list 15 pool NATPOOL refcount 1
 pool NATPOOL: netmask 255.255.255.0
 start 172.16.1.100 end 172.16.1.150
 type generic, total addresses 2, allocated 1 (50%), misses 9
Router#

The Hits field shows the total number of times that the router has had to create new translation table entries. The Misses field counts the exceptions. In this case, there is an access-list that excludes certain internal IP addresses.

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net