NAT Troubleshooting

A few commands can be very useful in troubleshooting and verifying NAT. One of the more common commands is show ip nat translation. With it, you can verify one-to-one mappings as well as port address translation (PAT). If your translations are one-to-one, you only see inside global to inside local mappings. If you use PAT or overloading, you see additional details, such as protocol, ports, and outside addresses. The following example shows the command in use with basic NAT:

    router#show ip nat translation
    Pro Inside global     Inside local   Outside local  Outside global
    --- 172.30.0.10       192.168.1.20   ---            ---
    --- 172.30.0.11       192.168.1.24   ---            ---

Next is an example with PAT or overloading. Notice that the inside local addresses are different, but the inside global remains the same. The port numbers are used to track the different conversations:

    router#show ip nat translation
    Pro Inside global     Inside local      Outside local  Outside global
    tcp 172.30.0.10:917   192.168.1.20:917  10.1.1.2:23    10.1.1.2:23
    tcp 172.30.0.10:713   192.168.1.25:713  10.1.1.3:23    10.1.1.3:23
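When an external log or alert names only an inside global address and port, the translation table is what maps it back to the inside host. The following added example (not from the book) parses both table layouts shown above, flags inside global addresses that are being overloaded, and resolves an observed (protocol, inside global, port) tuple to the inside local host; the sample table is constructed from the rows in the two outputs above.

```python
from collections import defaultdict

# Constructed sample modelled on the outputs above: one one-to-one entry
# (no protocol or ports) and two PAT entries sharing inside global 172.30.0.10.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local   Outside global
--- 172.30.0.11        192.168.1.24       ---             ---
tcp 172.30.0.10:917    192.168.1.20:917   10.1.1.2:23     10.1.1.2:23
tcp 172.30.0.10:713    192.168.1.25:713   10.1.1.3:23     10.1.1.3:23
"""

def _addr_port(field):
    """Split 'a.b.c.d:port' into (addr, port); '---' and port-less fields give None parts."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, int(port) if port else None

def parse_nat_table(text):
    """Parse show ip nat translation output into one dict per row."""
    names = ("inside_global", "inside_local", "outside_local", "outside_global")
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":   # skip header, blank and ragged lines
            continue
        row = {"proto": None if cols[0] == "---" else cols[0]}
        for name, field in zip(names, cols[1:]):
            row[name], row[name + "_port"] = _addr_port(field)
        rows.append(row)
    return rows

def overloaded_globals(rows):
    """Inside global addresses shared by more than one inside host, i.e. PAT in use."""
    locals_by_global = defaultdict(set)
    for r in rows:
        if r["proto"] is not None:                # only extended (PAT) entries carry ports
            locals_by_global[r["inside_global"]].add(r["inside_local"])
    return {g for g, hosts in locals_by_global.items() if len(hosts) > 1}

def inside_host_for(rows, proto, inside_global, port):
    """Map an externally observed (proto, inside global addr, port) back to (inside local addr, port)."""
    for r in rows:
        if (r["proto"], r["inside_global"], r["inside_global_port"]) == (proto, inside_global, port):
            return r["inside_local"], r["inside_local_port"]
    return None                                   # no active translation: entry may have expired

if __name__ == "__main__":
    rows = parse_nat_table(SAMPLE_TABLE)
    print("overloaded:", overloaded_globals(rows))
    print("172.30.0.10:713 ->", inside_host_for(rows, "tcp", "172.30.0.10", 713))
```

Because the table holds only active entries, a lookup that returns None usually means the translation has already timed out, which is why the statistics and expiry counters discussed next matter when reconstructing past activity.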

The next command is show ip nat statistics, which displays the number and type of active translations. The key word there is active; as translations are added or terminated, the statistics increment or decrement appropriately. It also shows you the number of times a translation appears in the table (a hit) or whether a new entry needs to be built (a miss). Here is a sample output from the show ip nat statistics command:

    router#show ip nat statistics
    Total active translations: 1 (1 static, 0 dynamic; 0 extended)
    Outside interfaces:
      Ethernet0, Serial2.5
    Inside interfaces:
      Ethernet1
    Hits: 5  Misses: 0
    Expired translations: 0
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool small-range refcount 0
     pool small-range: netmask 255.255.255.0
            start 172.30.1.5 end 172.30.1.25
            type generic, total addresses 2, allocated 0 (0%), misses 0

You can use the clear ip nat translation command in a number of different ways: with a * to clear all translations or with inside or outside to clear all translations to a specific inside or outside address. You can be as granular as you need by getting all the way down to the protocol and port level using the protocol and port options. Being specific allows you to leave current translations active while dropping the ones you want.

There is also a debug command, debug ip nat, which has a single option: debug ip nat detailed. With the detailed option, you get additional information about active NAT sessions, such as protocols and ports. Without detailed, you only see basic translation entries being built. As with most debugging commands, use them only for troubleshooting and verification, and turn them off as soon as possible so you don't affect the performance of the router. Here is the output of the debug ip nat command during two ping packets and their responses:

    NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [0]
    NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [0]
    NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [1]
    NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [1]

CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003
Pages: 183