A few commands can be very useful in troubleshooting and verifying NAT. One of the more common commands is show ip nat translation. With it, you can verify one-to-one mappings as well as port address translation (PAT). If your translations are one-to-one, you only see inside global to inside local mappings. If you use PAT or overloading, you see additional details, such as protocol, ports, and outside addresses.

The following example shows the command in use with basic NAT:

    router#show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    --- 172.30.0.10        192.168.1.20       ---                ---
    --- 172.30.0.11        192.168.1.24       ---                ---

Next is an example with PAT or overloading. Notice that the inside local addresses are different, but the inside global remains the same. The port numbers are used to track the different conversations:

    router#show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 172.30.0.10:917    192.168.1.20:917   10.1.1.2:23        10.1.1.2:23
    tcp 172.30.0.10:713    192.168.1.25:713   10.1.1.3:23        10.1.1.3:23

The next command is show ip nat statistics, which displays the number and type of active translations. The key word there is active; as translations are added or terminated, the statistics increment or decrement appropriately. It also shows you the number of times a translation appears in the table (a hit) or whether a new entry needs to be built (a miss).
Here is a sample output from the show ip nat statistics command:

    router#show ip nat statistics
    Total active translations: 1 (1 static, 0 dynamic; 0 extended)
    Outside interfaces: Ethernet0, Serial2.5
    Inside interfaces: Ethernet1
    Hits: 5  Misses: 0
    Expired translations: 0
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool small-range refcount 0
     pool small-range: netmask 255.255.255.0
            start 172.30.1.5 end 172.30.1.25
            type generic, total addresses 2, allocated 0 (0%), misses 0

You can use the clear ip nat translation command in a number of different ways: with a * to clear all translations, or with inside or outside to clear all translations to a specific inside or outside address. You can be as granular as you need, all the way down to the protocol and port level, by using the protocol and port options. Being specific allows you to leave current translations active while dropping only the ones you want.

There is also a debug command, debug ip nat, which takes one option: detailed. With debug ip nat detailed, you get additional information about active NAT sessions, such as protocols and ports. Without detailed, you only see basic translation entries being built. As with most debugging commands, use them only for troubleshooting and verification, and turn them off as soon as possible so you don't affect the performance of the router.

Here is output of the debug ip nat command during two ping packets and their responses:

    NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [0]
    NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [0]
    NAT: s=192.168.1.1->172.30.1.1, d=172.30.1.10 [1]
    NAT: s=172.30.1.10, d=172.30.1.1->192.168.1.1 [1]
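The show ip nat translation table described earlier can also be read programmatically, for example to trace a public address and port seen in outside logs back to the inside host behind it. The following Python is an added example, not part of the original text; the function names are hypothetical, and the sample table is constructed by combining rows from the two outputs shown on this page.

```python
# Added example; SAMPLE is constructed from the two tables shown on this page.
from collections import defaultdict

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 172.30.0.11        192.168.1.24       ---                ---
tcp 172.30.0.10:917    192.168.1.20:917   10.1.1.2:23        10.1.1.2:23
tcp 172.30.0.10:713    192.168.1.25:713   10.1.1.3:23        10.1.1.3:23
"""

def split_endpoint(field):
    """'172.30.0.10:917' -> ('172.30.0.10', 917); '---' -> (None, None)."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, int(port) if port else None

def parse_translations(text):
    """Return one dict per table row; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, prompt and blank lines do not have 5 fields
        pro, ig, il, ol, og = cols
        g = split_endpoint(ig)
        entries.append({
            "proto": None if pro == "---" else pro,
            "inside_global": g,
            "inside_local": split_endpoint(il),
            "outside_global": split_endpoint(og),
            "pat": g[1] is not None,  # ports present: PAT/overload entry
        })
    return entries

def hosts_per_global(entries):
    """Inside global address -> sorted inside local hosts that share it."""
    shared = defaultdict(set)
    for e in entries:
        shared[e["inside_global"][0]].add(e["inside_local"][0])
    return {g: sorted(h) for g, h in shared.items()}

def find_inside_host(entries, proto, global_addr, global_port):
    """Map a public addr:port seen outside back to its inside local endpoint."""
    for e in entries:
        if e["proto"] == proto and e["inside_global"] == (global_addr, global_port):
            return e["inside_local"]
    return None
```

Because the table only holds active translations, a lookup like this works only against output captured while the conversation in question was still in the table.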