

The "Big show" and "Big D" for NAT

The "big show" commands for NAT are show ip nat translations, for detailed NAT table listings, and show ip nat statistics, for a broader view of the translations occurring on the router.

The show ip nat translations command displays all NAT translations on the router. It lists the protocol, along with the inside and outside global and local translations. Example 15-8 demonstrates the use of the command from the previous Easy IP model. This example shows two workstations, 172.16.1.10 and 172.16.1.11, accessing two hosts on the Internet, using the same inside global address, 206.191.194.42. The address 206.191.194.42 was the address assigned dynamically from the ISP when you connected.

Example 15-8 show ip nat translations Command Output
    easyip_router# show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 206.191.194.42:1169 172.16.1.10:1169  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1168 172.16.1.10:1168  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1171 172.16.1.10:1171  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1170 172.16.1.10:1170  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1173 172.16.1.10:1173  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1172 172.16.1.10:1172  198.133.219.25:80  198.133.219.25:80
    tcp 206.191.194.42:1167 172.16.1.10:1167  198.133.219.25:80  198.133.219.25:80
    udp 206.191.194.42:1050 172.16.1.11:1050  206.191.193.1:53   206.191.193.1:53
    udp 206.191.194.42:1048 172.16.1.11:1048  206.191.193.1:53   206.191.193.1:53
    udp 206.191.194.42:1049 172.16.1.11:1049  206.191.193.1:53   206.191.193.1:53
    udp 206.191.194.42:1046 172.16.1.11:1046  206.191.193.1:53   206.191.193.1:53
    udp 206.191.194.42:1044 172.16.1.11:1044  206.191.193.1:53   206.191.193.1:53
    tcp 206.191.194.42:1045 172.16.1.11:1045  63.251.8.23:80     63.251.8.23:80
    udp 206.191.194.42:1057 172.16.1.11:1057  206.191.193.1:53   206.191.193.1:53
    easyip_router#

NOTE

The easiest way to test NAT in any of the three configurations is to test for IP connectivity from the inside network to a host on the outside network. This can be accomplished with a source ping, assuming that you're translating ICMP traffic.


The show ip nat statistics command summarizes NAT's operation on the router. It lists the active translations and tells whether they are static, dynamic, or extended. This command also shows the NAT inside and outside interfaces. Example 15-9 lists the output of this command on the easy_ip router.

Example 15-9 show ip nat statistics Command
    easyip_router# show ip nat statistics
    Total active translations: 12 (0 static, 12 dynamic; 12 extended)
    Outside interfaces:
      BRI0:1, BRI0:2, Dialer10, Virtual-Access1
    Inside interfaces:
      Ethernet0
    Hits: 2304  Misses: 190
    Expired translations: 134
    Dynamic mappings:
    -- Inside Source
    access-list 10 interface Dialer10 refcount 12

In this example, the translations are all dynamic and extended. In the output, Hits refers to the number of times that Cisco IOS Software does a translation table lookup and finds an entry, whereas Misses refers to the number of times that it fails to find an existing translation and must create a new one. Expired translations lists a cumulative count of translations that have expired since the router was booted.

The show ip nat translations verbose command displays more detailed information about each translation than the show ip nat translations command, including the time it was created, the time it was in use, and expiration time. Any flags, such as extended port translation, are also noted. Example 15-10 lists the output of the command from the previous Easy IP example.

Example 15-10 show ip nat translations verbose Command Output
    easyip_router# show ip nat translations verbose
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 206.191.194.42:1066 172.16.1.11:1066  128.11.25.241:80   128.11.25.241:80
        create 00:00:23, use 00:00:22, left 23:59:37, flags:extended
    tcp 206.191.194.42:1063 172.16.1.11:1063  128.11.25.252:80   128.11.25.252:80
        create 00:00:23, use 00:00:23, left 23:59:36, flags:extended
    tcp 206.191.194.42:1065 172.16.1.11:1065  128.11.25.241:80   128.11.25.241:80
        create 00:00:23, use 00:00:23, left 23:59:36, flags:extended
    easyip_router#
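
The following Python sketch is an added example, not part of the original text: it parses output in the format of Examples 15-8 and 15-10 so that a public address and port recorded by an outside server can be traced back to the inside host that owned the translation. The function names are hypothetical and the sample rows are constructed from the examples above.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows in the format of Examples 15-8 and 15-10.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 206.191.194.42:1169 172.16.1.10:1169  198.133.219.25:80  198.133.219.25:80
udp 206.191.194.42:1050 172.16.1.11:1050  206.191.193.1:53   206.191.193.1:53
tcp 206.191.194.42:1066 172.16.1.11:1066  128.11.25.241:80   128.11.25.241:80
    create 00:00:23, use 00:00:22, left 23:59:37, flags:extended
"""

# One translation row: protocol followed by the four address columns.
ROW = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Timer line printed under each row by the verbose form of the command.
TIMERS = re.compile(r"create (\S+), use (\S+), left (\S+), flags:\s*(.*)$")
KEYS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")

def parse_translations(text):
    """Return one dict per translation; verbose timer lines attach to the row above."""
    entries = []
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:
            entries.append(dict(zip(KEYS, row.groups())))
            continue
        timers = TIMERS.search(line)
        if timers and entries:
            entries[-1].update(zip(("create", "use", "left", "flags"), timers.groups()))
    return entries

def inside_host_for(entries, proto, inside_global):
    """Map a public address:port (as an outside server logged it) to the inside host."""
    for e in entries:
        if e["proto"] == proto and e["inside_global"] == inside_global:
            return e["inside_local"]
    return None

def sessions_per_host(entries):
    """Count active translations per inside local IP address."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["inside_local"].rsplit(":", 1)[0]] += 1
    return dict(counts)
```

Because dynamic entries expire, the lookup only works against a table captured while the translation was still active.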

A limited number of debugs are available for NAT, and they all stem from the debug ip nat command. The syntax is as follows:

    debug ip nat [detailed]

The debug ip nat command displays each individual port and address pair association of all active translations. The detailed variation of this command adds additional information with an interface perspective. It also displays port negotiation messages. A heavy warning is warranted to anyone using this command on a production router: The output from a single workstation can be high. Notice in Example 15-11 how many messages are generated per millisecond on a single workstation. Use this command only to track down specific NAT problems.

Example 15-11 debug ip nat detailed Output from the easy_ip Router
    easyip_router# debug ip nat detailed
    IP NAT detailed debugging is on
    00:24:07: NAT: i: udp (172.16.1.10, 137) -> (206.191.193.1, 53) [25601]
    00:24:07: NAT: ipnat_allocate_port: wanted 137 got 137
    00:24:07: NAT: s=172.16.1.10->206.191.194.42, d=206.191.193.1 [25601]
    00:24:07: NAT: o: udp (206.191.193.1, 53) -> (206.191.194.42, 137) [44225]
    00:24:07: NAT: s=206.191.193.1, d=206.191.194.42->172.16.1.10 [44225]
    00:24:51: NAT: i: udp (172.16.1.10, 1046) -> (206.191.193.1, 53) [25857]
    00:24:51: NAT: ipnat_allocate_port: wanted 1046 got 1046
    00:24:51: NAT: s=172.16.1.10->206.191.194.42, d=206.191.193.1 [25857]
    00:24:51: NAT: o: udp (206.191.193.1, 53) -> (206.191.194.42, 1046) [22909]
    00:24:51: NAT: s=206.191.193.1, d=206.191.194.42->172.16.1.10 [22909]
    00:24:51: NAT: i: udp (172.16.1.10, 1047) -> (206.191.193.1, 53) [26113]
    00:24:51: NAT: ipnat_allocate_port: wanted 1047 got 1047
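
As an added example (not from the original text), the Python sketch below reads buffered debug lines in the format of Example 15-11, rebuilds one record per packet, and reports flows whose allocated port differs from the port the inside host requested, which matters when matching host logs against outside logs. It assumes the bracketed number is the packet's IP identification value and that an ipnat_allocate_port line belongs to the inside packet logged just before it; the function names are hypothetical.

```python
import re

# Constructed debug lines in the format of Example 15-11. The last flow, where the
# requested port was not the one allocated, is invented to exercise the remap case.
SAMPLE = """\
00:24:07: NAT: i: udp (172.16.1.10, 137) -> (206.191.193.1, 53) [25601]
00:24:07: NAT: ipnat_allocate_port: wanted 137 got 137
00:24:07: NAT: s=172.16.1.10->206.191.194.42, d=206.191.193.1 [25601]
00:24:07: NAT: o: udp (206.191.193.1, 53) -> (206.191.194.42, 137) [44225]
00:24:07: NAT: s=206.191.193.1, d=206.191.194.42->172.16.1.10 [44225]
00:24:51: NAT: i: udp (172.16.1.11, 1046) -> (206.191.193.1, 53) [25857]
00:24:51: NAT: ipnat_allocate_port: wanted 1046 got 1024
00:24:51: NAT: s=172.16.1.11->206.191.194.42, d=206.191.193.1 [25857]
"""

PKT = re.compile(r"NAT: ([io]): (\w+) \((\S+), (\d+)\) -> \((\S+), (\d+)\) \[(\d+)\]")
ALLOC = re.compile(r"ipnat_allocate_port: wanted (\d+) got (\d+)")
XLATE = re.compile(r"NAT: s=(\S+?)(?:->(\S+?))?, d=(\S+?)(?:->(\S+?))? \[(\d+)\]")

def parse_debug(text):
    """Rebuild one record per packet, joined on the bracketed identification value."""
    packets, by_ident, last_inside = [], {}, None
    for line in text.splitlines():
        if m := PKT.search(line):
            d, proto, src, sport, dst, dport, ident = m.groups()
            pkt = {"dir": d, "proto": proto, "src": (src, int(sport)),
                   "dst": (dst, int(dport)), "ident": ident}
            packets.append(pkt)
            by_ident[ident] = pkt
            # Only an inside-to-outside packet can trigger a port allocation.
            last_inside = pkt if d == "i" else None
        elif (m := ALLOC.search(line)) and last_inside is not None:
            last_inside["wanted"], last_inside["got"] = int(m[1]), int(m[2])
        elif (m := XLATE.search(line)) and m[5] in by_ident:
            # Group 2 is the translated source, group 4 the translated destination.
            by_ident[m[5]]["src_xlate"], by_ident[m[5]]["dst_xlate"] = m[2], m[4]
    return packets

def remapped_ports(packets):
    """Inside flows whose allocated port differs from the port the host requested."""
    return [(p["src"], p["got"]) for p in packets
            if "got" in p and p["got"] != p["wanted"]]
```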

CAUTION

Use the debug ip nat commands with extreme caution. A single workstation can generate several entries per millisecond. Use the command with the logging buffered global configuration command.




CCIE Practical Studies, Volume I
ISBN: 1587200023
Year: 2001
Pages: 283
Authors: Karl Solie
