Verifying and Troubleshooting the NAT Configuration
There are two commands used to verify the NAT configuration on a router. The show ip nat translations command shows the translations in the NAT table. The following is an example of its output:

    Border#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    --- 200.1.1.25         10.1.1.25          ---                ---
    --- 200.1.1.26         10.1.1.25          ---                ---
    tcp 200.1.1.50:25      10.1.1.50:25       206.1.1.25:25      206.1.1.25:25
    tcp 200.1.1.51:514     10.1.1.51:514      155.1.9.6:1021     155.1.9.6:1021
    Border#

Adding the verbose keyword at the end of the command displays more information about each NAT table entry: how long ago the entry was created, when it was last used, and how long before the entry will expire. The following is the output with the verbose keyword added:

    Border#show ip nat translations verbose
    Pro Inside global      Inside local       Outside local      Outside global
    --- 200.1.1.25         10.1.1.25          ---                ---
        create 2d18h, use 2d18h, flags: static, use_count: 0
    --- 200.1.1.26         10.1.1.26          ---                ---
        create 2d18h, use 2d18h, flags: static, use_count: 0
    tcp 200.1.1.50:25      10.1.1.50:25       206.1.1.25:25      206.1.1.25:25
        create 05:53:05, use 05:53:05, left 18:06:54, flags: extended, use_count: 0
    tcp 200.1.1.51:514     10.1.1.51:514      155.1.9.6:1021     155.1.9.6:1021
        create 02:22:51, use 00:22:28, left 23:37:31, flags: extended, use_count: 0
    Border#

The second command displays the statistics and configuration information for NAT.
The show ip nat statistics command displays the following information about the NAT table:

    Border#show ip nat statistics
    Total active translations: 4 (2 static, 2 dynamic; 2 extended)
    Outside interfaces: Serial0
    Inside interfaces: Ethernet0
    Hits: 13654693  Misses: 42
    Expired translations: 1202
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list 12 pool outbound refcount 5
     pool outbound: netmask 255.255.255.0
            start 200.1.1.2 end 200.1.1.254
            type generic, total addresses 252, allocated 4 (2%), misses 0
    Border#

The debug ip nat command is used to troubleshoot NAT problems on the router. In the following output, notice that the inside local source address 10.1.1.25, which is translated to the inside global source address 200.1.1.25, is sending packets to the destination address 206.1.1.25. An arrow (->) indicates that an address in the packet was translated, and an asterisk (*) after NAT indicates that the packet was switched through the fast path. The first packet of a conversation is handled by the process-switched (slow) path; subsequent packets can be switched more quickly through the fast path. The following example shows the output of the debug ip nat command:

    Border#debug ip nat
    IP NAT debugging is on
    Border#
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [0]
    NAT: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [0]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [1]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [2]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [3]
    NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [1]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [4]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [5]
    NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [6]
    NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [2]
    Border#

Once debugging is enabled, it remains in effect until you turn it off with the no debug ip nat command; to turn off all debugging, use the undebug all command.
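When the router cannot be watched interactively, the same checks can be done offline on captured output. The following is an added example, not part of the chapter, that parses the verbose translation table and the debug ip nat lines shown above into records, recomputes the "Total active translations" counts that show ip nat statistics prints, and separates fast-path from process-switched packets. The sample input is copied from the chapter's output (with the printed line-continuation marks joined); the regular expressions and record layout are this example's own assumptions about the output format and should be checked against the IOS version in use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the chapter's "show ip nat translations verbose" output;
# the printed page's continuation marks are joined into single lines.
SHOW_TRANSLATIONS_VERBOSE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.25         10.1.1.25          ---                ---
    create 2d18h, use 2d18h, flags: static, use_count: 0
--- 200.1.1.26         10.1.1.26          ---                ---
    create 2d18h, use 2d18h, flags: static, use_count: 0
tcp 200.1.1.50:25      10.1.1.50:25       206.1.1.25:25      206.1.1.25:25
    create 05:53:05, use 05:53:05, left 18:06:54, flags: extended, use_count: 0
tcp 200.1.1.51:514     10.1.1.51:514      155.1.9.6:1021     155.1.9.6:1021
    create 02:22:51, use 00:22:28, left 23:37:31, flags: extended, use_count: 0
"""

# Copied from the chapter's "debug ip nat" output.
DEBUG_IP_NAT = """\
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [0]
NAT: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [0]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [1]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [2]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [3]
NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [1]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [4]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [5]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [6]
NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [2]
"""


@dataclass
class Translation:
    proto: str                  # "---" for a plain address mapping, else tcp/udp/...
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    flags: str = ""             # "static" or "extended" from the verbose detail line
    left: Optional[str] = None  # time until expiry; static entries have none


# Assumed layout: one entry line of five columns, optionally followed by an
# indented "create ..., use ..., [left ...,] flags: ..., use_count: N" line.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
DETAIL_RE = re.compile(
    r"^\s+create\s+\S+,\s+use\s+\S+,(?:\s+left\s+(\S+),)?\s+flags:\s+([^,]+),\s+use_count:\s+\d+"
)
DEBUG_RE = re.compile(r"^NAT(\*?): s=(\S+), d=(\S+) \[(\d+)\]$")


def parse_translations(text: str) -> List[Translation]:
    """Parse 'show ip nat translations [verbose]' into Translation records."""
    entries: List[Translation] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue  # blank line or column header
        detail = DETAIL_RE.match(line)
        if detail and entries:  # verbose detail belongs to the previous entry
            entries[-1].left = detail.group(1)
            entries[-1].flags = detail.group(2).strip()
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append(Translation(*entry.groups()))
    return entries


def summarize(entries: List[Translation]) -> Dict[str, int]:
    """Recompute the 'Total active translations' counts from the table itself."""
    static = sum(1 for e in entries if "static" in e.flags)
    extended = sum(1 for e in entries if e.proto != "---")  # port-level entries
    return {"total": len(entries), "static": static,
            "dynamic": len(entries) - static, "extended": extended}


def parse_debug(text: str) -> List[Dict[str, object]]:
    """Classify each debug line: '*' means fast path; '->' in the source field
    means the inside source was translated (inside to outside), '->' in the
    destination field means a reply was untranslated (outside to inside)."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line)
        if not m:
            continue
        star, src, dst, ident = m.groups()
        records.append({"fast_path": star == "*",
                        "direction": "outbound" if "->" in src else "inbound",
                        "src": src, "dst": dst, "id": int(ident)})
    return records


if __name__ == "__main__":
    table = parse_translations(SHOW_TRANSLATIONS_VERBOSE)
    print(summarize(table))
    for e in table:
        if e.left is not None:
            print(f"{e.inside_local} -> {e.inside_global} expires in {e.left}")
    debug = parse_debug(DEBUG_IP_NAT)
    print(sum(r["fast_path"] for r in debug), "fast-path of", len(debug), "packets")
```

Comparing summarize() against the router's own "Total active translations" line is a quick consistency check when the two commands are captured together; the expiry times from the verbose table show which dynamic entries a clear command would otherwise have to remove.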
Turning on debugging in a production router can have a significant impact on its performance. Occasionally, you will need to delete a NAT translation from the NAT table: sometimes NAT is configured properly, but translations need to be cleared and rebuilt to resolve a problem. Table 3.1 shows the commands used to clear the NAT table.