Finding Feature Information

Prerequisites for Monitoring and Maintaining NAT

Restrictions for Monitoring and Maintaining NAT

Information About Monitoring and Maintaining NAT

Device> enable

Device# show ip nat translations

Device# show ip nat statistics

Device# show ip nat translations

Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
Total number of translations: 3

Device# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80350, use_count:1
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef801b0, use_count:1
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80280, use_count:1
Total number of translations: 3

Device# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) 
Outside interfaces: 
GigabitEthernet0/3/0 
Inside interfaces: 
GigabitEthernet0/3/1 
Hits: 3228980 Misses: 3 
CEF Translated packets: 0, CEF Punted packets: 0 
Expired translations: 0 
Dynamic mappings: 
-- Inside Source 
[Id: 1] access-list 1 pool pool1 refcount 3 
  pool pool1: netmask 255.255.255.0 
  start 198.168.1.1 end 198.168.254.254 
  type generic, total addresses 254, allocated 0 (0%), misses 0 
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256 
  Pool stats drop: 0 Mapping stats drop: 0 
  Port block alloc fail: 0 
  IP alias add fail: 0 
  Limit entry add fail: 0 

Device> enable

Device# clear ip nat translation inside 192.168.2.209 192.168.2.95 outside 192.168.2.100 192.168.2.101

Device# clear ip nat translation outside 192.168.2.100 192.168.2.80

Device # clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53

Device# clear ip nat translation * 

Device# clear ip nat translation inside 192.168.2.209 192.168.2.195 forced

Device# clear ip nat translation outside 192.168.2.100 192.168.2.80 forced

Device# show ip nat translation
Pro Inside global        Inside local         Outside local      Outside global
udp 192.168.2.20:1220  		192.168.2.95:1220    192.168.2.22:53 			192.168.2.20:53
tcp 192.168.2.20:11012   192.168.2.209:11012  171.69.1.220:23    192.168.2.20:23
tcp 192.168.2.20:1067    192.168.2.20:1067    192.168.2.20:23    192.168.2.20:23

Device# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 outside 192.168.2.20:23 192.168.2.20:23
Device# show ip nat translation
 
Pro Inside global      Inside local        Outside local      Outside global
udp 192.168.2.20:1220  192.168.2.95:1220   192.168.2.22:53 			192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23    192.168.2.20:23

Contents

• Monitoring and Maintaining NAT
• Finding Feature Information
• Prerequisites for Monitoring and Maintaining NAT
• Restrictions for Monitoring and Maintaining NAT
• Information About Monitoring and Maintaining NAT
• NAT Display Contents
• Translation Entries
• Statistical Information
• How to Monitor and Maintain NAT
• Displaying NAT Translation Information
• Clearing NAT Entries Before the Timeout
• Examples for Monitoring and Maintaining NAT
• Example: Clearing UDP NAT Translations
• Where to Go Next
• Additional References for Monitoring and Maintaining NAT
• Feature Information for Monitoring and Maintaining NAT

Monitoring and Maintaining NAT

---

This module describes how to:

• Monitor Network Address Translation (NAT) using translation information and statistical displays.
• Maintain NAT by clearing NAT translations before the timeout has expired.
• Enable the logging of NAT translation by way of syslog to log and track system error messages, exceptions, and other information.

• Finding Feature Information
• Prerequisites for Monitoring and Maintaining NAT
• Restrictions for Monitoring and Maintaining NAT
• Information About Monitoring and Maintaining NAT
• How to Monitor and Maintain NAT
• Examples for Monitoring and Maintaining NAT
• Where to Go Next
• Additional References for Monitoring and Maintaining NAT
• Feature Information for Monitoring and Maintaining NAT

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Monitoring and Maintaining NAT

Before performing the tasks in this module, you must be familiar with the concepts described in the “Configuring NAT for IP Address Conservation” module and have NAT configured in your network.

Restrictions for Monitoring and Maintaining NAT

Syslog for Network Address Translation (NAT) is not supported.

Information About Monitoring and Maintaining NAT

• NAT Display Contents

NAT Display Contents

There are two basic types of IP Network Address Translation (NAT) translation information:

• Translation Entries
• Statistical Information

Translation Entries

Translation entry information includes the following:

• The protocol of the port identifying the address.
• The legitimate IP address that represents one or more inside local IP addresses to the outside world.
• The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider.
• The IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.
• The IP address assigned to a host on the outside network by its owner.
• The time since the entry was created (in hours:minutes:seconds).
• The time since the entry was last used (in hours:minutes:seconds).
• Flags indicating the type of translation. Possible flags are:

  • extended—Extended translation.
  • static—Static translation.
  • destination—Rotary translation.
  • outside—Outside translation.
  • timing out—Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.

Statistical Information

Statistical information includes the following:

• The total number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.
• A list of interfaces marked as outside with the ip nat outside command.
• A list of interfaces marked as inside with the ip nat inside command.
• The number of times the software does a translations table lookup and finds an entry.
• The number of times the software does a translations table lookup, fails to find an entry, and must try to create one.
• A cumulative count of translations that have expired since the router was booted.
• Information about dynamic mappings.
• Information about an inside source translation.
• The access list number being used for the translation.
• The name of the pool.
• The number of translations using this pool.
• The IP network mask being used in the pool.
• The starting IP address in the pool range.
• The ending IP address in the pool range.
• The type of pool. Possible types are generic or rotary.
• The number of addresses in the pool available for translation.
• The number of addresses being used.
• The number of failed allocations from the pool.

NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved by using one of the following options:

• By having a physical interface or virtual LAN (VLAN) with the logging option
• By using NetFlow

How to Monitor and Maintain NAT

• Displaying NAT Translation Information
• Clearing NAT Entries Before the Timeout

Displaying NAT Translation Information

SUMMARY STEPS

1.    enable


2.    show ip nat translations [verbose]


3.    show ip nat statistics

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	show ip nat translations [verbose] Example: Device# show ip nat translations	(Optional) Displays active NAT translations.
Step 3	show ip nat statistics Example: Device# show ip nat statistics	(Optional) Displays active NAT translation statistics.

Example:

The following is sample output from the show ip nat translations command:

Device# show ip nat translations

Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
Total number of translations: 3

The following is sample output from the show ip nat translations verbose command:

Device# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80350, use_count:1
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef801b0, use_count:1
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80280, use_count:1
Total number of translations: 3

The following is sample output from the show ip nat statistics command:

Device# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) 
Outside interfaces: 
GigabitEthernet0/3/0 
Inside interfaces: 
GigabitEthernet0/3/1 
Hits: 3228980 Misses: 3 
CEF Translated packets: 0, CEF Punted packets: 0 
Expired translations: 0 
Dynamic mappings: 
-- Inside Source 
[Id: 1] access-list 1 pool pool1 refcount 3 
  pool pool1: netmask 255.255.255.0 
  start 198.168.1.1 end 198.168.254.254 
  type generic, total addresses 254, allocated 0 (0%), misses 0 
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256 
  Pool stats drop: 0 Mapping stats drop: 0 
  Port block alloc fail: 0 
  IP alias add fail: 0 
  Limit entry add fail: 0 

Clearing NAT Entries Before the Timeout

By default, dynamic address translations will time out from the NAT translation table at some point. Perform this task to clear the entries before the timeout.

SUMMARY STEPS

1.    enable


2.    clear ip nat translation inside global-ip local-ip outside local-ip global-ip


3.    clear ip nat translation outside global-ip local-ip


4.    clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port


5.    clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}


6.    clear ip nat translation inside global-ip local-ip [forced]


7.    clear ip nat translation outside local-ip global-ip [forced]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	clear ip nat translation inside global-ip local-ip outside local-ip global-ip Example: Device# clear ip nat translation inside 192.168.2.209 192.168.2.95 outside 192.168.2.100 192.168.2.101	(Optional) Clears a single dynamic half-entry containing an inside translation or both an inside and outside translation created in a dynamic configuration. A dynamic half-entry is cleared only if it does not have any child translations.
Step 3	clear ip nat translation outside global-ip local-ip Example: Device# clear ip nat translation outside 192.168.2.100 192.168.2.80	(Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration. A dynamic half-entry is cleared only if it does not have any child translations.
Step 4	clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port Example: Device # clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53	(Optional) Clears a UDP translation entry.
Step 5	clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]} Example: Device# clear ip nat translation *	(Optional) Clears either all dynamic translations (with the * or forced keyword), a single dynamic half-entry containing an inside translation, or a single dynamic half-entry containing an outside translation. A single dynamic half-entry is cleared only if it does not have any child translations.
Step 6	clear ip nat translation inside global-ip local-ip [forced] Example: Device# clear ip nat translation inside 192.168.2.209 192.168.2.195 forced	(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation. A dynamic half-entry is always cleared, regardless of whether it has any child translations.
Step 7	clear ip nat translation outside local-ip global-ip [forced] Example: Device# clear ip nat translation outside 192.168.2.100 192.168.2.80 forced	(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration. A dynamic half-entry is always cleared, regardless of whether it has any child translations.

Examples for Monitoring and Maintaining NAT

• Example: Clearing UDP NAT Translations

Example: Clearing UDP NAT Translations

The following example shows the Network Address Translation (NAT) entries before and after the UDP entry is cleared:

Device# show ip nat translation
Pro Inside global        Inside local         Outside local      Outside global
udp 192.168.2.20:1220  		192.168.2.95:1220    192.168.2.22:53 			192.168.2.20:53
tcp 192.168.2.20:11012   192.168.2.209:11012  171.69.1.220:23    192.168.2.20:23
tcp 192.168.2.20:1067    192.168.2.20:1067    192.168.2.20:23    192.168.2.20:23

Device# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 outside 192.168.2.20:23 192.168.2.20:23
Device# show ip nat translation
 
Pro Inside global      Inside local        Outside local      Outside global
udp 192.168.2.20:1220  192.168.2.95:1220   192.168.2.22:53 			192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23    192.168.2.20:23

Where to Go Next

• To configure NAT for use with application level gateways, see the “Using Application Level Gateways with NAT” module.
• To integrate NAT with MPLS VPNs, see the “Integrating NAT with MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.

Additional References for Monitoring and Maintaining NAT

Related Documents

Related Topic	Document Title
Cisco IOS commands	Cisco IOS Master Command List, All Releases
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples	Cisco IOS IP Addressing Services Command Reference
NAT for IP address conservation	“Configuring NAT for IP Address Conservation” module

Technical Assistance

Description	Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.	http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

Feature Information for Monitoring and Maintaining NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Monitoring and Maintaining NAT

Feature Name	Releases	Feature Information
NAT—Forced Clear of Dynamic NAT Half-Entries	12.2(15)T	A second forced keyword was added to the clear ip nat translation command to enable the removal of half-entries regardless of whether they have any child translations.