Monitoring and Maintaining NAT

Last Updated: November 29, 2012

The Monitoring and Maintaining NAT feature lets you monitor Network Address Translation (NAT) through translation-table and statistics displays, and lets you log NAT translations so that system error messages and exceptions can be tracked. It also helps you maintain NAT by clearing translation entries before they time out.

This module describes the Monitoring and Maintaining NAT feature.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Monitoring and Maintaining NAT

Before performing the tasks in this module, you must be familiar with the concepts described in the "Configuring NAT for IP Address Conservation" module and have NAT configured in your network.

Restrictions for Monitoring and Maintaining NAT

Syslog for Network Address Translation (NAT) is not supported.

Information About Monitoring and Maintaining NAT

NAT Display Contents

The two basic types of IP NAT translation information are described in the following sections:

Translation Entry Information

Translation entry information includes the following:

  • Protocol of the port identifying the address.
  • Legitimate IP address that represents one or more inside local IP addresses to the outside world.
  • IP address assigned to a host on the inside network; probably not a legitimate address assigned by the Network Information Center (NIC) or the service provider.
  • IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or the service provider.
  • IP address assigned to a host on the outside network by its owner.
  • Time since the entry was created (in hours:minutes:seconds).
  • Time since the entry was last used (in hours:minutes:seconds).
  • Flags indicating the type of translation. Possible flags are as follows:
    • destination--Rotary translation.
    • extended--Extended translation.
    • outside--Outside translation.
    • static--Static translation.
    • timing out--Translation will be aged out or removed soon because of a TCP finish (FIN) or reset (RST) flag.

Statistical Information

Statistical information includes the following:

  • Total number of translations that are active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.
  • List of interfaces that are marked as outside by using the ip nat outside command.
  • List of interfaces that are marked as inside by using the ip nat inside command.
  • Number of times the software does a translation table lookup and finds an entry.
  • Number of times the software does a translation table lookup, fails to find an entry, and must try to create one.
  • Cumulative count of translations that have expired since the device was booted.
  • Information about dynamic mappings.
  • Information about inside source translations.
  • Access list number that is used for translations.
  • Name of the address pool.
  • Number of translations that use this address pool.
  • IP network mask that is used by the address pool.
  • Starting IP address in the address pool range.
  • Ending IP address in the address pool range.
  • Type of address pool. Possible types are generic or rotary.
  • Number of addresses in the address pool that are available for translation.
  • Number of addresses that are used for translation.
  • Number of failed allocations from the pool.

Network Address Translation (NAT) does not support access control lists (ACLs) with the log option. To record the traffic that NAT translates, use one of the following instead:

  • A physical interface or VLAN with the logging option.
  • NetFlow.

NAT-Forced Clear of Dynamic NAT Half-Entries

The NAT-Forced Clear of Dynamic NAT Half-Entries feature lets you filter the display of the translation table by specifying an inside or outside address. It also introduces the clear ip nat translation forced command, which forcefully clears active dynamic Network Address Translation (NAT) half-entries even when they have child translations; without the forced keyword, a half-entry that still has child translations is not cleared.

How to Monitor and Maintain NAT

Displaying NAT Translation Information

SUMMARY STEPS

1.    enable

2.    show ip nat translations [verbose]

3.    show ip nat statistics


DETAILED STEPS

Step 1
enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2
show ip nat translations [verbose]

Example:

Device# show ip nat translations

(Optional) Displays active NAT translations. The verbose keyword adds the creation time, last-use time, timeout, map ID, and input interface for each entry.

Step 3
show ip nat statistics

Example:

Device# show ip nat statistics

(Optional) Displays NAT translation statistics, including the hit and miss counters, the expired-translation count, and the allocation state of each address pool.

Example:

The following is sample output from the show ip nat translations command:

Device# show ip nat translations

Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
Total number of translations: 3

The following is sample output from the show ip nat translations verbose command:

Device# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80350, use_count:1
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef801b0, use_count:1
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80280, use_count:1
Total number of translations: 3

The following is sample output from the show ip nat statistics command:

Device# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) 
Outside interfaces: 
GigabitEthernet0/3/0 
Inside interfaces: 
GigabitEthernet0/3/1 
Hits: 3228980 Misses: 3 
CEF Translated packets: 0, CEF Punted packets: 0 
Expired translations: 0 
Dynamic mappings: 
-- Inside Source 
[Id: 1] access-list 1 pool pool1 refcount 3 
  pool pool1: netmask 255.255.255.0 
  start 198.168.1.1 end 198.168.254.254 
  type generic, total addresses 254, allocated 0 (0%), misses 0 
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256 
  Pool stats drop: 0 Mapping stats drop: 0 
  Port block alloc fail: 0 
  IP alias add fail: 0 
  Limit entry add fail: 0 
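
The device does not export these counters on its own (syslog for NAT is not supported, see Restrictions), and Hits, Misses, and Expired translations are cumulative since boot, so a monitor has to poll show ip nat statistics and diff successive outputs. The following Python script is an added example, not part of this Cisco document: it parses a constructed first poll copied from the sample output above and an assumed second poll taken 60 seconds later, derives the translation-creation rate and pool utilization, and raises alerts on a creation spike, a nearly exhausted pool, failed allocations, and rising drop counters. The second poll's values and the alert thresholds are assumptions.

```python
"""Turn 'show ip nat statistics' output into monitoring signals.

Added example, not Cisco code. POLL_1 is constructed text copied from the
sample output on this page; POLL_2 is an assumed later poll of the same
device. Hits, Misses and Expired translations are cumulative since boot,
so two polls are diffed to obtain rates.
"""
import re

POLL_1 = """\
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
GigabitEthernet0/3/0
Inside interfaces:
GigabitEthernet0/3/1
Hits: 3228980 Misses: 3
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pool1 refcount 3
  pool pool1: netmask 255.255.255.0
  start 198.168.1.1 end 198.168.254.254
  type generic, total addresses 254, allocated 0 (0%), misses 0
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256
  Pool stats drop: 0 Mapping stats drop: 0
  Port block alloc fail: 0
  IP alias add fail: 0
  Limit entry add fail: 0
"""

# Assumed poll taken 60 s later: a burst of short-lived flows has filled pool1.
POLL_2 = (
    POLL_1
    .replace("Total active translations: 3 (0 static, 3 dynamic; 3 extended)",
             "Total active translations: 2503 (0 static, 2503 dynamic; 2503 extended)")
    .replace("Hits: 3228980 Misses: 3", "Hits: 5228980 Misses: 120003")
    .replace("Expired translations: 0", "Expired translations: 117500")
    .replace("allocated 0 (0%), misses 0", "allocated 254 (100%), misses 850")
    .replace("Pool stats drop: 0", "Pool stats drop: 850")
)

_TOTAL = re.compile(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic")
_HITS = re.compile(r"Hits: (\d+) Misses: (\d+)")
_EXPIRED = re.compile(r"Expired translations: (\d+)")
_IFACES = re.compile(r"(Outside|Inside) interfaces:\s*\n((?:[^\n:]*\n)*)")
_POOL = re.compile(
    r"pool (\S+): netmask \S+\s+start \S+ end \S+\s+type \w+, total addresses (\d+), "
    r"allocated (\d+) \(\d+%\), misses (\d+).*?Pool stats drop: (\d+) Mapping stats drop: (\d+)"
    r"\s+Port block alloc fail: (\d+)", re.S)


def parse_nat_statistics(text):
    """Extract the counters a monitor cares about into a plain dict."""
    active, static, dynamic = map(int, _TOTAL.search(text).groups())
    hits, misses = map(int, _HITS.search(text).groups())
    stats = {"active": active, "static": static, "dynamic": dynamic,
             "hits": hits, "misses": misses,  # a miss is a translation being created
             "expired": int(_EXPIRED.search(text).group(1)), "pools": {}}
    for side, names in _IFACES.findall(text):
        stats[side.lower() + "_interfaces"] = [n for n in re.split(r"[,\s]+", names) if n]
    for m in _POOL.finditer(text):
        total, alloc, pmiss, pdrop, mdrop, pbfail = map(int, m.group(2, 3, 4, 5, 6, 7))
        stats["pools"][m.group(1)] = {"total": total, "allocated": alloc,
                                      "misses": pmiss, "drops": pdrop + mdrop + pbfail}
    return stats


def derive(prev, cur, interval_s):
    """Per-second rates and pool utilization from two consecutive polls."""
    return {
        "new_translations_per_s": (cur["misses"] - prev["misses"]) / interval_s,
        "expired_per_s": (cur["expired"] - prev["expired"]) / interval_s,
        "pool_utilization": {n: p["allocated"] / p["total"] if p["total"] else 0.0
                             for n, p in cur["pools"].items()},
    }


def assess(prev, cur, interval_s, util_warn=0.9, new_rate_warn=50.0):
    """Alerts for a creation spike, a nearly exhausted pool, failed allocations and drops.
    Thresholds are assumptions; tune them to the device's normal rate."""
    d = derive(prev, cur, interval_s)
    alerts = []
    if d["new_translations_per_s"] > new_rate_warn:
        alerts.append(f"translation creation rate {d['new_translations_per_s']:.0f}/s, "
                      f"{cur['active']} active")
    for name, p in cur["pools"].items():
        q = prev["pools"].get(name, p)  # pool absent from the previous poll: no delta
        if d["pool_utilization"][name] >= util_warn:
            alerts.append(f"pool {name}: {d['pool_utilization'][name]:.0%} of "
                          f"{p['total']} addresses allocated")
        if p["misses"] - q["misses"] > 0:
            alerts.append(f"pool {name}: {p['misses'] - q['misses']} failed allocations since last poll")
        if p["drops"] - q["drops"] > 0:
            alerts.append(f"pool {name}: drop counters rose by {p['drops'] - q['drops']}")
    return alerts
```

A sudden jump in the creation rate with the active count climbing is the usual signature of a scanning or worm-infected inside host, while a full pool with failed allocations means new inside flows are silently failing; either case is worth correlating with the per-host breakdown from show ip nat translations.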

Clearing NAT Entries Before the Timeout

By default, dynamic address translations time out from the NAT translation table. However, you can clear the translation entries before the default timeout. Perform this task to clear the translation entries before the timeout.

SUMMARY STEPS

1.    enable

2.    clear ip nat translation inside global-ip local-ip

3.    clear ip nat translation outside local-ip global-ip

4.    clear ip nat translation udp inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port

5.    clear ip nat translation {* | forced | [inside global-ip local-ip] [outside local-ip global-ip]}

6.    clear ip nat translation inside global-ip local-ip [forced]

7.    clear ip nat translation outside local-ip global-ip [forced]


DETAILED STEPS

Step 1
enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2
clear ip nat translation inside global-ip local-ip

Example:

Device# clear ip nat translation inside 192.168.2.209 192.168.2.95

(Optional) Clears a single dynamic half-entry that contains an inside translation, or both the inside and the outside translation, created by a dynamic configuration.

  • A dynamic half-entry is cleared only if it has no child translations.

Step 3
clear ip nat translation outside local-ip global-ip

Example:

Device# clear ip nat translation outside 192.168.2.100 192.168.2.80

(Optional) Clears a single dynamic half-entry that contains an outside translation created by a dynamic configuration.

  • A dynamic half-entry is cleared only if it has no child translations.

Step 4
clear ip nat translation udp inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port

Example:

Device# clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53

(Optional) Clears a single UDP translation entry. The addresses and ports are given in the same order as the columns of the show ip nat translations display (inside global, inside local, outside local, outside global), with each port separated from its address by a space.

Step 5
clear ip nat translation {* | forced | [inside global-ip local-ip] [outside local-ip global-ip]}

Example:

Device# clear ip nat translation *

(Optional) Clears all dynamic translations (with the * or the forced keyword), a single dynamic half-entry that contains an inside translation, or a single dynamic half-entry that contains an outside translation.

  • A single dynamic half-entry is cleared only if it has no child translations.
  • Clearing all dynamic translations interrupts every session that depends on them; use it in a maintenance window or when the translation table itself is the problem.

Step 6
clear ip nat translation inside global-ip local-ip [forced]

Example:

Device# clear ip nat translation inside 192.168.2.209 192.168.2.95 forced

(Optional) Forcefully clears a single dynamic half-entry that contains an inside translation created by a dynamic configuration, together with its child translations, with or without its corresponding outside translation.

Step 7
clear ip nat translation outside local-ip global-ip [forced]

Example:

Device# clear ip nat translation outside 192.168.2.100 192.168.2.101 forced

(Optional) Forcefully clears a single dynamic half-entry that contains an outside translation created by a dynamic configuration, together with its child translations.

Configuration Examples for Monitoring and Maintaining NAT

Example: Clearing NAT Entries Before the Timeout

The following sample output from the show ip nat translations command displays the NAT entries before and after the UDP entry is cleared:

Device# show ip nat translations

Pro Inside global         Inside local         Outside local       Outside global
tcp 192.168.2.20:1220     192.168.2.95:1220    192.168.2.22:53     192.168.2.20:53
tcp 192.168.2.20:11012    192.168.2.209:11012  171.69.1.220:23     192.168.2.20:23
udp 192.168.2.20:1067     192.168.2.20:1067    192.168.2.20:23     192.168.2.20:23

Device# clear ip nat translation udp inside 192.168.2.20 1067 192.168.2.20 1067 outside 192.168.2.20 23 192.168.2.20 23

Device# show ip nat translations

Pro Inside global         Inside local         Outside local       Outside global
tcp 192.168.2.20:1220     192.168.2.95:1220    192.168.2.22:53     192.168.2.20:53
tcp 192.168.2.20:11012    192.168.2.209:11012  171.69.1.220:23     192.168.2.20:23
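
Mapping a row of the translation table onto the argument order of clear ip nat translation is where hand-typed clears go wrong, and when one inside host is burning through translations an operator wants every command for that host at once. The following Python script is an added example, not part of this Cisco document, and serves both the clearing task above and this example. It parses a constructed table (the rows shown above, one extra tcp row for the same inside host, and one assumed non-extended half-entry shown with --- in the Pro column), ranks inside hosts by translation count, and builds the exact clear command for each entry, adding the forced keyword on request for a half-entry that still has child translations. The --- half-entry format and the extra rows are assumptions.

```python
"""Parse 'show ip nat translations' output and build the matching clear commands.

Added example, not Cisco code. SAMPLE is a constructed table: the rows from
this page's examples, one extra tcp row for the same inside host, and one
assumed non-extended half-entry (shown with --- in the Pro column). Argument
order follows the syntax in the task above:
  clear ip nat translation {tcp|udp} inside g-ip g-port l-ip l-port outside l-ip l-port g-ip g-port
  clear ip nat translation inside global-ip local-ip [forced]
"""
from collections import Counter

SAMPLE = """\
Pro Inside global         Inside local         Outside local       Outside global
tcp 192.168.2.20:1220     192.168.2.95:1220    192.168.2.22:53     192.168.2.20:53
tcp 192.168.2.20:11012    192.168.2.209:11012  171.69.1.220:23     192.168.2.20:23
tcp 192.168.2.20:11013    192.168.2.209:11013  171.69.1.220:23     192.168.2.20:23
udp 192.168.2.20:1067     192.168.2.20:1067    192.168.2.20:23     192.168.2.20:23
--- 192.168.2.21          192.168.2.96         ---                 ---
Total number of translations: 5
"""

PROTOCOLS = ("tcp", "udp", "icmp", "---")


def _split(addr):
    """'ip:port' -> (ip, port); bare ip -> (ip, None); '---' -> (None, None)."""
    if addr == "---":
        return None, None
    ip, _, port = addr.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    """One dict per table row; header, totals and verbose detail lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in PROTOCOLS:
            continue
        pro, ig, il, ol, og = cols
        entries.append({"pro": None if pro == "---" else pro, "ig": _split(ig),
                        "il": _split(il), "ol": _split(ol), "og": _split(og)})
    return entries


def clear_command(e, forced=False):
    """The exact CLI line that removes entry e before it times out."""
    if e["pro"] in ("tcp", "udp"):
        (gip, gport), (lip, lport) = e["ig"], e["il"]
        (olip, olport), (ogip, ogport) = e["ol"], e["og"]
        return (f"clear ip nat translation {e['pro']} inside {gip} {gport} {lip} {lport} "
                f"outside {olip} {olport} {ogip} {ogport}")
    if e["pro"] is None:
        # Half-entry: per the task above it is cleared only if it has no child
        # translations, unless the forced keyword is given.
        cmd = f"clear ip nat translation inside {e['ig'][0]} {e['il'][0]}"
        return cmd + " forced" if forced else cmd
    raise ValueError(f"no clear syntax modeled here for protocol {e['pro']}")


def translations_per_inside_host(entries):
    """Inside-local hosts ranked by the number of translations they hold."""
    return Counter(e["il"][0] for e in entries)


def clear_commands_for_host(entries, inside_local_ip, forced=False):
    """Every clear command needed to drop one inside host's translations."""
    return [clear_command(e, forced) for e in entries if e["il"][0] == inside_local_ip]


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    host, count = translations_per_inside_host(entries).most_common(1)[0]
    print(f"{host} holds {count} translations")
    for cmd in clear_commands_for_host(entries, host):
        print(cmd)
```

Only tcp and udp rows get a full-entry command; anything else raises so that a row is never silently skipped. Review the generated commands before pasting them, since each one drops the session behind that translation.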

Additional References for Monitoring and Maintaining NAT

Related Documents

Related Topic                                                   Document Title
Cisco IOS commands                                              Cisco IOS Master Commands List, All Releases
NAT commands                                                    Cisco IOS IP Addressing Command Reference
NAT concepts, configuration tasks, and configuration examples   IP Addressing: NAT Configuration Guide

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Monitoring and Maintaining NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Monitoring and Maintaining NAT

Feature Name: NAT-Forced Clear of Dynamic NAT Half-Entries

Releases: Cisco IOS XE Release 2.4

Feature Information: The NAT-Forced Clear of Dynamic NAT Half-Entries feature filters the display of the translation table by specifying an inside or outside address, and adds a forced keyword that clears active dynamic NAT half-entries even when they have child translations.

The following commands were introduced or modified: clear ip nat translation forced, show ip nat translations.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.