Monitoring and Maintaining NAT

The Monitoring and Maintaining NAT feature enables the monitoring of Network Address Translation (NAT) by using translation information and statistics displays. It enables the logging of NAT translation to log and track system error messages and exceptions. The Monitoring and Maintaining NAT feature helps maintain NAT by clearing NAT translations before their timeout expires.

This module describes the Monitoring and Maintaining NAT feature.

Prerequisites for Monitoring and Maintaining NAT

Before performing the tasks in this module, you must be familiar with the concepts described in the “Configuring NAT for IP Address Conservation” module and have NAT configured in your network.

Restrictions for Monitoring and Maintaining NAT

  • Syslog for Network Address Translation (NAT) is not supported.

  • On the Cisco Catalyst 8300 Series, Bidirectional Forwarding Detection (BFD) flaps occur when the clear IP NAT translation privileged EXEC command is executed, particularly when NAT is set up with a high volume of NAT sessions or translations. Although BFD is set up on a different interface from NAT, BFD sessions tend to immediately flap due to an echo failure. This happens because NAT briefly locks the database for a few seconds to finalize the clear operation, which can cause a momentary disruption. An echo failure is a situation in which a network device does not receive a reply to an echo request within a designated time. This echo request is part of the control messages used in protocols like BFD to check the availability and operational status of other network devices.

Information About Monitoring and Maintaining NAT

NAT Display Contents

There are two basic types of IP Network Address Translation (NAT) translation information: translation entries and statistical information.

Translation Entries

Translation entry information includes the following:

  • The protocol of the port identifying the address.

  • The legitimate IP address that represents one or more inside local IP addresses to the outside world.

  • The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider.

  • The IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.

  • The IP address assigned to a host on the outside network by its owner.

  • The time since the entry was created (in hours:minutes:seconds).

  • The time since the entry was last used (in hours:minutes:seconds).

  • Flags indicating the type of translation. Possible flags are:
    • extended—Extended translation.
    • static—Static translation.
    • destination—Rotary translation.
    • outside—Outside translation.
    • timing out—Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.

Statistical Information

Statistical information includes the following:

  • The total number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.

  • A list of interfaces marked as outside with the ip nat outside command.

  • A list of interfaces marked as inside with the ip nat inside command.

  • The number of times the software does a translations table lookup and finds an entry.

  • The number of times the software does a translations table lookup, fails to find an entry, and must try to create one.

  • A cumulative count of translations that have expired since the router was booted.

  • Information about dynamic mappings.

  • Information about an inside source translation.

  • The access list number being used for the translation.

  • The name of the pool.

  • The number of translations using this pool.

  • The IP network mask being used in the pool.

  • The starting IP address in the pool range.

  • The ending IP address in the pool range.

  • The type of pool. Possible types are generic or rotary.

  • The number of addresses in the pool available for translation.

  • The number of addresses being used.

  • The number of failed allocations from the pool.

NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved by using one of the following options:

  • By having a physical interface or virtual LAN (VLAN) with the logging option

  • By using NetFlow

NAT-Forced Clear of Dynamic NAT Half-Entries

The NAT-Forced Clear of Dynamic NAT Half-Entries feature filters the display of the translation table by specifying an inside or outside address. This feature introduces the clear ip nat translation forced command that forcefully clears active dynamic Network Address Translation (NAT) half-entries that have child translations.

How to Monitor and Maintain NAT

Displaying NAT Translation Information

SUMMARY STEPS

  1. enable
  2. show ip nat translations [verbose]
  3. show ip nat statistics

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

show ip nat translations [verbose]

Example:

Device# show ip nat translations

(Optional) Displays active NAT translations.

Step 3

show ip nat statistics

Example:

Device# show ip nat statistics

(Optional) Displays active NAT translation statistics.

Example:

The following is sample output from the show ip nat translations command:

Device# show ip nat translations

Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
Total number of translations: 3

The following is sample output from the show ip nat translations verbose command:

Device# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80350, use_count:1
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef801b0, use_count:1
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80280, use_count:1
Total number of translations: 3

The following is sample output from the show ip nat statistics command:

Device# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) 
Outside interfaces: 
GigabitEthernet0/3/0 
Inside interfaces: 
GigabitEthernet0/3/1 
Hits: 3228980 Misses: 3 
CEF Translated packets: 0, CEF Punted packets: 0 
Expired translations: 0 
Dynamic mappings: 
-- Inside Source 
[Id: 1] access-list 1 pool pool1 refcount 3 
  pool pool1: netmask 255.255.255.0 
  start 198.168.1.1 end 198.168.254.254 
  type generic, total addresses 254, allocated 0 (0%), misses 0 
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256 
  Pool stats drop: 0 Mapping stats drop: 0 
  Port block alloc fail: 0 
  IP alias add fail: 0 
  Limit entry add fail: 0 
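As an added example (not part of the Cisco documentation), the following Python parses show ip nat statistics output such as the sample above into the counters the statistics list describes (active translations, hits and misses, expired translations, and per pool the total, allocated, misses and pool drops) and reports findings when a pool approaches exhaustion. The sample text is constructed, and the dictionary keys and function names are this example's own.

```python
from __future__ import annotations
import re

# Constructed sample modelled on the show ip nat statistics output above, with
# the pool near exhaustion and some drops so that the health check has findings.
SAMPLE_STATS = """\
Total active translations: 250 (0 static, 250 dynamic; 250 extended)
Hits: 3228980 Misses: 3
Expired translations: 17
-- Inside Source
[Id: 1] access-list 1 pool pool1 refcount 250
  pool pool1: netmask 255.255.255.0
  start 198.168.1.1 end 198.168.254.254
  type generic, total addresses 254, allocated 240 (94%), misses 12
  Pool stats drop: 2 Mapping stats drop: 0
"""

def parse_nat_statistics(text: str) -> dict:
    """Extract the global counters and the per-pool block(s) into a dict."""
    stats = {"pools": {}}
    pool = None  # the pool block currently being read
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic", line):
            stats.update(active=int(m[1]), static=int(m[2]), dynamic=int(m[3]))
        elif m := re.match(r"Hits: (\d+) Misses: (\d+)", line):
            stats.update(hits=int(m[1]), misses=int(m[2]))
        elif m := re.match(r"Expired translations: (\d+)", line):
            stats["expired"] = int(m[1])
        elif m := re.match(r"pool (\S+): netmask (\S+)", line):
            pool = stats["pools"].setdefault(m[1], {"netmask": m[2]})
        elif pool is not None and (m := re.match(r"type (\w+), total addresses (\d+), allocated (\d+) .*misses (\d+)", line)):
            pool.update(type=m[1], total=int(m[2]), allocated=int(m[3]), misses=int(m[4]))
        elif pool is not None and (m := re.match(r"Pool stats drop: (\d+) Mapping stats drop: (\d+)", line)):
            pool.update(pool_drops=int(m[1]), mapping_drops=int(m[2]))
    return stats

def nat_health_findings(stats: dict, util_threshold: float = 0.9) -> list[str]:
    """Conditions worth alerting on: a pool near exhaustion, failed allocations
    from the pool (misses), or packets dropped because no pool address was free."""
    findings = []
    for name, p in stats["pools"].items():
        util = p["allocated"] / p["total"]
        if util >= util_threshold:
            findings.append(f"pool {name} at {util:.0%} utilization ({p['allocated']}/{p['total']})")
        if p["misses"]:
            findings.append(f"pool {name}: {p['misses']} failed allocations")
        if p.get("pool_drops"):
            findings.append(f"pool {name}: {p['pool_drops']} pool stats drops")
    return findings
```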

Clearing NAT Entries Before the Timeout

By default, dynamic address translations are removed from the NAT translation table only when their timeout expires. Perform this task to clear entries before that happens.

SUMMARY STEPS

  1. enable
  2. clear ip nat translation inside global-ip local-ip outside local-ip global-ip
  3. clear ip nat translation outside global-ip local-ip
  4. clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port
  5. clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}
  6. clear ip nat translation inside global-ip local-ip [forced]
  7. clear ip nat translation outside local-ip global-ip [forced]

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

clear ip nat translation inside global-ip local-ip outside local-ip global-ip

Example:

Device# clear ip nat translation inside 192.168.2.209 192.168.2.95 outside 192.168.2.100 192.168.2.101

(Optional) Clears a single dynamic half-entry containing an inside translation or both an inside and outside translation created in a dynamic configuration.

  • A dynamic half-entry is cleared only if it does not have any child translations.

Step 3

clear ip nat translation outside global-ip local-ip

Example:

Device# clear ip nat translation outside 192.168.2.100 192.168.2.80

(Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration.

  • A dynamic half-entry is cleared only if it does not have any child translations.

Step 4

clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port

Example:

Device# clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53

(Optional) Clears a UDP translation entry.

Step 5

clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}

Example:

Device# clear ip nat translation * 

(Optional) Clears either all dynamic translations (with the * or forced keyword), a single dynamic half-entry containing an inside translation, or a single dynamic half-entry containing an outside translation.

  • A single dynamic half-entry is cleared only if it does not have any child translations.

Step 6

clear ip nat translation inside global-ip local-ip [forced]

Example:

Device# clear ip nat translation inside 192.168.2.209 192.168.2.195 forced

(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation.

  • A dynamic half-entry is always cleared, regardless of whether it has any child translations.

Step 7

clear ip nat translation outside local-ip global-ip [forced]

Example:

Device# clear ip nat translation outside 192.168.2.100 192.168.2.80 forced

(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration.

  • A dynamic half-entry is always cleared, regardless of whether it has any child translations.
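An added example, not from the Cisco documentation, that ties the translation display described under "NAT Display Contents" to the clearing procedure above: it parses show ip nat translations output (plain or verbose) into entries and builds clear commands in the Step 4 form for every extended translation belonging to one inside local host, skipping simple entries without ports. The sample table, the Translation class and the function names are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample modelled on the show ip nat translations output above;
# the udp entry and the port-less "---" entry are added to exercise both cases.
SAMPLE_TRANSLATIONS = """\
Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
udp 192.168.1.1:512      192.168.2.3:1220   192.168.2.22:53      192.168.2.22:53
--- 192.168.1.10         192.168.2.50       ---                  ---
Total number of translations: 4
"""

@dataclass(frozen=True)
class Translation:
    proto: str            # tcp/udp/icmp, or "---" for a simple (non-extended) entry
    inside_global: str    # "ip:port" for extended entries, bare ip otherwise
    inside_local: str
    outside_local: str
    outside_global: str

def _split(addr: str) -> tuple[str, str | None]:
    """Split "ip:port" into (ip, port); port is None for a bare ip or "---"."""
    ip, _, port = addr.partition(":")
    return ip, port or None

def parse_translations(text: str) -> list[Translation]:
    """Keep the 5-column rows whose second field is an address; the header, the
    "Total" line and the indented detail lines of verbose output are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[1][:1].isdigit():
            rows.append(Translation(*cols))
    return rows

def clear_commands_for_inside_local(text: str, host: str) -> list[str]:
    """One clear command per extended entry of host, in the Step 4 form (protocol,
    then inside and outside address/port pairs). Simple entries without ports
    are skipped: they need the Step 2 form instead."""
    cmds = []
    for t in parse_translations(text):
        (ig, igp), (il, ilp) = _split(t.inside_global), _split(t.inside_local)
        (ol, olp), (og, ogp) = _split(t.outside_local), _split(t.outside_global)
        if il != host or None in (igp, ilp, olp, ogp):
            continue
        cmds.append(f"clear ip nat translation {t.proto} inside {ig} {igp} {il} {ilp} "
                    f"outside {ol} {olp} {og} {ogp}")
    return cmds
```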

Examples for Monitoring and Maintaining NAT

Example: Clearing UDP NAT Translations

The following example shows the Network Address Translation (NAT) entries before and after the UDP entry is cleared:

Device# show ip nat translation
Pro Inside global        Inside local         Outside local      Outside global
udp 192.168.2.20:1220    192.168.2.95:1220    192.168.2.22:53    192.168.2.20:53
tcp 192.168.2.20:11012   192.168.2.209:11012  171.69.1.220:23    192.168.2.20:23
tcp 192.168.2.20:1067    192.168.2.20:1067    192.168.2.20:23    192.168.2.20:23

Device# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 outside 192.168.2.20:23 192.168.2.20:23
Device# show ip nat translation

Pro Inside global        Inside local         Outside local      Outside global
udp 192.168.2.20:1220    192.168.2.95:1220    192.168.2.22:53    192.168.2.20:53
tcp 192.168.2.20:11012   192.168.2.209:11012  171.69.1.220:23    192.168.2.20:23

Additional References for Monitoring and Maintaining NAT

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference

Related Topic: NAT for IP address conservation
Document Title: “Configuring NAT for IP Address Conservation” module

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Monitoring and Maintaining NAT

Table 1. Feature Information for Monitoring and Maintaining NAT

Feature Name: NAT-Forced Clear of Dynamic NAT Half-Entries
Releases: Cisco IOS XE Release 2.4
Feature Information: The NAT-Forced Clear of Dynamic NAT Half-Entries feature filters the display of the translation table by specifying an inside or outside address. The following commands were introduced or modified: clear ip nat translation forced, show ip nat translations.