Prerequisites for Monitoring and Maintaining NAT
Before performing the tasks in this module, you must be familiar with the concepts described in the “Configuring NAT for IP Address Conservation” module and have NAT configured in your network.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Monitoring and Maintaining NAT feature enables the monitoring of Network Address Translation (NAT) by using translation information and statistics displays. It enables the logging of NAT translation to log and track system error messages and exceptions. The Monitoring and Maintaining NAT feature helps maintain NAT by clearing NAT translations before the timeout is expired.
This modules the Monitoring and Maintaining NAT feature.
Before performing the tasks in this module, you must be familiar with the concepts described in the “Configuring NAT for IP Address Conservation” module and have NAT configured in your network.
Syslog for Network Address Translation (NAT) is not supported.
On the Cisco Catalyst 8300 Series, Bidirectional Forwarding Detection (BFD) flaps occur when the clear IP NAT translation privileged EXEC command is executed, particularly when NAT is set up with a high volume of NAT sessions or translations. Although BFD is set up on a different interface from NAT, BFD sessions tend to immediately flap due to an echo failure. This happens because NAT briefly locks the database for a few seconds to finalize the clear operation, which can cause a momentary disruption. An echo failure is a situation in which a network device does not receive a reply to an echo request within a designated time. This echo request is part of the control messages used in protocols like BFD to check the availability and operational status of other network devices.
There are two basic types of IP Network Address Translation (NAT) translation information:
Translation entry information includes the following:
The protocol of the port identifying the address.
The legitimate IP address that represents one or more inside local IP addresses to the outside world.
The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider.
The IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.
The IP address assigned to a host on the outside network by its owner.
The time since the entry was created (in hours:minutes:seconds).
The time since the entry was last used (in hours:minutes:seconds).
Statistical information includes the following:
The total number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.
A list of interfaces marked as outside with the ip nat outside command.
A list of interfaces marked as inside with the ip nat inside command.
The number of times the software does a translations table lookup and finds an entry.
The number of times the software does a translations table lookup, fails to find an entry, and must try to create one.
A cumulative count of translations that have expired since the router was booted.
Information about dynamic mappings.
Information about an inside source translation.
The access list number being used for the translation.
The name of the pool.
The number of translations using this pool.
The IP network mask being used in the pool.
The starting IP address in the pool range.
The ending IP address in the pool range.
The type of pool. Possible types are generic or rotary.
The number of addresses in the pool available for translation.
The number of addresses being used.
The number of failed allocations from the pool.
NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved by using one of the following options:
By having a physical interface or virtual LAN (VLAN) with the logging option
By using NetFlow
The NAT-Forced Clear of Dynamic NAT Half-Entries feature filters the display of the translation table by specifying an inside or outside address. This feature introduces the clear ip nat translation forced command that forcefully clears active dynamic Network Address Translation (NAT) half-entries that have child translations.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
show ip nat translations [verbose ] Example:
|
(Optional) Displays active NAT translations. |
Step 3 |
show ip nat statistics Example:
|
(Optional) Displays active NAT translation statistics. |
The following is sample output from the show ip nat translations command:
Device# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.1.1:514 192.168.2.3:53 192.168.2.22:256 192.168.2.22:256
tcp 192.168.1.1:513 192.168.2.2:53 192.168.2.22:256 192.168.2.22:256
tcp 192.168.1.1:512 192.168.2.4:53 192.168.2.22:256 192.168.2.22:256
Total number of translations: 3
The following is sample output from the show ip nat translations verbose command:
Device# show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
tcp 192.168.1.1:514 192.168.2.3:53 192.168.2.22:256 192.168.2.22:256
create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
entry-id: 0x8ef80350, use_count:1
tcp 192.168.1.1:513 192.168.2.2:53 192.168.2.22:256 192.168.2.22:256
create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
entry-id: 0x8ef801b0, use_count:1
tcp 192.168.1.1:512 192.168.2.4:53 192.168.2.22:256 192.168.2.22:256
create 04/09/11 10:51:48, use 04/09/11 10:52:31, timeout: 00:01:00
Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
entry-id: 0x8ef80280, use_count:1
Total number of translations: 3
The following is sample output from the show ip nat statistics command:
Device# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
GigabitEthernet0/3/0
Inside interfaces:
GigabitEthernet0/3/1
Hits: 3228980 Misses: 3
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pool1 refcount 3
pool pool1: netmask 255.255.255.0
start 198.168.1.1 end 198.168.254.254
type generic, total addresses 254, allocated 0 (0%), misses 0
longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
By default, dynamic address translations will time out from the NAT translation table at some point. Perform this task to clear the entries before the timeout.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
clear ip nat translation inside global-ip local-ip outside local-ip global-ip Example:
|
(Optional) Clears a single dynamic half-entry containing an inside translation or both an inside and outside translation created in a dynamic configuration.
|
Step 3 |
clear ip nat translation outside global-ip local-ip Example:
|
(Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration.
|
Step 4 |
clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port Example:
|
(Optional) Clears a UDP translation entry. |
Step 5 |
clear ip nat translation {* | [forced ] | [inside global-ip local-ip ] [outside local-ip global-ip ]} Example:
|
(Optional) Clears either all dynamic translations (with the * or forced keyword), a single dynamic half-entry containing an inside translation, or a single dynamic half-entry containing an outside translation.
|
Step 6 |
clear ip nat translation inside global-ip local-ip [forced ] Example:
|
(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation.
|
Step 7 |
clear ip nat translation outside local-ip global-ip [forced ] Example:
|
(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration.
|
The following example shows the Network Address Translation (NAT) entries before and after the UDP entry is cleared:
Device# show ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.95:1220 192.168.2.22:53 192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23 192.168.2.20:23
tcp 192.168.2.20:1067 192.168.2.20:1067 192.168.2.20:23 192.168.2.20:23
Device# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 outside 192.168.2.20:23 192.168.2.20:23
Device# show ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.95:1220 192.168.2.22:53 192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23 192.168.2.20:23
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
|
NAT for IP address conservation |
“Configuring NAT for IP Address Conservation” module |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Name |
Releases |
Feature Information |
---|---|---|
NAT—Forced Clear of Dynamic NAT Half-Entries |
Cisco IOS XE Release 2.4 |
The NAT-Forced Clear of Dynamic NAT Half-Entries feature filters the display of the translation table by specifying an inside or outside address. The following commands were introduced or modified: clear ip nat translations forced , show ip nat translations . |