Checking NAT Status
Problem
You want to see the current NAT information.
Solution
There are several useful EXEC commands for checking the status of NAT on a router. You can view the NAT translation table by using the following command:
Router#show ip nat translation
You can clear all or part of the NAT translation table by specifying either a * or a particular address. To clear a specific entry, you must specify either the global address for a device that is inside, or a local address for a device that is outside:
Router#clear ip nat translation * Router#clear ip nat translation inside 172.18.3.2 Router#clear ip nat translation outside 192.168.1.10
You will often want to look at NAT statistics, including information on which interfaces use NAT, how many entries are in the NAT table, how often they have been used, and, most importantly, how often packets have bypassed NAT. The command to see this is show ip nat statistics:
Router#show ip nat statistics
And you can clear these statistics as follows:
Router#clear ip nat statistics
Discussion
The NAT translation table contains information about every translation that the router is currently tracking. In this example, you can see that there have been two connections between the interior device 192.168.1.10 and the exterior device 172.18.3.2. The first of these connections is shown as ICMP:
Router#show ip nat translation Pro Inside global Inside local Outside local Outside global icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776 172.18.3.2:21776 tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23 --- 172.16.1.10 192.168.1.15 --- --- --- 172.16.1.11 192.168.1.16 --- --- Router#
This command shows only the currently active NAT table entries. You can see, for example, that it translates the inside local address 192.168.1.10 to the inside global address 172.16.1.100. But this router isn't configured to translate outside addresses, so the outside local address is the same as the outside global addresses. As we discussed in Recipe 21.10, the router removes dynamic NAT entries after a defined period of time. For example, by default the router will delete NAT entries for TCP connections after 24 hours.
The output has five columns. The first is the protocol. This column is blank unless you use the overload option in your NAT configuration. The "Inside global" address column is the translated address of an internal device. The "Inside local" column, on the other hand, shows the real internal address for the same device. The "Outside local" column shows the translated addresses of external devices, while "Outside global" shows their real addresses.
This can be a little bit confusing at first sight. The real address on the inside is "local," and the translated address is "global," while the real address on the outside is "global," and it is translated to a "local" address. You can resolve this confusion by remembering that global addresses are always on the outside, and local addresses are on the inside.
The last two rows represent simple static NAT entries. It shows, for example, that the internal device whose real address is 192.168.1.15 is translated to 172.16.1.10 when its packets pass through this router. There are no external addresses listed for this entry. Because it is a static entry, this translation is the same for any external device. However, the row immediately above this one shows all four entries:
tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23
This line includes a lot of useful information. The first column indicates that this row represents a TCP connection, and that the translation is a dynamic entry. On the inside, the source address is 192.168.1.10, and the source TCP port it 1029, while the destination is 172.18.3.2, and the destination port is 23. On the outside, the destination address and port are the same, but the source address is rewritten as 172.16.1.100, and the source port is 1029.
The verbose keyword makes this command show age information about each table entry:
Router#show ip nat translation verbose Pro Inside global Inside local Outside local Outside global icmp 172.16.1.100:21776 192.168.1.10:21776 172.18.3.2:21776 172.18.3.2:21776 192.168.3.2:4235 create 00:00:36, use 00:00:36, left 00:00:23, flags: extended tcp 172.16.1.100:1029 192.168.1.10:1029 172.18.3.2:23 172.18.3.2:23 create 00:00:15, use 00:00:13, left 00:00:46, flags: extended, timing-out --- 172.16.1.10 192.168.1.15 --- --- create 1d00h, use 00:23:08, flags: static --- 172.16.1.11 192.168.1.16 --- --- create 1d00h, use 00:15:28, flags: static Router#
This level of detail is most useful when you are trying to diagnose NAT table timeout issues.
The show ip nat statistics command includes useful information about the translation configuration. The following example shows one external and two internal interfaces, with a dynamic NAT pool that runs from 172.16.1.100 to 172.16.1.150:
Router#show ip nat statistics Total active translations: 3 (2 static, 1 dynamic; 1 extended) Outside interfaces: Ethernet0/0 Inside interfaces: FastEthernet0/0, FastEthernet0/1 Hits: 2628 Misses: 44 Expired translations: 37 Dynamic mappings: -- Inside Source access-list 15 pool NATPOOL refcount 1 pool NATPOOL: netmask 255.255.255.0 start 172.16.1.100 end 172.16.1.150 type generic, total addresses 2, allocated 1 (50%), misses 9 Router#
The Hits field shows the total number of times that the router has had to create new translation table entries. The Misses field counts the exceptions. In this case, there is an access-list that excludes certain internal IP addresses.