CCIE Practical Studies, Volume I
| < Free Open Study > |
The "Big show" and "Big D" for NAT
The "big show " commands for NAT are show ip nat translations for detailed NAT table listings and show ip nat statistics for a broader view of the translations occurring on the router. The show ip nat translations command displays all NAT translations on the router. It lists the protocol, along with the inside and outside global and local translations. Example 15-8 demonstrates the use of the command from the previous Easy IP model. This example shows two workstations, 172.16.1.10 and 172.16.1.11, accessing two hosts on the Internet, using the same inside local address, 206.191.194.42. The address 206.191.194.42 was the address assigned dynamically from the ISP when you connected. Example 15-8 show ip nat translations Command Output
easyip_router# show ip nat translations Pro Inside global Inside local Outside local Outside global tcp 206.191.194.42:1169 172.16.1.10:1169 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1168 172.16.1.10:1168 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1171 172.16.1.10:1171 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1170 172.16.1.10:1170 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1173 172.16.1.10:1173 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1172 172.16.1.10:1172 198.133.219.25:80 198.133.219.25:80 tcp 206.191.194.42:1167 172.16.1.10:1167 198.133.219.25:80 198.133.219.25:80 udp 206.191.194.42:1050 172.16.1.11:1050 206.191.193.1:53 206.191.193.1:53 udp 206.191.194.42:1048 172.16.1.11:1048 206.191.193.1:53 206.191.193.1:53 udp 206.191.194.42:1049 172.16.1.11:1049 206.191.193.1:53 206.191.193.1:53 udp 206.191.194.42:1046 172.16.1.11:1046 206.191.193.1:53 206.191.193.1:53 udp 206.191.194.42:1044 172.16.1.11:1044 206.191.193.1:53 206.191.193.1:53 tcp 206.191.194.42:1045 172.16.1.11:1045 63.251.8.23:80 63.251.8.23:80 udp 206.191.194.42:1057 172.16.1.11:1057 206.191.193.1:53 206.191.193.1:53 easyip_router#
NOTE The easiest way to test NAT in any of the three configurations is to test for IP connectivity from the inside network to a host on the outside network. This can be accomplished with a source ping, assuming that you're translating ICMP traffic.
The show ip nat statistics command summarizes NAT's operation on the router. It lists the active translations and tells whether they are static, dynamic, or extended. This command also shows the NAT inside and outside interfaces. Example 15-9 lists the output of this command on the easy_ip router. Example 15-9 show ip nat statistics Command
easyip_router# show ip nat statistics Total active translations: 12 (0 static, 12 dynamic; 12 extended) Outside interfaces: BRI0:1, BRI0:2, Dialer10, Virtual-Access1 Inside interfaces: Ethernet0 Hits: 2304 Misses: 190 Expired translations: 134 Dynamic mappings: -- Inside Source access-list 10 interface Dialer10 refcount 12 In this example, the translations are all dynamic and extended. In the code, Hits refers to the number of times that Cisco IOS Software does a translation table lookup and finds an entry, whereas Misses refers to the number of times that it fails to find an existing translation and must create a new one. Expired translations lists a cumulative count of translations that have expired since the router was booted . The show ip nat translations verbose command displays more detailed information about each translation than the show ip nat translations command, including the time it was created, the time it was in use, and expiration time. Any flags, such as extended port translation, are also noted. Example 15-10 lists the output of the command from the previous Easy IP example. Example 15-10 show ip nat translation verbose Command Output
easyip_router# show ip nat translations verbose Pro Inside global Inside local Outside local Outside global tcp 206.191.194.42:1066 172.16.1.11:1066 128.11.25.241:80 128.11.25.241:80 create 00:00:23, use 00:00:22, left 23:59:37, flags:extended tcp 206.191.194.42:1063 172.16.1.11:1063 128.11.25.252:80 128.11.25.252:80 create 00:00:23, use 00:00:23, left 23:59:36, flags:extended tcp 206.191.194.42:1065 172.16.1.11:1065 128.11.25.241:80 128.11.25.241:80 create 00:00:23, use 00:00:23, left 23:59:36, flags:extended easyip_router# A limited number of debugs are available for NAT, and they all stem from the debug ip nat command. The syntax is as follows : debug ip nat [ detailed ] The debug ip nat command displays each individual port and address pair association of all active translations. The detailed variation of this command adds additional information with an interface perspective. It also displays port negotiation messages. A heavy warning is warranted to anyone using this command on a production router: The output from a single workstation can be high. Notice in Example 15-11 how many messages are generated per millisecond on a single workstation. Use this command only to track down specific NAT problems. Example 15-11 debug ip nat detailed Output from the easy_ip Router
easyip_router# debug ip nat detailed IP NAT detailed debugging is on 00:24:07: NAT: i: udp (172.16.1.10, 137) -> (206.191.193.1, 53) [25601] 00:24:07: NAT: ipnat_allocate_port: wanted 137 got 137 00:24:07: NAT: s=172.16.1.10->206.191.194.42, d=206.191.193.1 [25601] 00:24:07: NAT: o: udp (206.191.193.1, 53) -> (206.191.194.42, 137) [44225] 00:24:07: NAT: s=206.191.193.1, d=206.191.194.42->172.16.1.10 [44225] 00:24:51: NAT: i: udp (172.16.1.10, 1046) -> (206.191.193.1, 53) [25857] 00:24:51: NAT: ipnat_allocate_port: wanted 1046 got 1046 00:24:51: NAT: s=172.16.1.10->206.191.194.42, d=206.191.193.1 [25857] 00:24:51: NAT: o: udp (206.191.193.1, 53) -> (206.191.194.42, 1046) [22909] 00:24:51: NAT: s=206.191.193.1, d=206.191.194.42->172.16.1.10 [22909] 00:24:51: NAT: i: udp (172.16.1.10, 1047) -> (206.191.193.1, 53) [26113] 00:24:51: NAT: ipnat_allocate_port: wanted 1047 got 1047
CAUTION Use the debug ip nat commands with extreme caution. A single workstation can generate several entries per millisecond. Use the command with the logging buffered global configuration command.
|
| < Free Open Study > |