There are two commands used to verify the NAT configuration on a router. The show ip nat translations command shows the translations in the NAT table: The following is an example of its output:
Border#show ip nat translations
Pro Inside global Inside local Outside local Outside global 200.1.1.25 10.1.1.25
200.1.1.26 10.1.1.25
---tcp 200.1.1.50:25 10.1.1.50:25 206.1.1.25:25 206.1.1.25:25 tcp 200.1.1.51:514 10.1.1.51:514 155.1.9.6:1021 155.1.9.6:1021 Border#
Adding the verbose keyword at the end of the command will display more information about each NAT table entry. These items include how long ago the entry was created, when it was last used, and how long before the entry will expire. The following is the output from add-ing the verbose keyword:
Border#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global 200.1.1.25 10.1.1.25
create 2d18h, use 2d18h, flags: static, use_count: 0 200.1.1.26 10.1.1.26 create 2d18h, use 2d18h, flags: static, use_count: 0 tcp 200.1.1.50:25 10.1.1.50:25 206.1.1.25:25 206.1.1.25:25 create 05:53:05, use 05:53:05, left 18:06:54, flags: extended, ➥use_count: 0
tcp 200.1.1.51:514 10.1.1.51:514 155.1.9.6:1021 155.1.9.6:1021 create 02:22:51, use 00:22:28, left 23:37:31, flags: extended, ➥use_count: 0
Border#
4421.book Page 95 Tuesday, February 1, 2005 2:52 PM
The second command is used to display the statistics and configuration information for NAT. The show ip nat statistics command displays the following information about the NAT table and statistics:
Border#show ip nat statistics
Total active translations: 4 (2 static, 2 dynamic; 2 extended) Outside interfaces:
Serial0
Inside interfaces:
Ethernet0
Hits: 13654693 Misses: 42 Expired translations: 1202 Dynamic mappings:
-- Inside Source
[Id: 1] access-list 12 pool outbound refcount 5 pool outbound: netmask 255.255.255.0
start 200.1.1.2 end 200.1.1.254
type generic, total addresses 252, allocated 4 (2%), misses 0 Border#
The debug ip nat command is used to troubleshoot NAT problems on the router. In the following output you will notice that the inside local source address of 10.1.1.25, which gets translated to an inside global source address of 200.1.1.25, is sending a packet to the destina-tion address 206.1.1.25. An arrow (—>) symbol indicates that the packet was translated, and an asterisk (*) symbol indicates that the packet is traveling through the fast path. The first packet in a conversation will be processed through a process-switched or slow path, and additional packets will be able to be switched faster through the fast path. The following example shows the output from the debug ip nat command:
Border#debug ip nat IP NAT debugging is on Border#
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [0]
NAT: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [0]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [1]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [2]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [3]
NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [1]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [4]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [5]
NAT: s=10.1.1.25->200.1.1.25, d=206.1.1.25 [6]
NAT*: s=206.1.1.25, d=200.1.1.25->10.1.1.25 [2]
Border#
Summary 97
Once debugging is enabled, it remains in effect until you turn it off with the no debug ip nat command; to turn off all debugging, use the undebug all command.
Turning on debugging information in a production router can have a significant impact on performance.
Occasionally, you will need to delete a NAT translation from the NAT table. Sometimes NAT is configured properly, but translations need to be cleared and reset to resolve a problem.
Table 3.1 shows the commands used to clear the NAT table.
Often, the router will not allow you to remove or change the NAT configuration because dynamic translations have been created. When this occurs, you need to remove the inside or outside designation from an interface so translations can-not be created. When this happens, all NAT translations stop on the router. Then you can clear the translations and reconfigure or remove the NAT configuration.
Summary
As the Internet grows and companies need more and more IP addresses, the number of available IP addresses diminishes. This is one of the main reasons for the implementation of NAT and PAT. You need to understand how NAT and PAT work and how to configure each technology.
NAT and PAT enable a private IP network using non-registered IP addresses to access outside T A B L E 3 . 1 Commands to Clear the NAT Table
Command Meaning
clear ip nat translation * Clears all NAT table entries.
clear ip nat translation inside global-ip Clears the inside NAT translation table entry for the specified IP address.
clear ip nat translation outside local-ip Clears the outside NAT translation table entry for the specified IP address.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Clears the specific extended NAT table entry represented by the global and local IP addresses and ports.
4421.book Page 97 Tuesday, February 1, 2005 2:52 PM
networks such as the Internet. NAT also can translate the addresses of two overlapping net-works, such as when two companies merge that are using the same IP address space.
There are some disadvantages of using NAT and PAT in a network. Specifically, they don’t allow for full end-to-end communications between two hosts using their configured addresses, making troubleshooting a challenge at times. Some protocols and applications carry IP address information in the payload of the packet, and the embedded IP addresses might not get trans-lated by the NAT border router.
There are many IOS commands used for viewing NAT configuration and troubleshooting NAT problems. The show ip nat translation command is one of the most useful, in addi-tion to debug ip nat.
Exam Essentials
Understand how NAT and PAT operate. NAT is a technology, specified in RFC 1631 and RFC 3022, used to hide network addresses behind one or more IP addresses. A company can use IP addresses set aside by RFC 1918 on their internal networks and use a pool of Internet-routable IP addresses to connect their company to the Internet. PAT is similar to NAT but with a single IP address, and the port numbers are changed to make each connection unique.
Know the advantages of NAT and PAT. The advantages of NAT and PAT are that they allow an entire network to hide behind one or more IP addresses and that they allow a certain level of security and allow a company to change ISPs without having to renumber their entire network. NAT also allows a basic level of load-balancing between multiple hosts performing the same function.
Know the disadvantages of NAT and PAT. The disadvantages of NAT and PAT are that there are some protocols and applications that will not work because they carry IP address information in the payload of the packets they send and they do not provide end-to-end signif-icance for the IP address. Cisco IOS corrects some of these problems with the more popular pro-tocols and applications, but it cannot cover them all. There also can be a significant delay in translating IP addresses, which introduces latency in the communications path and causes appli-cation performance problems.
Understand how to configure NAT and PAT using Cisco IOS. One option when configuring NAT is to use dynamic NAT using a pool of IP addresses or by using the IP address of the out-bound interface. You can also reuse those IP addresses by using the overload feature, which sometimes is called PAT. You can also configure a static NAT translation from an inside local IP address to an inside global IP address. A static translation can also be configured based upon both the IP address and port values.
Know the troubleshooting commands for NAT and PAT. The commands used to trouble-shoot NAT are show ip nat translations with the optional verbose keyword and debug ip nat. The latter command will log NAT events as they occur on the router. The show ip nat statistics command is used to not only display how many translations are active but also to see the NAT configuration on the router.