This module describes how to:
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Before performing the tasks in this module, you must be familiar with the concepts described in the "Configuring NAT for IP Address Conservation" module and have NAT configured in your network.
There are two basic types of IP NAT translation information:
Translation entry information includes the following:
Statistical information includes the following:
NAT does not support ACL with the log option. The same functionality can be achieved by using one of the following options:
Syslog Analysis lets you centrally log and track system error messages, exceptions, and other information (such as device configuration changes). You can use the logged error message data to analyze router and network performance. You can customize Syslog Analysis to produce the information and message reports important to your operation.
For more information, see the Resource Manager Essentials and Syslog Analysis: How-To document:
http://www.cisco.com/warp/public/477/RME/rme_syslog.html
This section contains the following examples:
The following is sample output from the show ip nat translations command. Without overloading, two inside hosts are exchanging packets with some number of outside hosts.
Router# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.2.1 192.168.2.12 --- ---
--- 192.168.2.21 192.168.2.89 --- --
With overloading, a translation for a Domain Name Server (DNS) transaction is still active, and translations for two Telnet sessions (from two different hosts) are also active. Note that two different inside hosts appear on the outside with a single IP address.
Router# show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.95:1220 192.168.2.22:53 192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 192.168.1.220:23 192.168.2.20:23
tcp 192.168.2.20:1067 192.168.2.20:1067 192.168.2.20:23 192.168.2.20:23
The following is sample output that includes the verbose keyword:
Router# show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.23:1220 192.168.2.24:53 192.168.2.25:53
create 00:00:02, use 00:00:00, flags: extended
tcp 192.168.2.23:11012 192.168.2.30:11012 192.168.2.20:23 192.168.2.28:23
create 00:01:13, use 00:00:50, flags: extended
tcp 192.168.2.24:1067 192.168.2.29:1067 192.168.2.20:23 192.168.2.50:23
create 00:00:02, use 00:00:00, flags: extended
The following is sample output from the show ip nat statistics command:
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
pool net-208: netmask 255.255.255.240
start 192.168.0.0 end 192.168.255.255
type generic, total addresses 14, allocated 2 (14%), misses 0
By default, dynamic address translations will time out from the NAT translation table at some point. Perform this task to clear the entries before the timeout.
The logging of NAT translations can be enabled and disabled by way of the syslog command.
Syslog Analysis lets you centrally log and track system error messages, exceptions, and other information (such as NAT translations). You can use the logged error message data to analyze router and network performance. You can customize Syslog Analysis to produce the information and message reports important to your operation.
Prior to performing this task, you must specify the necessary syslog commands such as making sure that logging is enabled, configuring the server's IP address, and establishing the level of messages to be trapped.
The following example shows the NAT entries before and after the User Datagram Protocol (UDP) entry is cleared:
Router# show ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.95:1220 192.168.2.22:53 192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23 192.168.2.20:23
tcp 192.168.2.20:1067 192.168.2.20:1067 192.168.2.20:23 192.168.2.20:23
Router# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 outside 192.168.2.20:23 192.168.2.20:23
Router# show ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.20:1220 192.168.2.95:1220 192.168.2.22:53 192.168.2.20:53
tcp 192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23 192.168.2.20:23
The following example shows how to log NAT entries to syslog:
Router(config)# logging on
Router(config)# logging 1.1.1.1
Router(config)# logging trap informational
Router(config)# ip nat log translations syslog
The format of NAT information logged (for example, for ICMP Ping via NAT Overload configurations) will be as follows:
Apr 25 11:51:29 [10.0.19.182.204.28] 1: 00:01:13: NAT:Created icmp 135.135.5.2:7171 12.106.151.30:7171 54.45.54.45:7171 54.45.54.45:7171
Apr 25 11:52:31 [10.0.19.182.204.28] 8: 00:02:15: NAT:Deleted icmp 135.135.5.2:7172 12.106.151.30:7172 54.45.54.45:7172 54.45.54.45:7172
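The logged Created and Deleted records can be paired on the collector to reconstruct how long each translation existed and to answer which translation involved a given address and port at a given time. The following Python sketch is an added example, not Cisco code; it treats the four address:port fields as an opaque tuple rather than assuming a column order, takes the year as a caller-supplied assumption because the syslog timestamp has none, and uses constructed sample lines in the format shown above.

```python
import re
from datetime import datetime

# Constructed sample in the message format shown above; values are illustrative.
SAMPLE = """\
Apr 25 11:51:29 [10.0.19.182.204.28] 1: 00:01:13: NAT:Created icmp 135.135.5.2:7171 12.106.151.30:7171 54.45.54.45:7171 54.45.54.45:7171
Apr 25 11:52:31 [10.0.19.182.204.28] 8: 00:02:15: NAT:Deleted icmp 135.135.5.2:7171 12.106.151.30:7171 54.45.54.45:7171 54.45.54.45:7171
Apr 25 11:53:02 [10.0.19.182.204.28] 9: 00:02:46: NAT:Created icmp 135.135.5.2:7172 12.106.151.30:7172 54.45.54.45:7172 54.45.54.45:7172
Apr 25 11:53:05 [10.0.19.182.204.28] 10: 00:02:49: some unrelated message
"""

NAT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s.*?"
    r"NAT:(?P<event>Created|Deleted)\s+(?P<proto>\S+)\s+"
    r"(?P<eps>\S+\s+\S+\s+\S+\s+\S+)\s*$"
)

def parse_line(line, year):
    """Return (time, event, proto, endpoints) or None for non-NAT lines."""
    m = NAT_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it (assumption).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["event"], m["proto"], tuple(m["eps"].split())

def sessions(lines, year):
    """Pair Created/Deleted records into translation lifetimes."""
    out, open_idx = [], {}
    for rec in filter(None, (parse_line(l, year) for l in lines)):
        when, event, proto, eps = rec
        key = (proto, eps)
        if event == "Created":
            open_idx[key] = len(out)
            out.append({"proto": proto, "endpoints": eps, "created": when, "deleted": None})
        elif key in open_idx:
            out[open_idx.pop(key)]["deleted"] = when
        else:  # Deleted without Created: logging started mid-session
            out.append({"proto": proto, "endpoints": eps, "created": None, "deleted": when})
    return out

def active_at(sess, endpoint, when):
    """Translations that involved addr:port `endpoint` at time `when`."""
    return [s for s in sess
            if endpoint in s["endpoints"]
            and (s["created"] is None or s["created"] <= when)
            and (s["deleted"] is None or when <= s["deleted"])]
```

A translation whose `deleted` value is `None` was still open when the log ended, and one whose `created` value is `None` was already open when logging began.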
The following sections provide references related to Monitoring and Maintaining NAT.
Related Topic | Document Title |
---|---|
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | "IP Addressing Commands" chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.3. |

Standard | Title |
---|---|
None | -- |

MIB | MIBs Link |
---|---|
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |

RFC | Title |
---|---|
None | -- |

Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1. Feature Information for Monitoring and Maintaining NAT

Feature Name | Releases | Feature Information |
---|---|---|
NAT--Forced Clear of Dynamic NAT Half-Entries | Cisco IOS 12.2 (33) XND | A second forced keyword was added to the clear ip nat translation command to enable the removal of half-entries regardless of whether they have any child translations. |