Monitoring and Maintaining NAT


First Published: May 2, 2007
Last Updated: November 6, 2009

This module describes how to:

Monitor Network Address Translation (NAT) using translation information and statistics displays.

Maintain NAT by clearing NAT translations before the timeout has expired.

Enable logging of NAT translation by way of syslog to log and track system error messages, exceptions, and other information.

Finding Feature Information

For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Monitoring and Maintaining NAT" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Monitoring and Maintaining NAT

Information About Monitoring and Maintaining NAT

How to Monitor and Maintain NAT

Configuration Examples for Monitoring and Maintaining NAT

Additional References

Prerequisites for Monitoring and Maintaining NAT

Before performing the tasks in the module, you should be familiar with the concepts described in the "Configuring NAT for IP Address Conservation" module and have NAT configured.

Information About Monitoring and Maintaining NAT

Before performing the tasks in this module, you should understand the following concepts:

NAT Display Contents

Syslog Analysis

NAT Display Contents

The two basic types of IP NAT translation information are described in the following sections:

Translation Entries

Statistical Information

Translation Entries

Translation entry information includes the following:

The protocol (for example, TCP or UDP) of the port that identifies the address.

The legitimate IP address that represents one or more inside local IP addresses to the outside world.

The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider.

The IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.

The IP address assigned to a host on the outside network by its owner.

The time since the entry was created (in hours:minutes:seconds).

The time since the entry was last used (in hours:minutes:seconds).

Flags indicating the type of translation. Possible flags are:

extended—Extended translation.

static—Static translation.

destination—Rotary translation.

outside—Outside translation.

timing out—Translation will be aged out or removed soon, due to a TCP finish (FIN) or reset (RST) flag.

Statistical Information

Statistical information includes the following:

The total number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.

A list of interfaces marked as outside with the ip nat outside command.

A list of interfaces marked as inside with the ip nat inside command.

The number of times the software does a translations table lookup and finds an entry.

The number of times the software does a translations table lookup, fails to find an entry, and must try to create one.

A cumulative count of translations that have expired since the router was booted.

Information about dynamic mappings.

Information about an inside source translation.

The access list number being used for the translation.

The name of the pool.

The number of translations using this pool.

The IP network mask being used in the pool.

The starting IP address in the pool range.

The ending IP address in the pool range.

The type of pool. Possible types are generic or rotary.

The number of addresses in the pool available for translation.

The number of addresses being used.

The number of failed allocations from the pool.

NAT does not support Access Control Lists (ACL) with the log option. The same functionality can be achieved by using one of the following options:

By having a physical interface or VLAN with the logging option

By using NetFlow

By using the syslog feature

Syslog Analysis

The Syslog Analysis feature lets you centrally log and track system error messages, exceptions, and other information (such as device configuration changes). You can use the logged error message data to analyze router and network performance. You can customize Syslog Analysis to produce the information and message reports important to your operation.

For more information see the Resource Manager Essentials and Syslog Analysis: How-To document:

http://www.cisco.com/warp/public/477/RME/rme_syslog.html

How to Monitor and Maintain NAT

This section contains the following procedures:

Displaying NAT Translation Information (optional)

Clearing NAT Entries Before the Timeout (optional)

Enabling High Speed Logging of NAT Translations (optional)

Displaying NAT Translation Information

Perform this task to display translation data and statistical information.

SUMMARY STEPS

1. enable

2. show ip nat translations [verbose]

3. show ip nat statistics

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip nat translations [verbose]

Example:

Router# show ip nat translations

(Optional) Displays active NAT translations.

Step 3 

show ip nat statistics

Example:

Router# show ip nat statistics

(Optional) Displays active NAT translation statistics.

Examples

This section contains the following examples:

Displaying NAT Translations

Displaying NAT Statistics

Displaying NAT Translations

The following is sample output from the show ip nat translations command.

Router# show ip nat translations

Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256

Total number of translations: 3

The following is sample output that includes the verbose keyword:

Router# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global

tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/09 10:51:48, use 04/09/09 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80350, use_count:1

tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/09 10:51:48, use 04/09/09 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef801b0, use_count:1

tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
         create 04/09/09 10:51:48, use 04/09/09 10:52:31, timeout: 00:01:00
         Map-Id(In):1, Mac-Address: 0000.0000.0000 Input-IDB: GigabitEthernet0/3/1
          entry-id: 0x8ef80280, use_count:1

Total number of translations: 3
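As an added illustration that is not part of the Cisco documentation, the following Python parses output in the show ip nat translations layout shown above and groups the entries per inside-local host, which is the check a monitoring job runs to notice one host monopolising the translation table; the UDP rows, the protocol-less row and the per-host limit are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of `show ip nat translations`: the three TCP rows
# are the ones shown on this page; the UDP rows and the protocol-less row are added
# so that per-host grouping and the "---" placeholder are exercised.
SAMPLE_OUTPUT = """\
Router# show ip nat translations
Pro Inside global         Inside local       Outside local        Outside global
tcp 192.168.1.1:514      192.168.2.3:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:513      192.168.2.2:53     192.168.2.22:256     192.168.2.22:256
tcp 192.168.1.1:512      192.168.2.4:53     192.168.2.22:256     192.168.2.22:256
udp 192.168.1.1:40001    192.168.2.3:40001  203.0.113.9:53       203.0.113.9:53
udp 192.168.1.1:40002    192.168.2.3:40002  203.0.113.9:53       203.0.113.9:53
--- 192.168.1.9          192.168.2.50       ---                  ---
Total number of translations: 6
"""
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

@dataclass(frozen=True)
class Translation:
    proto: Optional[str]          # tcp/udp/icmp, or None when the column shows "---"
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_extended(self) -> bool:
        """Extended (per-port) translations carry a :port on the inside columns."""
        return ":" in self.inside_global

def _field(token: str) -> Optional[str]:
    return None if token == "---" else token

def host_of(addr: str) -> str:
    """Drop the :port suffix so that entries can be grouped per inside host."""
    return addr.split(":", 1)[0]

def parse_translations(text: str) -> list:
    """Parse the five-column table; prompt, header, total and verbose lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not IP_RE.match(parts[1]) or not IP_RE.match(parts[2]):
            continue
        entries.append(Translation(_field(parts[0]), parts[1], parts[2],
                                   _field(parts[3]), _field(parts[4])))
    return entries

def translations_per_inside_host(entries: list) -> Counter:
    """Number of active translations held by each inside-local host."""
    return Counter(host_of(e.inside_local) for e in entries)

def hosts_over_limit(entries: list, limit: int) -> list:
    """Inside hosts holding more than `limit` translations, busiest first; one host
    consuming a disproportionate share of the table is what a monitoring job wants
    to surface before the table or the pool's port space is exhausted."""
    counts = translations_per_inside_host(entries)
    return sorted(((h, c) for h, c in counts.items() if c > limit),
                  key=lambda hc: (-hc[1], hc[0]))
```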

Displaying NAT Statistics

The following is sample output from the show ip nat statistics command:

Router# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended)  
Outside interfaces:  
GigabitEthernet0/3/0  
Inside interfaces:  
GigabitEthernet0/3/1  
Hits: 3228980 Misses: 3  
CEF Translated packets: 0, CEF Punted packets: 0  
Expired translations: 0  
Dynamic mappings:  
-- Inside Source  
[Id: 1] access-list 1 pool pool1 refcount 3  
  pool pool1: netmask 255.255.255.0  
  start 198.168.1.1 end 198.168.254.254  
  type generic, total addresses 254, allocated 0 (0%), misses 0  
  longest chain in pool: pool1's addr-hash: 0, average len 0,chains 0/256  
  Pool stats drop: 0 Mapping stats drop: 0  
  Port block alloc fail: 0  
  IP alias add fail: 0  
  Limit entry add fail: 0  

Clearing NAT Entries Before the Timeout

By default, dynamic address translations are removed from the NAT translation table when their timeout expires. Perform this task to clear translation entries before that timeout.

SUMMARY STEPS

1. enable

2. clear ip nat translation inside global-ip local-ip outside local-ip global-ip

3. clear ip nat translation outside global-ip local-ip

4. clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port

5. clear ip nat translation {* | forced | [inside global-ip local-ip] [outside local-ip global-ip]}

6. clear ip nat translation inside global-ip local-ip [forced]

7. clear ip nat translation outside local-ip global-ip [forced]

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

clear ip nat translation inside global-ip local-ip outside local-ip global-ip

Example:

Router# clear ip nat translation inside 192.168.2.209 192.168.2.95 outside 192.168.2.100 192.168.2.101

(Optional) Clears a single dynamic half-entry containing an inside translation, or both inside and outside translation created in a dynamic configuration.

A dynamic half-entry will be cleared only if it does not have any child translations.

Step 3 

clear ip nat translation outside global-ip local-ip

Example:

Router# clear ip nat translation outside 192.168.2.100 1220 192.168.2.80

(Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration.

A dynamic half-entry will be cleared only if it does not have any child translations.

Step 4 

clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port

Example:

Router# clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53

(Optional) Clears a User Datagram Protocol (UDP) translation entry.

Step 5 

clear ip nat translation {* | forced | [inside global-ip local-ip] [outside local-ip global-ip]}

Example:

Router# clear ip nat translation *

(Optional) Clears either all dynamic translations (with the * or forced keyword), a single dynamic half-entry containing an inside translation, or a single dynamic half-entry containing an outside translation.

When clearing a single dynamic half-entry, it will be cleared only if it does not have any child translations.

Step 6 

clear ip nat translation inside global-ip local-ip [forced]

Example:

Router# clear ip nat translation inside 192.168.2.209 192.168.2.95 forced

(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation.

A dynamic half-entry will always be cleared, regardless of whether it has any child translations.

Step 7 

clear ip nat translation outside local-ip global-ip [forced]

Example:

Router# clear ip nat translation outside 192.168.2.100 192.168.2.101 forced

(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration.

A dynamic half-entry will always be cleared, regardless of whether it has any child translations.

Enabling Syslog for Logging NAT Translations

The logging of NAT translations can be enabled and disabled by way of the syslog command.

Syslog Analysis lets you centrally log and track system error messages, exceptions, and other information (such as NAT translations). You can use the logged error message data to analyze router and network performance. You can customize Syslog Analysis to produce the information and message reports important to your operation.

Prerequisites

Prior to performing this task, you must enter the necessary syslog commands such as making sure that logging is enabled, configuring the server's IP address, and establishing the level of messages to be trapped. For an example, see the "Enabling Syslog: Example" section.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat log translations syslog

4. no logging console

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip nat log translations syslog

Example:

Router(config)# ip nat log translations syslog

Enables the syslog for logging NAT translations.

Step 4 

no logging console

Example:

Router(config)# no logging console

(Optional) Disables the log display to the console.

Logging to the console is enabled by default.

Enabling High Speed Logging of NAT Translations

You can enable or disable high speed logging of all NAT translations or only translations for specific VPNs.

You must first use the ip nat log translations flow-export v9 udp destination command to enable high speed logging for all VPN and non-VPN translations. VPN translations are also known as VPN Routing and Forwarding (VRF) translations.

After you enable high speed logging for all NAT translations, you can then use the ip nat log translations flow-export v9 vrf-name command to enable or disable translations for specific VPNs. When you use this command, high speed logging is disabled for all VPNs except for the ones where it is explicitly enabled.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat log translations flow-export v9 udp destination addr port source interface interface-number

4. ip nat log translations flow-export v9 {vrf-name | global-on}

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip nat log translations flow-export v9 udp destination addr port source interface interface-number

Example:

Router(config)# ip nat log translations flow-export v9 udp destination 10.10.0.1 1020 source Ethernet 0/0

Enables the high speed logging of all VPN and non-VPN translations. The options are:

destination addr port — Destination address for which translations will be logged for non-VPN interfaces.

source interface interface-number — Source interface for which translations will be logged for non-VPN interfaces.

Step 4 

ip nat log translations flow-export v9 {vrf-name | global-on}

Example:

Router(config)# ip nat log translations flow-export v9 VPN-18

Enables or disables the high speed logging of specific NAT VPN translations. The options are:

vrf-name — Virtual Private Network (VPN) for which translations will be logged. The VPN is identified by the VPN Routing and Forwarding (VRF) network name.

global-on — Enables high speed logging for all Virtual Private Networks (VPNs).

Step 5 

exit

Example:

Router(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Configuration Examples for Monitoring and Maintaining NAT

This section provides the following configuration examples:

Clearing UDP NAT Translations: Example

Enabling Syslog: Example

Clearing UDP NAT Translations: Example

The following example shows the NAT entries before and after the UDP entry is cleared:

Router# show ip nat translations


Pro Inside global          Inside local       Outside local      Outside global
udp 192.168.2.20:1220     192.168.2.95:1220   192.168.2.22:53    192.168.2.20:53
tcp 192.168.2.20:11012    192.168.2.209:11012 171.69.1.220:23    192.168.2.20:23
tcp 192.168.2.20:1067     192.168.2.20:1067   192.168.2.20:23    192.168.2.20:23

Router# clear ip nat translation udp inside 192.168.2.20:1067 192.168.2.20:1067 192.168.2.20:23 192.168.2.20:23

Router# show ip nat translations
 
Pro  Inside global      Inside local       Outside local      Outside global
udp  192.168.2.20:1220  192.168.2.95:1220  192.168.2.22:53    192.168.2.20:53
tcp  192.168.2.20:11012 192.168.2.209:11012 171.69.1.220:23   192.168.2.20:23

Enabling Syslog: Example

The following example shows how to enable the syslog for logging NAT translation entries:

Router(config)# logging on
Router(config)# logging 10.1.1.1
Router(config)# logging trap informational
Router(config)# ip nat log translations syslog

The format of NAT information logged (for example, for ICMP Ping via NAT Overload configurations) will be as follows:

Apr 25 11:51:29 [10.0.19.182.204.28] 1: 00:01:13: NAT:Created icmp 135.135.5.2:7171 12.106.151.30:7171 54.45.54.45:7171 54.45.54.45:7171
Apr 25 11:52:31 [10.0.19.182.204.28] 8: 00:02:15: NAT:Deleted icmp 135.135.5.2:7172 12.106.151.30:7172 54.45.54.45:7172 54.45.54.45:7172

Additional References

The following sections provide references related to Monitoring and Maintaining NAT.

Related Documents

Related Topic
Document Title

NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Addressing Services Command Reference

IP addressing configuration tasks, concepts, and examples

Cisco IOS XE IP Addressing Services Configuration Guide

Resource Manager and Syslog Analysis

Resource Manager Essentials and Syslog Analysis: How-To


Standards

Standard
Title

None


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

None


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Monitoring and Maintaining NAT

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.


Table 1 Feature Information for Monitoring and Maintaining NAT

Feature Name
Releases
Feature Information

NAT—Forced Clear of Dynamic NAT Half-Entries

Cisco IOS XE
Release 2.4.2

A second forced keyword was added to the clear ip nat translation command to enable the removal of half-entries regardless of whether they have any child translations.

Filter the display of the translation table by specifying an inside or outside address.

Cisco IOS XE
Release 2.4.2

The show ip nat translations command was extended to include the inside and outside keywords.

NAT—Syslog

Cisco IOS XE
Release 2.1

Syslog Analysis lets you centrally log and track system error messages, exceptions, and other information (such as NAT translations). You can use the logged error message data to analyze router and network performance. You can customize Syslog Analysis to produce the information and message reports important to your operation.