Troubleshooting NAT

The debug ip nat command can assist you when troubleshooting NAT problems. In the
following output, the source address 10.1.2.5 is sending a packet to the destination
address 206.1.2.5. An arrow (->) indicates that a packet's source address was translated.
An asterisk (*) indicates that a packet is traveling through the fast path, or the hardware
processing path. A packet in a conversation with another node will always first travel through
a process-switched slow path, or the software processing path. Additional packets in that
flow will go through the fast path if there is a cache entry for the source and destination addresses.
Here is the output from the described scenario:
BorderRouter#debug ip nat
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [0]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [0]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [1]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [2]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [3]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [4]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [5]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [6]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [2]
Two parameters can be used with the debug ip nat command: list and
detailed. The value in brackets is the IP identification number. This information
enables you to correlate these trace packets with other packet traces from
sniffers used for troubleshooting in the network. (Sniffers are devices that can
be used to look at the traffic flowing through the network.)
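
The following Python sketch is an added example, not part of the original text. It parses the debug lines shown above and builds, for each packet, a Wireshark display filter for the addresses before and after translation, so the entry can be matched by IP identification number in a sniffer trace. The function names are hypothetical, and it assumes the bracket value is printed in decimal.

```python
import re

# Debug output copied from the page, including the prompt line (which is skipped).
SAMPLE = """\
BorderRouter#debug ip nat
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [0]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [0]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [1]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [2]
"""

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE = re.compile(
    rf"^NAT(?P<fast>\*)?: s=(?P<s>{ADDR})(?:->(?P<s_new>{ADDR}))?, "
    rf"d=(?P<d>{ADDR})(?:->(?P<d_new>{ADDR}))? \[(?P<ipid>\d+)\]\s*$"
)

def parse_line(line):
    """Return one translation record, or None for lines that are not NAT debug."""
    m = LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "fast_path": g["fast"] is not None,   # asterisk after NAT
        "before": (g["s"], g["d"]),           # addresses as the packet arrived
        "after": (g["s_new"] or g["s"], g["d_new"] or g["d"]),
        "translated": "source" if g["s_new"] else "destination" if g["d_new"] else None,
        "ip_id": int(g["ipid"]),              # bracket value, assumed decimal
    }

def capture_filter(rec, side):
    """Wireshark display filter for the packet on one side of the router."""
    src, dst = rec[side]
    return f"ip.src=={src} && ip.dst=={dst} && ip.id=={rec['ip_id']}"

def parse_debug(text):
    """Parse a whole debug capture, dropping prompts and unrelated lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]

if __name__ == "__main__":
    for rec in parse_debug(SAMPLE):
        path = "fast" if rec["fast_path"] else "process"
        print(path, rec["translated"], capture_filter(rec, "before"),
              "=>", capture_filter(rec, "after"))
```

Use the "before" filter on a capture taken on the side the packet arrived from and the "after" filter on the other side of the router.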