Occasionally, NAT is properly configured but translations are not occurring. Most of the time,
clearing the NAT translations resolves the problem. Table 31.1 shows the available commands
for clearing the NAT table.
TABLE 31.1 Commands Available to Clear the NAT Table

Command: clear ip nat translation *
Meaning: Clears all NAT table entries.

Command: clear ip nat translation inside global-ip
Meaning: Clears all inside NAT table simple translation entries.

Command: clear ip nat translation outside local-ip
Meaning: Clears all outside NAT table simple translation entries.

Command: clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Meaning: Clears all NAT table extended entries.
Troubleshooting NAT
Using the debug ip nat command can assist you when troubleshooting NAT problems. In the
following output, you will notice that the source address 10.1.2.5 is sending a packet to the destination
address 206.1.2.5. An arrow (->) indicates that a packet's source address was translated.
An asterisk (*) indicates that a packet is traveling through the fast path or the hardware
processing path. The first packet of a conversation with another node always travels through
the process-switched slow path (the software processing path). Additional packets in that
flow go through the fast path once there is a cache entry for the source and destination address.
Here is the output from the described scenario:
BorderRouter#debug ip nat
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [0]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [0]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [1]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [2]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [3]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [4]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [5]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [6]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [2]
Two parameters can be used with the debug ip nat command: list and
detailed. The value in brackets is the IP identification number. This information
enables you to correlate these trace packets with other packet traces from
sniffers used for troubleshooting in the network. (Sniffers are devices that can
be used to look at the traffic flowing through the network.)
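To make the arrow, the NAT* marker and the bracketed IP ID usable for correlation, here is an added Python parser for debug ip nat lines (example code written for this page, not from the book or from Cisco; SAMPLE_DEBUG is a constructed sample in the same format as the output above). It reports slow-path versus fast-path packets per direction and collects the IP IDs you would match against a sniffer capture.

```python
import re
# Constructed sample in the same format as the debug ip nat output above.
SAMPLE_DEBUG = """\
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [0]
NAT: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [0]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [1]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [1]
NAT: s=10.1.2.5->200.1.2.25, d=206.1.2.5 [2]
NAT*: s=206.1.2.5, d=200.1.2.25->10.1.2.5 [2]
"""

# NAT or NAT* prefix, s=<src>[-><translated>], d=<dst>[-><translated>], [ip-id]
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*)?: s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))? \[(?P<ipid>\d+)\]$"
)

def parse_debug_ip_nat(text):
    """Return one dict per NAT line; prompts and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "src": d["src"], "src_after": d["src_x"] or d["src"],
            "dst": d["dst"], "dst_after": d["dst_x"] or d["dst"],
            "fast_path": d["fast"] == "*",   # NAT* means fast path
            "ip_id": int(d["ipid"]),         # bracketed IP identification
            # arrow on the source means an inside->outside packet
            "direction": "outbound" if d["src_x"] else "inbound",
        })
    return events

def path_summary(events):
    """Count slow-path vs fast-path packets per direction."""
    counts = {}
    for e in events:
        key = (e["direction"], "fast" if e["fast_path"] else "slow")
        counts[key] = counts.get(key, 0) + 1
    return counts

def ip_ids_by_direction(events):
    """IP IDs seen per direction, for matching against a sniffer capture."""
    ids = {}
    for e in events:
        ids.setdefault(e["direction"], []).append(e["ip_id"])
    return ids
```

Inbound and outbound IP IDs are independent counters set by the two end hosts, which is why they are kept per direction rather than merged.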
Verifying NAT Configuration
To aid in verifying the configuration of NAT, you can use two specific commands. The show ip
nat translation command displays the translations in the NAT table, as shown in the following
simple example:
BorderRouter(config)#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 200.1.1.25 10.1.1.25 --- ---
--- 200.1.1.26 10.1.1.26 --- ---
You can use the same command with an additional parameter to get more information about
each NAT table entry. The show ip nat translation verbose command displays more
information about each NAT table entry, such as the time left until the entry in the NAT table
expires, as shown here:
BorderRouter(config)#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
--- 200.1.1.25 10.1.1.25 --- ---
create 00:05:01, use 00:00:00, left 23:12:40, flags: none
--- 200.1.1.26 10.1.1.26 --- ---
create 00:04:29, use 00:00:00, left 23:13:10, flags: none
The second command is used to display statistics and configuration information about NAT
running on the router. The show ip nat statistics command displays information about
the NAT table, as shown here:
BorderRouter(config)# show ip nat statistics
Total active translations:2(0 static, 2 dynamic,0 extended)
Outside interfaces: Loopback 0, Serial1
Inside interface: Serial0
Hits: 243 Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 2 pool insidepool refcount 1
pool insidepool: netmask 255.255.255.0
start 200.1.1.1 end 200.1.1.4
type generic,total address 5,allocated 2 (50%),misses 0
Configuring NAT to Perform Overlapping Address Translation
Configuring NAT to perform overlapping address translation is similar to configuring dynamic
NAT. The difference is that you must identify and apply a pool of addresses for the NAT border
router interface connecting to the inside network interface, as well as a pool to allow for connection
to the outside network.
You will start the NAT configuration process in global configuration mode. The pool of
addresses used in the inside network is 10.1.2.1 to 10.1.2.254. On the outside interface, you will
configure a smaller pool of addresses that are globally routable on the Internet, assuming not
all 100 of your PCs will need to access the outside network at the same time. The pool of
addresses you will configure will be 200.1.1.1 to 200.1.1.50. It is assumed that the NAT border
router is configured with routing, and the interfaces are configured with the proper IP addresses.
Again, assume that your inside network is connected to the Ethernet 0 interface on the router,
and the serial 0 interface connects your NAT border router to the outside network.
To configure the NAT router to perform overlapping address translation, complete the following
steps:
1. Define a standard IP access list for the IP addresses on the inside network, as discussed earlier
in the “Configuring Dynamic NAT, Inside Global Address Overloading, and TCP Load
Distribution” section. The access list needs to be configured to permit traffic on the inside
network that needs to be translated by NAT:
BorderRouter(config)#access-list 2 permit 10.1.2.0 0.0.0.255
2. Define an IP NAT pool for the inside network addresses. The pool name will be called
outsidepool, and the range of addresses is 192.168.1.1 to 192.168.1.253. The final syntax
indicates the number of bits for the subnet mask. You can also use the command
netmask 255.255.255.0 as shown in step 3, which also identifies a 24-bit subnet mask.
The pool does not include address 192.168.1.254 because that is the NAT border router’s
inside interface IP address:
BorderRouter(config)#ip nat pool outsidepool 192.168.1.1 192.168.1.253 prefix-length 24
3. Define an IP NAT pool for the inside local network addresses. The pool name will be called
insidepool, and the range of addresses is 200.1.1.1 to 200.1.1.50:
BorderRouter(config)#ip nat pool insidepool 200.1.1.1 200.1.1.50 netmask 255.255.255.0
4. Next, associate the previously created access list to the previously created inside NAT pool
with the following command:
BorderRouter(config)#ip nat inside source list 2 pool insidepool
Again, you can use the overload command after the NAT pool name to reuse
IP addresses in the pool.
5. Also, associate the same access list used in the previous command to the outside NAT pool
with the following command:
BorderRouter(config)#ip nat outside source list 2 pool outsidepool
6. For NAT to work, you must first configure the interface that connects your inside network
to the router. To configure Ethernet 0 as the inside NAT interface, use the following commands
from global configuration mode:
BorderRouter(config)#interface e0
BorderRouter(config-if)#ip nat inside
BorderRouter(config-if)#
7. Next, you need to enable NAT on the serial 0 interface connected to your outside network.
From global configuration mode, use the following commands:
BorderRouter(config)#interface s0
BorderRouter(config-if)#ip nat outside
BorderRouter(config-if)#
The finished NAT router configuration follows:
ip nat pool insidepool 200.1.1.1 200.1.1.50 netmask 255.255.255.0
ip nat pool outsidepool 192.168.1.1 192.168.1.253 prefix-length 24
ip nat outside source list 2 pool outsidepool
ip nat inside source list 2 pool insidepool
!
interface Serial0
ip address 200.1.1.51 255.255.255.0
ip nat outside
!
interface Ethernet0
ip address 10.1.2.254 255.255.255.0
ip nat inside
!
access-list 2 permit 10.1.2.0 0.0.0.255
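An added consistency check for the finished configuration above (example code written for this page, not from the book or from Cisco IOS; NAT_CONFIG is that configuration re-typed as a constructed sample). It verifies that each ip nat source mapping points to an existing access list and pool, that no pool range contains a router interface address (the reason step 2 leaves 192.168.1.254 out of the pool), and that one interface is marked inside and one outside.

```python
import re
from ipaddress import ip_address

# Constructed sample: the finished NAT configuration from the text above.
NAT_CONFIG = """\
ip nat pool insidepool 200.1.1.1 200.1.1.50 netmask 255.255.255.0
ip nat pool outsidepool 192.168.1.1 192.168.1.253 prefix-length 24
ip nat outside source list 2 pool outsidepool
ip nat inside source list 2 pool insidepool
interface Serial0
 ip address 200.1.1.51 255.255.255.0
 ip nat outside
interface Ethernet0
 ip address 10.1.2.254 255.255.255.0
 ip nat inside
access-list 2 permit 10.1.2.0 0.0.0.255
"""
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"^ip nat (inside|outside) source list (\d+) pool (\S+)")
ACL_RE = re.compile(r"^access-list (\d+) ")

def check_nat_config(text):
    """Return a list of findings; an empty list means the pieces fit together."""
    pools, maps, acls, roles, addrs, iface = {}, [], set(), {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := MAP_RE.match(line):
            maps.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.add(m[1])
        elif line.startswith("interface "):
            iface = line.split()[1]          # following lines belong to it
        elif iface and line.startswith("ip address "):
            addrs[iface] = ip_address(line.split()[2])
        elif iface and line in ("ip nat inside", "ip nat outside"):
            roles[iface] = line.split()[2]
    findings = []
    for side, acl, pool in maps:            # steps 4 and 5: references resolve
        if acl not in acls or pool not in pools:
            findings.append(f"{side} mapping: missing access-list {acl} or pool {pool}")
    for name, (lo, hi) in pools.items():    # step 2: pools exclude router addresses
        for ifname, addr in addrs.items():
            if lo <= addr <= hi:
                findings.append(f"pool {name} contains {ifname} address {addr}")
    for side in ("inside", "outside"):      # steps 6 and 7: both roles assigned
        if side not in roles.values():
            findings.append(f"no interface marked ip nat {side}")
    return findings
```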