Debugging NAT
Problem
You want to debug a NAT problem.
Solution
Cisco routers include a simple but useful debug facility for NAT. The basic form of the command is debug ip nat:
Router#debug ip nat
You can also add the detailed keyword to this command to get more information on each NAT event:
Router#debug ip nat detailed
It is often useful to use an access-list with the debug command. You can do this by simply specifying the number of the access-list. This will allow you to just look at NAT events for particular IP addresses that are permitted by the access-list:
Router#debug ip nat
15
You can also combine an access-list with the detailed keyword for more focused debugging:
Router#debug ip nat
15
detailed
Discussion
The following shows some typical log entries:
Router#terminal monitor
Router#debug ip nat
Sep 8 19:51:08.396 EDT: NAT: s=192.168.3.1->192.168.19.1, d=192.168.3.2 [0] Sep 8 19:51:11.560 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [490 9] Sep 8 19:51:11.568 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [490 9] Sep 8 19:51:11.572 EDT: NAT: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4909 ] Sep 8 19:51:12.552 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [491 1] Sep 8 19:51:12.564 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [491 1]
This particular trace follows a simple series of PING packets.
The interior device 192.168.1.10
sends ICMP PING packets to the external destination 192.168.3.2
. The router rewrites the
internal address as 192.168.19.55 ...
Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.