Troubleshooting NAT
Cisco NAT enables you to do a lot, and the configurations are straightforward. If it does not work, you can spot a few common causes by asking the following questions:
Do the dynamic pools contain the correct range of addresses?
Is there any overlap between dynamic pools?
Is there any overlap between addresses used for static mapping and the addresses in the dynamic pools?
Do the access lists specify the correct addresses to be translated? Are any addresses left out? Are any addresses included that should not be included?
Are the correct inside and outside interfaces specified?
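The checklist above can be run mechanically against a running-config before anything else is debugged. The following Python is an added example, not from the original page or from Cisco: it parses the NAT statements from a constructed IOS configuration excerpt (the pool names, access-list number, interface names and addresses are made up for the example) and reports overlapping dynamic pools, static global addresses that fall inside a pool, access lists or pools that NAT refers to but that are not defined, inside subnets that no NAT access list matches, and a missing inside or outside interface role. Whether an access list includes addresses that should not be translated still needs someone who knows the design intent.

```python
"""Audit a Cisco IOS NAT configuration for the problems in the checklist above."""
import ipaddress
import re

# Constructed running-config excerpt (not from the original page). It
# deliberately contains two of the mistakes the checklist asks about: the
# two pools overlap, and a static global address falls inside POOL-A.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
ip nat pool POOL-A 198.51.100.10 198.51.100.19 netmask 255.255.255.0
ip nat pool POOL-B 198.51.100.15 198.51.100.30 netmask 255.255.255.0
ip nat inside source list 1 pool POOL-A
ip nat inside source static 10.0.0.5 198.51.100.12
access-list 1 permit 10.0.0.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    base = int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wild.bit_length()))

def parse_nat_config(text):
    """Collect the NAT-relevant statements from an IOS running-config."""
    cfg = {"pools": {}, "statics": [], "dynamic": [], "acls": {},
           "if_nets": {}, "inside": [], "outside": []}
    iface = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):                        # interface sub-command
            cmd = line.strip()
            if iface and cmd in ("ip nat inside", "ip nat outside"):
                cfg[cmd.split()[-1]].append(iface)
            elif iface and (m := re.match(r"ip address (\S+) (\S+)$", cmd)):
                cfg["if_nets"][iface] = ipaddress.IPv4Network(m.groups(), strict=False)
            continue
        iface = None                                    # back at global config level
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            name, start, end = m.groups()
            cfg["pools"][name] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            cfg["statics"].append(tuple(ipaddress.IPv4Address(a) for a in m.groups()))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            cfg["dynamic"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) permit (.+)", line):   # standard ACL permits
            acl, toks = m.group(1), m.group(2).split()
            if toks[0] == "any":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif toks[0] == "host":
                net = ipaddress.IPv4Network(toks[1])
            else:
                net = wildcard_to_network(*toks[:2])
            cfg["acls"].setdefault(acl, []).append(net)
    return cfg

def audit_nat(cfg):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    pools = cfg["pools"]
    names = sorted(pools)
    for i, a in enumerate(names):                       # pool-to-pool overlap
        for b in names[i + 1:]:
            lo, hi = max(pools[a][0], pools[b][0]), min(pools[a][1], pools[b][1])
            if lo <= hi:
                findings.append(f"pools {a} and {b} overlap on {lo}-{hi}")
    for local, glob in cfg["statics"]:                  # static global inside a pool
        for name, (start, end) in pools.items():
            if start <= glob <= end:
                findings.append(f"static global {glob} for {local} lies inside pool {name}")
    for acl, pool in cfg["dynamic"]:                    # dangling references
        if acl not in cfg["acls"]:
            findings.append(f"access-list {acl} used by NAT is not defined")
        if pool not in pools:
            findings.append(f"pool {pool} used by NAT is not defined")
    nat_acl_nets = [n for acl, _ in cfg["dynamic"] for n in cfg["acls"].get(acl, [])]
    for iface in cfg["inside"]:                         # inside subnets the ACLs leave out
        net = cfg["if_nets"].get(iface)
        if net and not any(net.subnet_of(c) for c in nat_acl_nets):
            findings.append(f"inside network {net} on {iface} is not matched by any NAT access list")
    for role in ("inside", "outside"):                  # interface roles
        if not cfg[role]:
            findings.append(f"no interface is marked ip nat {role}")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(parse_nat_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Run against the sample it reports the pool overlap and the static address inside POOL-A; removing POOL-B and moving the static global address out of the pool makes the audit pass. Only standard access lists in address/wildcard, host and any form are parsed; extended or named access lists would need their own patterns.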
One of the most common problems with a new NAT configuration is not NAT itself, but routing. Remember that you are changing a source or destination address in a packet; after the translation, does the router know what to do with the new address?
Another problem can be timeouts. If a translated address is cached in some system after the dynamic entry has timed out of the NAT table, packets can be sent to the wrong address (for example, to a pool address that has since been handed to a different inside host), or the destination may seem to have disappeared. Besides the ip nat translation timeout command already discussed, you can change several other default timeouts. Table 4-3 lists all the keywords you can use with the ip nat translation command and the default values of the timeout periods. You can change all the defaults within a range of 0 to 2,147,483,647 seconds.
Table 4-3 Dynamic NAT Table Timeout Values

Keyword (ip nat translation ...)   Default Period (in Seconds)   Description
timeout                            86,400 (24 hours)             Timeout for all non-port-specific dynamic translations
dns-timeout                        60                            Timeout for DNS connections
finrst-timeout                     60                            Timeout after TCP FIN or RST flags are seen (closing a TCP session)
icmp-timeout                       60                            Timeout for ICMP translations
port-timeout tcp                   60                            Timeout for TCP port translations
port-timeout udp                   60                            Timeout for UDP port translations
syn-timeout                        60                            Timeout after a TCP SYN flag is seen and no further session packets follow
tcp-timeout                        86,400 (24 hours)             Timeout for TCP translations (non-port-specific)
udp-timeout                        300 (5 minutes)               Timeout for UDP translations (non-port-specific)
Theoretically, there is no limit on the number of mappings that the NAT table can hold. Practically, memory and CPU or the boundaries of the available addresses or ports place a limit on the number of entries. Each NAT mapping uses approximately 160 bytes of memory. In the rare case where the entries must be limited either for performance or policy reasons, you can use the ip nat translation max-entries command.
Another useful command for troubleshooting is show ip nat statistics, as demonstrated in Example 4-32. This command displays a summary of the NAT configuration, as well as counts of active translation types, hits to an existing mapping, misses (causing an attempt to create a mapping), and expired translations. For dynamic pools, the type of pool, the total available addresses, the number of allocated addresses, the number of failed allocations, and the number of translations using the pool (refcount) appear.
Example 4-32 show ip nat statistics Displays Many Useful Details for Analyzing and Troubleshooting Your NAT Configuration
StCroix#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 3 extended)
Outside interfaces: Serial0, Serial1.708, Serial1.709
Inside interfaces: Ethernet0, Ethernet1
Hits: 980  Misses: 43
Expired translations: 54
Dynamic mappings:
-- Inside Source
access-list 1 interface Serial0 refcount 0
StCroix#
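Reading the counters by eye is fine for one router; the following Python is an added example (not from the original page or from Cisco) that parses the command output into a dictionary and applies the checks a practitioner makes from it: a pool whose addresses are all allocated while allocations are still failing, a mapping with refcount 0 that ought to be carrying traffic, a high share of misses, and a missing inside or outside interface. The sample output is constructed: it follows the layout of Example 4-32 but adds a dynamic pool (POOL-A and access-list 2 are made-up names) so that the pool counters appear, and the 25 percent miss-ratio threshold is an illustrative choice, not an IOS value. Field layout differs between IOS releases, so the regular expressions may need adjusting for yours.

```python
"""Parse 'show ip nat statistics' output and flag the counters worth a second look."""
import re

# Constructed output (not from the original page), modelled on the IOS
# layout with a dynamic pool added so that the pool counters are visible.
SAMPLE_STATS = """\
Total active translations: 13 (2 static, 11 dynamic; 13 extended)
Outside interfaces: Serial0, Serial1.708, Serial1.709
Inside interfaces: Ethernet0, Ethernet1
Hits: 980  Misses: 43
Expired translations: 54
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool POOL-A refcount 11
 pool POOL-A: netmask 255.255.255.0
        start 198.51.100.10 end 198.51.100.19
        type generic, total addresses 10, allocated 10 (100%), misses 7
[Id: 2] access-list 2 interface Serial0 refcount 0
"""

# Illustrative threshold, not an IOS value: misses are normal for new
# sessions, so only a large share of them hints at churn or short timeouts.
MISS_RATIO_WARN = 0.25

def parse_nat_statistics(text):
    """Extract the counters, interface roles, mappings and pools from the output."""
    stats = {"hits": 0, "misses": 0, "expired": 0, "inside_ifs": [], "outside_ifs": [],
             "mappings": [], "pools": []}
    if m := re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic", text):
        stats["active"], stats["static"], stats["dynamic"] = map(int, m.groups())
    for key, pat in (("hits", r"Hits: (\d+)"), ("misses", r"Misses: (\d+)"),
                     ("expired", r"Expired translations: (\d+)")):
        if m := re.search(pat, text):
            stats[key] = int(m.group(1))
    for m in re.finditer(r"^(Inside|Outside) interfaces: (.*)$", text, re.M):
        stats[m.group(1).lower() + "_ifs"] = [i.strip() for i in m.group(2).split(",") if i.strip()]
    for m in re.finditer(r"access-list (\S+) (pool|interface) (\S+) refcount (\d+)", text):
        stats["mappings"].append({"acl": m.group(1), "kind": m.group(2),
                                  "target": m.group(3), "refcount": int(m.group(4))})
    # "misses" on the pool line are failed allocations; the colon after the
    # pool name keeps this from matching the "pool NAME refcount" mapping line.
    for m in re.finditer(r"pool (\S+):.*?total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)",
                         text, re.S):
        stats["pools"].append({"name": m.group(1), "total": int(m.group(2)),
                               "allocated": int(m.group(3)), "misses": int(m.group(4))})
    return stats

def analyze_nat_statistics(stats):
    """Return human-readable findings; an empty list means nothing stands out."""
    findings = []
    attempts = stats["hits"] + stats["misses"]
    if attempts and stats["misses"] / attempts > MISS_RATIO_WARN:
        findings.append(f"{stats['misses']} of {attempts} lookups missed: heavy session churn "
                        "or translations timing out too early")
    for p in stats["pools"]:                    # every address handed out and still failing
        if p["allocated"] >= p["total"] and p["misses"]:
            findings.append(f"pool {p['name']} exhausted: {p['allocated']}/{p['total']} allocated, "
                            f"{p['misses']} failed allocations")
    for mp in stats["mappings"]:                # a mapping nothing is using
        if mp["refcount"] == 0:
            findings.append(f"mapping access-list {mp['acl']} {mp['kind']} {mp['target']} has refcount 0: "
                            "if traffic should match it, check the access list and interface roles")
    if not stats["inside_ifs"] or not stats["outside_ifs"]:
        findings.append("both an inside and an outside interface are required")
    return findings

if __name__ == "__main__":
    for finding in analyze_nat_statistics(parse_nat_statistics(SAMPLE_STATS)):
        print("CHECK:", finding)
```

On the sample the exhausted pool and the unused second mapping are reported, while the 43 misses against 980 hits are not, since a miss is simply a new session that needed a translation created. Feed it the output of several routers and the findings give you a list of what to look at first.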
Finally, you can manually clear dynamic NAT entries from the NAT table. This is useful if you need to get rid of a particular offending entry without waiting for its timeout to expire, or if you need to clear the entire table to reconfigure an address pool; Cisco IOS Software does not allow you to change or delete an address pool while addresses from the pool are mapped in the NAT table. The clear ip nat translation command clears entries: you can specify a single entry by its global and local addresses, a single TCP or UDP translation by protocol, addresses and ports, or use an asterisk (*) to clear the entire table. Only dynamic entries are cleared; the command does not remove static entries.