Verifying and Troubleshooting NAT Configurations.


Verifying NAT and NAT Overload:
It is important to verify NAT operation. There are several useful router commands to view and clear NAT translations. This topic explains how to verify NAT operation using tools available on Cisco routers.
One of the most useful commands when verifying NAT operation is the show ip nat translations command. Before using the show commands to verify NAT, clear any dynamic translation entries that might still be present from earlier traffic; by default, dynamic address translations are removed from the NAT translation table only after a period of non-use, so stale entries can otherwise mask what the current configuration is doing.
Notice that the output of the show ip nat translations command displays the details of the two NAT assignments. Adding verbose to the command displays additional information about each translation, including how long ago the entry was created and used.
The command displays all static translations that have been configured as well as any dynamic translations that have been created by traffic. Each translation is identified by protocol as well as inside and outside local and global addresses.
The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.
Alternatively, use the show run command and look for the NAT, access list, interface, or pool commands with the required values. Examine these carefully and correct any errors you discover.
By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the ip nat translation timeout timeout_seconds command in global configuration mode.
Click the Cleared NAT button in the figure.
It is sometimes useful to clear the dynamic entries sooner than the default. This is especially true when testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the clear ip nat translation global command.
Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the translation table.
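The checks described above (are the expected translations present, which entries are static and therefore survive a clear, and is overload/PAT actually sharing one inside global address) can be automated over saved show ip nat translations output. The following is an added example written for this page, not code from the original post or from Cisco; the sample output is constructed, and the five-column layout it assumes (Pro, Inside global, Inside local, Outside local, Outside global, with --- for an absent value) is the layout the text describes.

```python
# Parser for "show ip nat translations" output (added example; sample data constructed).
# Static entries show "---" for the protocol and both outside columns; overload (PAT)
# entries carry a port on every address and share one inside global address.

# Constructed sample output, not captured from a real router. Addresses are from
# documentation ranges: one static entry plus three overload entries.
SAMPLE_TRANSLATIONS = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 209.165.200.226       192.168.10.254        ---                   ---
tcp 209.165.200.225:1024  192.168.10.10:1024    209.165.202.129:23    209.165.202.129:23
tcp 209.165.200.225:1025  192.168.10.11:1024    209.165.202.129:80    209.165.202.129:80
udp 209.165.200.225:53123 192.168.10.11:53123   209.165.202.130:53    209.165.202.130:53
"""


def split_addr(field):
    """Split 'a.b.c.d:port' into (address, port). '---' means no value."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, (int(port) if port else None)


def parse_nat_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto, ig, il, ol, og = cols
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries


def is_static(entry):
    """A static translation has no protocol and no outside addresses; it is not
    removed by 'clear ip nat translation *' and never times out."""
    return entry["proto"] is None and entry["outside_global"] == (None, None)


def find_translation(entries, inside_local):
    """Troubleshooting step 2: list the translations that exist for an inside host."""
    return [e for e in entries if e["inside_local"][0] == inside_local]


def overload_groups(entries):
    """Map each dynamically used inside global address to the inside local
    addresses behind it. More than one inside local per inside global means
    NAT overload (PAT) is in effect for that address."""
    groups = {}
    for e in entries:
        if is_static(e):
            continue
        groups.setdefault(e["inside_global"][0], set()).add(e["inside_local"][0])
    return groups


if __name__ == "__main__":
    entries = parse_nat_translations(SAMPLE_TRANSLATIONS)
    print(len(entries), "translations,", sum(map(is_static, entries)), "static")
    print("192.168.10.11 ->", find_translation(entries, "192.168.10.11"))
    print("overload groups:", overload_groups(entries))
```

Paste the router's actual output in place of the constructed sample; an empty result from find_translation for a host that should be translated points at the access list, the inside/outside interface assignment, or an exhausted pool.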

Troubleshooting NAT and NAT Overload Configuration:
When you have IP connectivity problems in a NAT environment, it is often difficult to determine the cause of the problem. The first step in solving your problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:
Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.
Step 2. Verify that correct translations exist in the translation table using the show ip nat translations command.
Step 3. Use the clear and debug commands to verify that NAT is operating as expected. Check to see if dynamic entries are recreated after they are cleared.
Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet.
Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.
When decoding the debug output, note what the following symbols and values indicate:
* - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
s= - Refers to the source IP address.
a.b.c.d--->w.x.y.z - Indicates that source address a.b.c.d is translated to w.x.y.z.
d= - Refers to the destination IP address.
[xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.
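To make the decoding rules above concrete, here is an added example (written for this page, not code from the original post or from Cisco) that parses saved debug ip nat lines into the fields just described and then checks the claim that the first packet of a conversation is process-switched while later ones carry the asterisk. The sample lines are constructed; the parser accepts both the a.b.c.d--->w.x.y.z form shown in the text and the shorter a.b.c.d->w.x.y.z form.

```python
# Decoder for "debug ip nat" lines (added example; sample lines constructed).
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# NAT[*]: s=<src>[->xlat], d=<dst>[->xlat] [<ip id>]
DEBUG_LINE = re.compile(
    r"^NAT(?P<fast>\*)?: s=(?P<src>%s)(?:-+>(?P<src_xlat>%s))?, "
    r"d=(?P<dst>%s)(?:-+>(?P<dst_xlat>%s))? \[(?P<ip_id>\d+)\]$" % (IP, IP, IP, IP)
)

# Constructed sample, not captured from a real router: one telnet conversation
# from inside host 192.168.10.10 to outside host 209.165.202.129.
SAMPLE_DEBUG = """\
NAT: s=192.168.10.10->209.165.200.225, d=209.165.202.129 [10]
NAT: s=209.165.202.129, d=209.165.200.225->192.168.10.10 [11]
NAT*: s=192.168.10.10->209.165.200.225, d=209.165.202.129 [12]
NAT*: s=209.165.202.129, d=209.165.200.225->192.168.10.10 [13]
NAT*: s=192.168.10.10->209.165.200.225, d=209.165.202.129 [14]
"""


def parse_debug_line(line):
    """Decode one line into its fields, or return None for a non-matching line."""
    m = DEBUG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "fast_switched": d["fast"] == "*",   # asterisk: fast-switched path
        "src": d["src"], "src_translated": d["src_xlat"],
        "dst": d["dst"], "dst_translated": d["dst_xlat"],
        "ip_id": int(d["ip_id"]),            # bracketed IP identification number
    }
    if d["src_xlat"]:
        rec["direction"] = "inside->outside"   # inside local source was translated
    elif d["dst_xlat"]:
        rec["direction"] = "outside->inside"   # inside global destination was translated
    else:
        rec["direction"] = "untranslated"
    return rec


def parse_debug(text):
    return [r for r in (parse_debug_line(l) for l in text.splitlines()) if r]


def conversation_key(rec):
    """(inside local address, outside address), the same for both directions."""
    if rec["direction"] == "outside->inside":
        return (rec["dst_translated"], rec["src"])
    return (rec["src"], rec["dst"])


def switching_summary(records):
    """Per conversation: how many packets were process-switched vs fast-switched,
    and whether the first packet seen was process-switched (no asterisk)."""
    summary = {}
    for r in records:
        s = summary.setdefault(conversation_key(r),
                               {"process": 0, "fast": 0, "first_process_switched": None})
        if s["first_process_switched"] is None:
            s["first_process_switched"] = not r["fast_switched"]
        s["fast" if r["fast_switched"] else "process"] += 1
    return summary


if __name__ == "__main__":
    for key, stats in switching_summary(parse_debug(SAMPLE_DEBUG)).items():
        print(key, stats)
```

A conversation whose packets never gain the asterisk, or an inside host whose lines show direction "untranslated", is the kind of anomaly the debug output is meant to surface; the IP identification numbers let you line those packets up against a packet capture taken on either side of the router.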
You can view the following demonstrations about verifying and troubleshooting NAT at these sites:
Flash Animation Case Study: Can Ping Host, but Cannot Telnet: This is a seven-minute Flash animation on why a device can ping the host, but cannot telnet: http://www.cisco.com/warp/public/556/index.swf.
Flash Animation Case Study: Cannot Ping Beyond NAT: This is a ten-minute Flash animation on why a device cannot ping beyond NAT: http://www.cisco.com/warp/public/556/TS_NATcase2/index.swf.
