Debugging NAT
Problem
You want to debug a NAT problem.
Solution
Cisco routers include a simple but useful debug facility for NAT. The basic form of the command is debug ip nat:
Router#debug ip nat
You can also add the detailed keyword to this command to get more information on each NAT event:
Router#debug ip nat detailed
It is often useful to use an access-list with the debug command. You can do this by simply specifying the number of the access-list. This restricts the output to NAT events for the IP addresses that the access-list permits:
Router#debug ip nat 15
You can also combine an access-list with the detailed keyword for more focused debugging:
Router#debug ip nat 15 detailed
Discussion
The following shows some typical log entries:
Router#terminal monitor
Router#debug ip nat
Sep 8 19:51:08.396 EDT: NAT: s=192.168.3.1->192.168.19.1, d=192.168.3.2 [0]
Sep 8 19:51:11.560 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [4909]
Sep 8 19:51:11.568 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4909]
Sep 8 19:51:11.572 EDT: NAT: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4909]
Sep 8 19:51:12.552 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [4911]
Sep 8 19:51:12.564 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4911]
This particular trace follows a simple series of PING packets. The interior device 192.168.1.10 sends ICMP PING packets to the external destination 192.168.3.2. The router rewrites the internal address as 192.168.19.55 ...
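As an added example that is not part of the original recipe, the following Python parser reads debug ip nat lines of the form shown above. It splits each event into the fast-switched flag (NAT* versus NAT), source, destination, translated addresses and the bracketed IP identification, builds the inside-to-global mapping the trace implies, and reports any inside host translated to a global address outside an expected pool. The embedded log is constructed to match the trace above, and the pool passed to outside_pool is an assumed value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Constructed sample in the shape of the trace above (not captured from a live router).
SAMPLE_LOG = """\
Sep 8 19:51:08.396 EDT: NAT: s=192.168.3.1->192.168.19.1, d=192.168.3.2 [0]
Sep 8 19:51:11.560 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [4909]
Sep 8 19:51:11.568 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4909]
Sep 8 19:51:11.572 EDT: NAT: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4909]
Sep 8 19:51:12.552 EDT: NAT*: s=192.168.1.10->192.168.19.55, d=192.168.3.2 [4911]
Sep 8 19:51:12.564 EDT: NAT*: s=192.168.3.2, d=192.168.19.55->192.168.1.10 [4911]
"""
# Optional timestamp, "NAT" or "NAT*" (fast-switched), s= and d= each with an
# optional "->translated" part, then the IP identification in brackets.
LINE_RE = re.compile(
    r"^(?:(?P<ts>.*?): )?NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ipid>\d+)\]$")

@dataclass
class NatEvent:
    ts: Optional[str]
    fast_switched: bool        # True for "NAT*" lines
    src: str
    src_xlated: Optional[str]  # inside->global rewrite of the source, if any
    dst: str
    dst_xlated: Optional[str]  # global->inside rewrite of the destination, if any
    ip_id: int                 # IP identification, shared by a request and its reply

def parse_nat_debug(text: str) -> List[NatEvent]:
    # Prompts and other non-NAT console lines do not match and are skipped.
    events = []
    for m in filter(None, (LINE_RE.match(ln.strip()) for ln in text.splitlines())):
        events.append(NatEvent(m["ts"], m["fast"] == "*", m["s"], m["s2"],
                               m["d"], m["d2"], int(m["ipid"])))
    return events

def translation_table(events: List[NatEvent]) -> Dict[str, Set[str]]:
    """Map each inside address to every global address the router translated it to."""
    table: Dict[str, Set[str]] = {}
    for e in events:
        if e.src_xlated:   # outbound packet: s=inside->global
            table.setdefault(e.src, set()).add(e.src_xlated)
        if e.dst_xlated:   # inbound packet: d=global->inside
            table.setdefault(e.dst_xlated, set()).add(e.dst)
    return table

def outside_pool(events: List[NatEvent], pool: Set[str]) -> Dict[str, Set[str]]:
    """Inside hosts that received a global address outside the expected NAT pool (assumed policy)."""
    return {h: g - pool for h, g in translation_table(events).items() if g - pool}
```

Feeding the parser a longer capture and comparing translation_table against the configured pool is a quick way to spot a translation the NAT rules were not meant to produce.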