NAT Debugs
The most useful command that can be used to troubleshoot NAT is
debug ip packet [access-list | detail]
This debug shows every packet that matches the access list supplied to the command. With a suitably scoped access list, it is usually easy to see what happens to packets as the router forwards them and where they are headed.
Another useful NAT debugging command is
debug ip nat
This command shows the translations being created on the router, as well as the packets that are translated using those NAT entries.
So the two most important NAT debugs are
debug ip packet [access-list | detail]
debug ip nat [access-list | detailed]
Example
Configuration
interface Ethernet0
ip address 10.10.3.4 255.255.255.0
ip nat inside
interface Ethernet1
ip address 172.16.4.4 255.255.255.0
ip nat outside
ip nat pool letmeout 200.200.200.1 200.200.200.4 pre 24
ip nat inside source list 7 pool letmeout
ip route 172.16.6.0 255.255.255.0 172.16.4.6
access-list 7 permit 10.10.3.0 0.0.0.255
Debug Commands
# debug ip packet
# debug ip nat
Debug Outputs
The output shown below is from turning on the debug commands listed earlier.
IP: NAT enab = 1 trans = 0 flags = 80
The NAT debug output below shows a translation of 10.10.3.3 to 200.200.200.1 taking place for traffic headed to the outside local/global address 172.16.6.6. As the IP debug shows, the traffic is ICMP.
NAT: s=10.10.3.3->200.200.200.1, d=172.16.6.6 [30]
IP: s=200.200.200.1 (Ethernet0), d=172.16.6.6 (Ethernet1), g=172.16.4.6, len 100, forward ICMP type=8, code=0
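Reading debug output by eye works for a single ping, but a busy router produces far more lines than that. The following Python script is an added example (not from the original post or from Cisco) that parses lines in the shape of the "debug ip nat" and "debug ip packet" output above and cross-checks each translation against the NAT configuration shown earlier: the inside source must be permitted by access-list 7 (10.10.3.0 0.0.0.255) and the translated address must fall inside the pool letmeout (200.200.200.1 to 200.200.200.4). The sample lines are constructed; the reply-direction "NAT*:" line and the last two lines are made up so that the checks have something to flag.

```python
"""Parse and sanity-check Cisco IOS "debug ip nat" / "debug ip packet" lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the debug output in the post. The first
# three lines mirror it; the remaining lines are made up to exercise the checks.
SAMPLE_DEBUG = """\
IP: NAT enab = 1 trans = 0 flags = 80
NAT: s=10.10.3.3->200.200.200.1, d=172.16.6.6 [30]
IP: s=200.200.200.1 (Ethernet0), d=172.16.6.6 (Ethernet1), g=172.16.4.6, len 100, forward ICMP type=8, code=0
NAT*: s=172.16.6.6, d=200.200.200.1->10.10.3.3 [30]
NAT: s=10.10.9.9->200.200.200.2, d=172.16.6.6 [31]
NAT: s=10.10.3.7->200.200.200.9, d=172.16.6.6 [32]
"""

# "NAT:" (process-switched) or "NAT*:" (fast-switched); the arrow marks the
# rewritten field: source on the way out, destination on the way back in.
NAT_LINE = re.compile(
    r"^NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))? \[(?P<ident>\d+)\]$"
)
PKT_LINE = re.compile(
    r"^IP: s=(?P<s>[\d.]+) \((?P<s_if>\w+)\), d=(?P<d>[\d.]+) \((?P<d_if>\w+)\), "
    r"g=(?P<gw>[\d.]+), len (?P<len>\d+), (?P<action>\w+)"
)


@dataclass
class NatEvent:
    ident: int           # IP identification field shown in [brackets]
    inside_local: str    # address before translation (inside host)
    inside_global: str   # address after translation (pool address)
    outside: str         # the outside peer
    outbound: bool       # True for inside->outside, False for the reply


def parse_nat_line(line: str) -> Optional[NatEvent]:
    """Turn one NAT: line into a NatEvent; returns None for any other line."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    if m["s_xlat"]:   # outbound: the source address was rewritten
        return NatEvent(int(m["ident"]), m["s"], m["s_xlat"], m["d"], True)
    if m["d_xlat"]:   # inbound reply: the destination was mapped back
        return NatEvent(int(m["ident"]), m["d_xlat"], m["d"], m["s"], False)
    return None


def acl_wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'permit 10.10.3.0 0.0.0.255' -> 10.10.3.0/24 (the wildcard is a hostmask)."""
    return ipaddress.IPv4Network((addr, wildcard), strict=False)


def audit(debug_text: str, permitted: ipaddress.IPv4Network,
          pool_start: str, pool_end: str) -> dict:
    """Check every translation against the NAT ACL and the pool range."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    events: List[NatEvent] = []
    findings: List[str] = []
    forwarded = 0
    for line in debug_text.splitlines():
        ev = parse_nat_line(line)
        if ev:
            events.append(ev)
            if ipaddress.ip_address(ev.inside_local) not in permitted:
                findings.append(f"[{ev.ident}] inside host {ev.inside_local} "
                                f"is not permitted by the NAT access list")
            if not (lo <= ipaddress.ip_address(ev.inside_global) <= hi):
                findings.append(f"[{ev.ident}] translated address {ev.inside_global} "
                                f"is outside the pool")
            continue
        m = PKT_LINE.match(line.strip())
        if m and m["action"] == "forward":
            forwarded += 1
    return {"translations": len(events), "forwarded": forwarded, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_DEBUG, acl_wildcard_to_network("10.10.3.0", "0.0.0.255"),
                   "200.200.200.1", "200.200.200.4")
    print(f"{result['translations']} translations, {result['forwarded']} packets forwarded")
    for f in result["findings"]:
        print("FINDING:", f)
```

On the sample above the script reports four translations and one forwarded packet, and flags two lines: a translation for 10.10.9.9, which access-list 7 does not permit, and a translation to 200.200.200.9, which lies outside the pool. Either would point at a mismatch between the running configuration and the one you think is in place. To run it against real output, paste the terminal log into a file and pass its contents to audit() with the ACL and pool values from your own configuration.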