<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NAT hit count question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051610#M1068163</link>
    <description>&lt;P&gt;The best approach here: if the hit count is not increasing, disable the NAT rule. Before doing that, also check from the command line with "show nat detail" and "show xlate count".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 24 Mar 2020 20:12:27 GMT</pubDate>
    <dc:creator>balaji.bandi</dc:creator>
    <dc:date>2020-03-24T20:12:27Z</dc:date>
    <item>
      <title>NAT hit count question</title>
      <link>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051568#M1068159</link>
      <description>&lt;P&gt;Is the output of the "show nat" command, which shows the number of hits on NAT rules, a reliable counter in the same way that access-list counters are? That is, unless the counters are cleared or the firewall is rebooted, can I count on these hit counts as an accurate portrayal of what is actually being used? I am trying to clean up an old firewall with a lot of NAT rules, and many show no hits since the last reboot.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Mar 2020 19:26:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051568#M1068159</guid>
      <dc:creator>matthewatt</dc:creator>
      <dc:date>2020-03-24T19:26:18Z</dc:date>
    </item>
    <item>
      <title>Re: NAT hit count question</title>
      <link>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051610#M1068163</link>
      <description>&lt;P&gt;The best approach here: if the hit count is not increasing, disable the NAT rule. Before doing that, also check from the command line with "show nat detail" and "show xlate count".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 24 Mar 2020 20:12:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051610#M1068163</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2020-03-24T20:12:27Z</dc:date>
    </item>
    <item>
      <title>Re: NAT hit count question</title>
      <link>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051877#M1068184</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; Unless you are running a software version with bugs related to the "hit" counters, each new flow that matches a NAT entry, and for which a new session is created through the device, will increase the "hit" value by 1. So yes, you can use the "hit" counters as a reference for which NAT statements are actively matched by traffic and which are not. If you have a NAT statement for which you don't see hits, try simulating traffic that matches that NAT statement via packet-tracer; you will see the "hit" counter increase. Use "clear nat counters" first, to start from zero.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Mar 2020 09:05:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-hit-count-question/m-p/4051877#M1068184</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-25T09:05:06Z</dc:date>
    </item>
  </channel>
</rss>

