topic Show NAT tranlations on ASA in Network Security

Show NAT tranlations on ASA

Sean Graham — Tue, 12 Mar 2019 05:59:13 GMT

I want to be able to see the actual NAT translations on my 5545 ASA. Basically, I need the equivalent of "show ip nat translations" that a router would have. I opened a case with TAC and they couldn't help me. It seems like a basic trouble shooting command to get a table of translations.

Show xlate, show nat, show conn, and show local-host conn doesn't seem to get me what i'm after.

Thanks.

What are you looking for

Karsten Iwen — Fri, 22 May 2015 21:47:17 GMT

What are you looking for exactly if "show xlate" is not what you need?

Although the formatting is different, at least for dynamic source-nat all the information is available. Ok, if you work much with destination-nat, then the ASA-output is not as comfortable as the router-output ...

I want to see something like

Sean Graham — Wed, 27 May 2015 19:40:06 GMT

I want to see something like this:

Router#show ip nat translations

Pro Inside global        Inside local       Outside local      Outside global
udp 171.69.233.209:1220  192.168.1.95:1220  171.69.2.132:53    171.69.2.132:53
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23    171.69.1.220:23
tcp 171.69.233.209:1067  192.168.1.95:1067  171.69.1.161:23    171.69.1.161:23

I have an inside subnet being statically NAT'd to a NAT pool. It doesn't seem like it should be too hard to find out what INSIDE address is being translated to on the OUTSIDE.

Show xlate static gives me a bunch of subnets, nothing at all what i'm looking for. I see the PAT translations in show xlate, but that doesn't help me.

Thanks.

What do you need the private

Stefan Menning — Thu, 28 May 2015 07:16:40 GMT

What do you need the private-public ip mapping for? If you need this Information continiously, you could have the asa send it to a syslog Server:

logging trap warnings
logging host inside ip-address
logging message 604103 level warnings
logging message 604104 level warnings
logging message 302015 level warnings
logging message 302014 level warnings
logging message 302013 level warnings
logging message 302019 level warnings
logging message 302018 level warnings
logging message 302017 level warnings
logging message 302016 level warnings
logging message 302021 level warnings
logging message 302020 level warnings

I want to see it for

Sean Graham — Thu, 28 May 2015 13:19:07 GMT

I want to see it for troubleshooting purposes. (FYI, the ASA is not our external firewall.) If I see 192.168.20.45 going out our external FW, I want to be able to tell whose internal address that is so I can know what user i'm dealing with.

I'm guessing this isn't going to happen without debugging or looking at logs. I'm just surprised this isn't something Cisco has implemented as a command like with the routers.

If the translation is still

Stefan Menning — Thu, 28 May 2015 14:34:30 GMT

If the translation is still "active" in the first ASA, you should be able to see it with

show xlate | include <external-ip-address> and thus determine the internal ip address

You might try show xlate,

andre.ortega — Thu, 28 May 2015 20:40:26 GMT

You might try show xlate, that could be completed with "global" or "local" statement.

Example:

show xlate local 10.10.8.74
1263 in use, 2393 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

UDP PAT from inside:10.10.8.74/64235 to outside:201.0.207.89/64235 flags ri idle 0:00:32 timeout 0:00:30
TCP PAT from inside:10.10.8.74/10936 to outside:201.0.207.89/10936 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside:10.10.8.74/64228 to outside:201.0.207.89/64228 flags ri idle 0:00:42 timeout 0:00:30
UDP PAT from inside:10.10.8.74/64227 to outside:201.0.207.89/64227 flags ri idle 0:00:43 timeout 0:00:30

That doesn't return anything.

Sean Graham — Fri, 29 May 2015 14:54:08 GMT

That doesn't return anything. It's blank.

ASA# show xlate | inc 172.31.62.28
ASA#

Here's an example of how the show xlate looks:

NAT from NewExternal:172.31.60.0/23 to NewExternal:172.31.62.1, 172.31.62.2/31,
172.31.62.4/30, 172.31.62.8/29, 172.31.62.16/28,
172.31.62.32/27, 172.31.62.64/26, 172.31.62.128/25,
172.31.63.0/25, 172.31.63.128/26, 172.31.63.192/27,
172.31.63.224/28, 172.31.63.240/29, 172.31.63.248/30,
172.31.63.252/31, 172.31.63.254
flags sTN idle 0:00:00 timeout 0:00:00
NAT from NewExternal:1.1.2.1, 1.1.2.2/31, 1.1.2.4/30,
1.1.2.8/29, 1.1.2.16/28, 1.1.2.32/27,
1.1.2.64/26, 1.1.2.128/25, 1.1.3.0/24,
1.1.4.0/22, 1.1.8.0/21, 1.1.16.0/20,
1.1.32.0/19, 1.1.64.0/18, 1.1.128.0/17,
1.2.0.0/15, 1.4.0.0/14, 1.8.0.0/13,
1.16.0.0/12, 1.32.0.0/11, 1.64.0.0/10,
<--- More --->

Re: What are you looking for

Donato Fabrzio — Thu, 09 Nov 2017 15:43:13 GMT

You can try with:
>show conn long
It display also the ip translated like the old show xlate version command (pre 8.3)

Re: Show NAT tranlations on ASA

smrh13631 — Wed, 15 Nov 2017 00:07:07 GMT

i think the best command is the below one

FW5545# sh nat detail | include Destination