topic How to check hit counts on Identity NAT in Network Security

How to check hit counts on Identity NAT

mahesh18 — Tue, 12 Mar 2019 04:14:29 GMT

Hi Everyone,

I have identity NAT config like below

static(inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

when i do sh nat how can i check hit counts for above rule?

ASA version is 8.2

Regards

Mahesh

Mahesh,"show xlate" (and

Marvin Rhoads — Sat, 24 May 2014 16:46:25 GMT

Mahesh,

"show xlate" (and optionally use various keywords such as "count" or pipe output to include only desired addresses) should do the trick for you. i.e.,

show xlate count

show xlate | i 10.

Hi Marvin,sh xlate

mahesh18 — Sat, 24 May 2014 17:22:15 GMT

Hi Marvin,

sh xlate count

shows 2 used and 2 used most

does this mean that only 2 NAT rules are used ?

Also i did sh nat

match ip inside 10.0.0.0 255.0.0.0 outside any
static translation to 10.0.0.0
translate_hits = 0, untranslate_hits = 16648

Need to confirm if this is Identity NAT hits?

Regards

MAhesh

If you just use "show xlate"

Marvin Rhoads — Sat, 24 May 2014 23:02:03 GMT

If you just use "show xlate" without the count keyword it will show you exactly which NAT rules its talking about. That command gives you the active xlate slots currently in use.

The "show nat" is more of a cumulative "hit count". If you add the "detail" command it will similarly show you more detail about the hits.

Identity NAT is similar to NAT exemption or no NAT n that an address is translated to itself. The example you show the output of above is not identity NAT since the 10.0.0.0/8 network is being translated to the ASA outside interface.

Many thanks Marvin

mahesh18 — Sun, 25 May 2014 03:28:01 GMT

Many thanks Marvin