topic NAT pool counters in Network Security

NAT pool counters

rmedvedev — Mon, 11 Mar 2019 21:00:48 GMT

I wonder if there any way to track dynamic nat pool usage on ASA? I did not find any counters or snmp oid to use.

It's not very convenient to count lines in the cli.

NAT pool counters

varrao — Wed, 20 Jul 2011 02:19:32 GMT

Hi,

AFAIK there is no counter on the ASA to check the dynamic nat pool usage.

-Varun

NAT pool counters

k.mattson — Wed, 17 Aug 2011 22:47:47 GMT

From the "show snmp-server oidlist" command you will see some entries that look like this:

1.3.6.1.2.1.123.1.4.1.2. natAddrMapName

1.3.6.1.2.1.123.1.4.1.10. natAddrMapGlobalAddrType

1.3.6.1.2.1.123.1.4.1.11. natAddrMapGlobalAddrFrom

1.3.6.1.2.1.123.1.4.1.12. natAddrMapGlobalAddrTo

1.3.6.1.2.1.123.1.4.1.13. natAddrMapGlobalPortFrom

1.3.6.1.2.1.123.1.4.1.14. natAddrMapGlobalPortTo

1.3.6.1.2.1.123.1.4.1.15. natAddrMapProtocol

1.3.6.1.2.1.123.1.4.1.19. natAddrMapAddrUsed

Specifically the .1.3.6.1.2.1.123.1.4.1.19. group will tell you amount used out of the pool. Our pools start with .1.3.6.1.2.1.123.1.4.1.19.8.1 and run through .1.3.6.1.2.1.123.1.4.1.19.8.23 currently.

When I compare the numbers to "show nat pool" they jive pretty well up through 21. 22 and 23 don't seem to be a match.

If you use a tool like getif you should be able to see the results of a walk and select those values for experimental graphing.

One gotcha will be that the used number is just that, how many IPs in the pool have been used. Our pools are not identically sized, so we have to take that into account when determining how close we are to being all used up.

Hope this helps,

Ken

NAT pool counters

k.mattson — Thu, 18 Aug 2011 23:19:17 GMT

I also have a work in progress monitoring with MRTG here:

http://mrtg.creighton.edu/NatPool/creighton-fw1.creighton.edu_natpool.html

NAT pool counters

rmedvedev — Fri, 19 Aug 2011 06:43:38 GMT

Thank you fot the help Ken, but i have asa software version 8.2.2 and it does not have these oids.

What version do you have?

NAT pool counters

k.mattson — Fri, 19 Aug 2011 19:17:01 GMT

We recently moved to 8.4.2. I think that the new oids and "sh nat pool" command were intruduced in 8.3.

Up until our upgrade we were out of luck. Beware the upgrade is a significant change so read the 8.3 documents very carefully.

Thanks Ken.

Cathal Mooney — Fri, 24 Feb 2017 18:38:37 GMT

Thanks Ken.

This MIB is supported by our ASA5555 on 9.2(2)4.

Unfortunately there is no correlation between the numbers reported in NAT-MIB::natAddrMapAddrUsed and those returns in "show nat pools" on the CLI.

I may try to open a TAC case for an explaination but I'm guessing Cisco SNMP support on this is "best effort." If I get anything meaningful back I will post here.

Cathal.