Confirm the use of PAT translation after NAT Pool exhausted (ASA 8.2(2))

Jouni Forss
VIP Alumni

Hi,

Time for me to ask a question.

The ASA in question has a pretty simple NAT configuration. The most critical interface regarding the customers' connections uses a NAT Pool and also a PAT translation. The configuration is the following (only the interface names have been changed):

global (destination) 1 10.100.18.1-10.100.23.254
global (destination) 1 10.100.16.35
nat (source) 1 0.0.0.0 0.0.0.0

There's also some Static and Policy NAT configuration between the same interfaces mentioned.

What I would like to confirm is whether the PAT address is being used after the NAT Pool is exhausted. More specifically, I want to confirm directly from the ASA whether the PAT translation HAS been used since the ASA was last booted.

I presumed the "show nat" command would list the hitcount for the translations but from what I checked it only seemed to list information regarding the NAT Pool and not the PAT translation.

I did already check the firewall logs from the last week and found no messages indicating that the PAT address would have been used (can't see any translations being built or torn down with the above mentioned IP).

But I would still like to confirm this on the ASAs side too.

Or am I not seeing info for the PAT with the "show nat" command since it hasn't been in any use?

I don't really use the "show nat" command at all, so I'm not familiar with its use, even though I checked the command reference. I guess it more clearly shows what kind of traffic a certain translation applies to, the same way you see it in the "packet-tracer" output.

- Jouni
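The log check described in the post (looking for translations built or torn down with the PAT address) can be done mechanically. The following is an added example, not code from the thread or from Cisco: it parses the standard %ASA-6-305011/305012 dynamic-translation syslog messages and counts how many translations were built from the pool versus the PAT address. The interface names, real hosts and the sample log lines are constructed for illustration; only the pool range and PAT address come from the configuration above.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the NAT configuration in the thread.
POOL_START = ipaddress.ip_address("10.100.18.1")
POOL_END = ipaddress.ip_address("10.100.23.254")
PAT_ADDRESS = ipaddress.ip_address("10.100.16.35")

# Assumption: standard 305011 (Built) / 305012 (Teardown) dynamic translation format:
# "... translation from <ifc>:<real>/<port> to <ifc>:<mapped>/<port> ..."
XLATE_RE = re.compile(
    r"%ASA-\d-30501[12]: (?P<event>Built|Teardown) dynamic (?P<proto>\w+) translation "
    r"from \S+?:(?P<real>[\d.]+)/(?P<rport>\d+) to \S+?:(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)

# Constructed sample syslog lines (not real firewall output).
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from source:192.168.1.10/51000 to destination:10.100.18.1/51000
%ASA-6-305011: Built dynamic TCP translation from source:192.168.1.11/51001 to destination:10.100.23.254/51001
%ASA-6-305011: Built dynamic UDP translation from source:192.168.1.12/40000 to destination:10.100.16.35/1025
%ASA-6-305012: Teardown dynamic UDP translation from source:192.168.1.12/40000 to destination:10.100.16.35/1025 duration 0:00:30
%ASA-6-302013: Built inbound TCP connection 12345 for source:10.0.0.1/1 (10.0.0.1/1) to destination:10.0.0.2/80 (10.0.0.2/80)
"""


def classify_mapped(mapped: str) -> str:
    """Return 'pool', 'pat' or 'other' depending on which global the mapped address belongs to."""
    addr = ipaddress.ip_address(mapped)
    if POOL_START <= addr <= POOL_END:
        return "pool"
    if addr == PAT_ADDRESS:
        return "pat"
    return "other"


def summarize(log_text: str) -> dict:
    """Count built dynamic translations per global and list real hosts that landed on the PAT address."""
    built = Counter()
    pat_hosts = set()
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if not m or m.group("event") != "Built":
            continue  # ignore non-xlate messages and teardowns (already counted when built)
        kind = classify_mapped(m.group("mapped"))
        built[kind] += 1
        if kind == "pat":
            pat_hosts.add(m.group("real"))
    return {"pool_built": built["pool"], "pat_built": built["pat"],
            "other_built": built["other"], "pat_real_hosts": sorted(pat_hosts)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero pat_built over the retained log window is the evidence the post is after; on the live box the same question is answered by "show xlate" filtered on the PAT address, but that only covers currently active translations.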

10 Replies

Jennifer Halim
Cisco Employee

"show xlate" would show you the information if the PAT pool is being used.

You can also pipe it with that IP address:

show xlate | i 10.100.16.35

Hi,

I'm more interested in any statistics/history of the PAT translation usage.

I want to know if at any point in the past (since the ASA has been booted) the PAT translation of 10.100.16.35 has been used because the NAT Pool has been completely exhausted. I tried to check this from the logs but would like to know if there's a way to check this from the ASA itself. The ASA in question has been up around 270 days, so if the statistics can be pulled with some command there should be enough of them to give reliable information.

The NAT Pool itself is at quite high usage at the moment (around 1100 when the actual pool is around 1500).

We are trying to check this since there's doubt whether some connections have fallen on the PAT translation and caused problems with the applications used through this interface.

I also found the following command by browsing the CLI, which should list any PAT translation active through the interface (if I understood correctly):

"show xlate detail interface destination state portmap", where "destination" is the name of the interface mentioned in the above configuration.

- Jouni

To give you an example of what I can find with the "show nat" command BUT can't find anything about the PAT:

"show nat source destination", where "source" and "destination" are again interface names.

I can find the following section:

  match ip source any destination any
    dynamic translation to pool 1 (10.100.18.1 - 10.100.23.254)
    translate_hits = 82172011, untranslate_hits = 8006667

Again, above source/destination = interface names.

For some reason there is no mention of the PAT translation in the whole output.

- Jouni

It is weird indeed, it should have listed the PAT as well in "show nat" output.

Try: show asp table classify domain nat

Hi,

The output of that command seems to contain only source and destination IP address networks and no mention of the actual NAT/PAT IP addresses.

There is no output after the section "Interface destination:".

I presume if there is anything to get from the output I will have to look at the "source" interface.

It ends with the following type of output, which doesn't really say anything to me:

in  id=0xb30ed8d8, priority=0, domain=nat, deny=false
        hits=0, user_data=0xb2f17fd8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

EDIT:

Or does some portion of that output perhaps refer to a certain translation configuration?

- Jouni

Actually, try this command which should show you the utilization of all the pools:

show nat pool

Hi,

The ASA doesn't recognize the command.

Apology, just double checking and it's not available on the version that you are running.

"show nat" should really show it, but it seems like there might be a bug with the version that you are running.

Can't seem to find any other command that will show the required output.

Hi,

I guess I could also check from the Failover unit if the output is the same.

The ASA in question is at the point where the next upgrade would require a total rewrite of the NAT and ACL rules, so I don't know when the actual upgrade will be done.

Guess I will just trust the firewall logs to see if the PAT address gets used.

- Jouni

What about at least trying to upgrade it to the latest version of 8.2(x)? Perhaps that would show the "show nat" output with the PAT address as well.

Apology, I don't have a free ASA that I can test on quickly for you.
