NAT hit count question

Is the output of the "show nat" command, which shows the number of hits on NAT rules, a reliable counter in the same way that access-list counters are, meaning unless cleared or if the firewall is rebooted, can I count on these hit counts as being an accurate portrayal of what is actually being used? Trying to clean up an old firewall with a lot of NAT rules; many show no hit counts since the last reboot.


Re: NAT hit count question

For the best approach here, if the count is not increasing, disable the NAT rule; before doing that, also check from the command line with "show nat detail" and "show xlate count".

BB

Re: NAT hit count question

Hi,

Unless you have a code which has some bugs related to the "hit" counters, each new flow which matches a NAT entry, upon which a new session is created through the device, is going to increase the "hit" value by 1. So yes, you can use the "hit" counters as a reference to which NAT statements are actively matched by traffic and which are not. If you have a NAT statement for which you don't see hits, try simulating traffic via packet-tracer, matching that NAT statement, and you will see the "hit" counter increasing. Use "clear nat counters" first, to start from zero.

Regards,

Cristian Matei.
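As an added example (not from this thread or from Cisco), a small Python parser for the counter lines Cristian describes: it reads "show nat" output, pairs each rule with its translate_hits/untranslate_hits, and lists the zero-hit rules that are candidates for the cleanup the question asks about. The sample output is constructed, and a zero count only means nothing matched since the counters were last cleared or the box rebooted, so confirm with "show xlate" and packet-tracer as both replies advise before disabling a rule.

```python
import re
from dataclasses import dataclass
from typing import List
# Constructed sample of ASA "show nat" output (made up for this example, not a real capture).
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-web-int obj-web-ext service tcp 80 80
    translate_hits = 1320, untranslate_hits = 948
2 (inside) to (outside) source static obj-old-app obj-old-app-ext
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj-inside-net interface
    translate_hits = 54201, untranslate_hits = 0
2 (dmz) to (outside) source static obj-legacy-host obj-legacy-host-ext
    translate_hits = 0, untranslate_hits = 0
"""
SECTION_RE = re.compile(r"^(\S.* NAT Policies \(Section \d\))\s*$")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

@dataclass
class NatRule:
    section: str
    index: int
    src_if: str
    dst_if: str
    text: str               # rule body after the interface pair
    translate_hits: int     # forward (source-to-destination) matches
    untranslate_hits: int   # reverse-direction matches, e.g. inbound to a static NAT

def parse_show_nat(output: str) -> List[NatRule]:
    """Pair each numbered rule line with the counter line that follows it."""
    rules, section, pending = [], "", None
    for line in output.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := RULE_RE.match(line):
            pending = (int(m.group(1)), m.group(2), m.group(3), m.group(4))
        elif (m := HITS_RE.search(line)) and pending:
            rules.append(NatRule(section, *pending, int(m.group(1)), int(m.group(2))))
            pending = None
    return rules

def zero_hit_rules(rules: List[NatRule]) -> List[NatRule]:
    """No hits since the counters were last cleared: review candidates, not proof of disuse."""
    return [r for r in rules if r.translate_hits + r.untranslate_hits == 0]
```

Run it against a saved "show nat" capture to get the review list; a rule that still shows zero after a "clear nat counters" and a packet-tracer test is the one to disable first.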