NAT hit count question
03-24-2020 12:26 PM
Is the output of the "show nat" command, which shows the number of hits on NAT rules, a reliable counter in the same way that access-list counters are? Meaning, unless cleared or the firewall is rebooted, can I count on these hit counts as an accurate portrayal of what is actually being used? I'm trying to clean up an old firewall with a lot of NAT rules; many show no hit counts since the last reboot.
03-24-2020 01:12 PM
For the best approach here, if the count is not increasing, disable the NAT rule. Before doing that, also check from the command line: show nat detail and show xlate count.
03-25-2020 02:05 AM
Hi,
Unless you are running code which has bugs related to the "hit" counters, each new flow which matches a NAT entry, upon which a new session is created through the device, is going to increase the "hit" value by 1. So yes, you can use the "hit" counters as a reference for which NAT statements are actively matched by traffic and which are not. If you have a NAT statement for which you don't see hits, try simulating traffic via packet-tracer that matches that NAT statement; you will see the "hit" counter increasing. Use "clear nat counters" first, to start from zero.
Regards,
Cristian Matei.
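The clean-up workflow described in the replies above (clear the counters, let traffic run, then look for rules whose hit counters stay at zero) is easier to apply to a firewall with hundreds of NAT rules if the "show nat" output is parsed rather than read by eye. The script below is an added example, not code from the original thread or from Cisco. The sample output is constructed and modeled on the ASA "show nat" layout, where each rule line is followed by a "translate_hits = N, untranslate_hits = M" line; the rule and section wording in the sample are illustrative, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modeled on ASA "show nat" output (not captured from a real firewall).
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-10.1.1.5 obj-203.0.113.5
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic any interface
    translate_hits = 48213, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-web 203.0.113.10 service tcp 80 80
    translate_hits = 15, untranslate_hits = 9342
2 (dmz) to (outside) source static obj-legacy 203.0.113.11
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (any) to (any) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
"""


@dataclass
class NatRule:
    section: int          # NAT section (1 = manual before auto, 2 = auto, 3 = manual after auto)
    index: int            # rule number within its section
    rule: str             # the rule line as printed by the firewall
    translate_hits: int   # forward (real -> mapped) matches
    untranslate_hits: int # reverse (mapped -> real) matches

    @property
    def total_hits(self) -> int:
        return self.translate_hits + self.untranslate_hits


SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d+)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text: str) -> List[NatRule]:
    """Parse pasted 'show nat' output into NatRule records.

    A rule is emitted only once its hits line has been seen, so a truncated
    paste that cuts a rule off before its counters is not mis-reported.
    """
    rules: List[NatRule] = []
    section = 0
    pending: Optional[Tuple[int, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            pending = (int(m.group(1)), line)
            continue
        m = HITS_RE.search(line)
        if m and pending is not None:
            idx, rule_text = pending
            rules.append(NatRule(section, idx, rule_text, int(m.group(1)), int(m.group(2))))
            pending = None
    return rules


def zero_hit_rules(rules: List[NatRule]) -> List[NatRule]:
    """Rules whose forward AND reverse counters are both zero: candidates for review."""
    return [r for r in rules if r.total_hits == 0]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    print(f"{len(parsed)} NAT rules parsed; zero-hit candidates:")
    for r in zero_hit_rules(parsed):
        print(f"  section {r.section} rule {r.index}: {r.rule}")
```

Both counters are checked because a static rule can legitimately see only untranslate hits (inbound connections to the mapped address) and would be wrongly flagged if only translate_hits were inspected. Treat the output as a review list, not a delete list: a zero count only says nothing has matched since the last "clear nat counters" or reload, so compare the collection window against the device uptime, and confirm each candidate with packet-tracer as described in the reply above before disabling it.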
