05-22-2015 01:59 PM - edited 03-11-2019 10:59 PM
I want to be able to see the actual NAT translations on my 5545 ASA. Basically, I need the equivalent of "show ip nat translations" that a router would have. I opened a case with TAC and they couldn't help me. It seems like a basic troubleshooting command to get a table of translations.
Show xlate, show nat, show conn, and show local-host conn don't seem to get me what I'm after.
Thanks.
05-22-2015 02:47 PM
What are you looking for exactly if "show xlate" is not what you need?
Although the formatting is different, at least for dynamic source-nat all the information is available. Ok, if you work much with destination-nat, then the ASA-output is not as comfortable as the router-output ...
05-27-2015 12:40 PM
I want to see something like this:
Router#show ip nat translations
Pro Inside global         Inside local          Outside local        Outside global
udp 171.69.233.209:1220   192.168.1.95:1220     171.69.2.132:53      171.69.2.132:53
tcp 171.69.233.209:11012  192.168.1.89:11012    171.69.1.220:23      171.69.1.220:23
tcp 171.69.233.209:1067   192.168.1.95:1067     171.69.1.161:23      171.69.1.161:23
I have an inside subnet being statically NAT'd to a NAT pool. It doesn't seem like it should be too hard to find out what INSIDE address is being translated to on the OUTSIDE.
Show xlate static gives me a bunch of subnets, nothing at all like what I'm looking for. I see the PAT translations in show xlate, but that doesn't help me.
Thanks.
05-28-2015 12:16 AM
What do you need the private-public IP mapping for? If you need this information continuously, you could have the ASA send it to a syslog server:
logging trap warnings
logging host inside ip-address
logging message 604103 level warnings
logging message 604104 level warnings
logging message 302015 level warnings
logging message 302014 level warnings
logging message 302013 level warnings
logging message 302019 level warnings
logging message 302018 level warnings
logging message 302017 level warnings
logging message 302016 level warnings
logging message 302021 level warnings
logging message 302020 level warnings
05-28-2015 06:19 AM
I want to see it for troubleshooting purposes. (FYI, the ASA is not our external firewall.) If I see 192.168.20.45 going out our external FW, I want to be able to tell whose internal address that is so I can know what user I'm dealing with.
I'm guessing this isn't going to happen without debugging or looking at logs. I'm just surprised this isn't something Cisco has implemented as a command like with the routers.
05-28-2015 07:34 AM
If the translation is still "active" in the first ASA, you should be able to see it with
show xlate | include <external-ip-address> and thus determine the internal ip address
05-29-2015 07:54 AM
That doesn't return anything. It's blank.
ASA# show xlate | inc 172.31.62.28
ASA#
Here's an example of how the show xlate looks:
NAT from NewExternal:172.31.60.0/23 to NewExternal:172.31.62.1, 172.31.62.2/31,
172.31.62.4/30, 172.31.62.8/29, 172.31.62.16/28,
172.31.62.32/27, 172.31.62.64/26, 172.31.62.128/25,
172.31.63.0/25, 172.31.63.128/26, 172.31.63.192/27,
172.31.63.224/28, 172.31.63.240/29, 172.31.63.248/30,
172.31.63.252/31, 172.31.63.254
flags sTN idle 0:00:00 timeout 0:00:00
NAT from NewExternal:1.1.2.1, 1.1.2.2/31, 1.1.2.4/30,
1.1.2.8/29, 1.1.2.16/28, 1.1.2.32/27,
1.1.2.64/26, 1.1.2.128/25, 1.1.3.0/24,
1.1.4.0/22, 1.1.8.0/21, 1.1.16.0/20,
1.1.32.0/19, 1.1.64.0/18, 1.1.128.0/17,
1.2.0.0/15, 1.4.0.0/14, 1.8.0.0/13,
1.16.0.0/12, 1.32.0.0/11, 1.64.0.0/10,
<--- More --->
05-28-2015 01:40 PM
You might try show xlate, which can be completed with a "global" or "local" statement.
Example:
show xlate local 10.10.8.74
1263 in use, 2393 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
UDP PAT from inside:10.10.8.74/64235 to outside:201.0.207.89/64235 flags ri idle 0:00:32 timeout 0:00:30
TCP PAT from inside:10.10.8.74/10936 to outside:201.0.207.89/10936 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside:10.10.8.74/64228 to outside:201.0.207.89/64228 flags ri idle 0:00:42 timeout 0:00:30
UDP PAT from inside:10.10.8.74/64227 to outside:201.0.207.89/64227 flags ri idle 0:00:43 timeout 0:00:30
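Both answers above (the syslog message list and the show xlate output) give the data the original poster wants, but in two different formats and with no reverse lookup by mapped address. The following script is an added example, not something posted in this thread or shipped by Cisco: it parses the 302013/302015 "Built ... connection" and 302014/302016 "Teardown ... connection" syslog messages (message formats as documented in the ASA syslog reference) together with host entries from show xlate, and answers "which inside host is currently behind mapped address X?". The sample log lines and show xlate block below are constructed for the example (documentation-range addresses plus one line reused from the post above); static net-to-net blocks like the multi-line "NAT from NewExternal:172.31.60.0/23 ..." entries are deliberately skipped because they describe a subnet rule, not a host mapping.

```python
import re
from typing import Dict, List, Tuple

# Syslog 302013 (TCP) / 302015 (UDP) "Built ... connection": each endpoint is written as
# interface:real/port (mapped/port). An endpoint was NAT'd when mapped != real.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (?:TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>[^:\s]+):(?P<real1>[\d.]+)/\d+ \((?P<map1>[\d.]+)/\d+\)(?: \([^)]*\))? "
    r"to (?P<if2>[^:\s]+):(?P<real2>[\d.]+)/\d+ \((?P<map2>[\d.]+)/\d+\)"
)
# Syslog 302014 (TCP) / 302016 (UDP) "Teardown ... connection" carries the connection id only.
TEARDOWN_RE = re.compile(r"%ASA-\d-30201[46]: Teardown (?:TCP|UDP) connection (?P<id>\d+)\b")
# show xlate host entries: "[TCP|UDP|ICMP] PAT|NAT from if:real[/port] to if:mapped[/port] flags ..."
# The multi-line net-to-net static entries have no "flags" on the first line and are not matched.
XLATE_RE = re.compile(
    r"^(?:(?:TCP|UDP|ICMP) )?(?:PAT|NAT) from (?P<if1>[^:\s]+):(?P<real>\d+\.\d+\.\d+\.\d+)(?:/\d+)? "
    r"to (?P<if2>[^:\s]+):(?P<map>\d+\.\d+\.\d+\.\d+)(?:/\d+)? flags (?P<flags>\S+)"
)

# Constructed sample input (not taken from a real device).
SAMPLE_SYSLOG = """
%ASA-6-302013: Built outbound TCP connection 1217 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.20/52100 (198.51.100.7/52100)
%ASA-6-302015: Built outbound UDP connection 1218 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.31/40000 (198.51.100.9/40000)
%ASA-6-302013: Built inbound TCP connection 1219 for outside:203.0.113.77/51000 (203.0.113.77/51000) to dmz:10.0.0.8/22 (198.51.100.22/22)
%ASA-6-302014: Teardown TCP connection 1217 for outside:203.0.113.5/443 to inside:192.168.1.20/52100 duration 0:00:12 bytes 5120 TCP FINs
""".strip().splitlines()

SAMPLE_XLATE = """
3 in use, 11 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:10.10.8.74/10936 to outside:201.0.207.89/10936 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside:10.10.8.74/64235 to outside:201.0.207.89/64235 flags ri idle 0:00:32 timeout 0:00:30
NAT from dmz:10.0.0.8 to outside:198.51.100.22 flags s idle 0:00:00 timeout 0:00:00
""".strip().splitlines()


class XlateTracker:
    """Keeps the set of currently live (mapped -> real) address pairs from both sources."""

    def __init__(self) -> None:
        # key identifies the source record (connection id or xlate entry) so teardowns can remove it
        self._live: Dict[str, List[Tuple[str, str]]] = {}

    def feed_syslog(self, line: str) -> bool:
        """Consume one syslog line; returns True if it was a Built or Teardown message."""
        m = BUILT_RE.search(line)
        if m:
            pairs = [(m.group(f"map{s}"), m.group(f"real{s}")) for s in ("1", "2")
                     if m.group(f"map{s}") != m.group(f"real{s}")]
            self._live["conn:" + m.group("id")] = pairs
            return True
        t = TEARDOWN_RE.search(line)
        if t:
            self._live.pop("conn:" + t.group("id"), None)
            return True
        return False

    def feed_xlate(self, line: str) -> bool:
        """Consume one line of show xlate output; returns True for a host PAT/NAT entry."""
        m = XLATE_RE.match(line.strip())
        if not m:
            return False
        key = f"xlate:{m.group('if1')}:{m.group('real')}->{m.group('map')}"
        self._live[key] = [(m.group("map"), m.group("real"))]
        return True

    def real_for(self, mapped_ip: str) -> List[str]:
        """Inside (real) hosts currently translated to mapped_ip; empty if none are live."""
        return sorted({real for pairs in self._live.values()
                       for mapped, real in pairs if mapped == mapped_ip})


def tracker_from(syslog_lines: List[str], xlate_lines: List[str]) -> XlateTracker:
    tracker = XlateTracker()
    for line in syslog_lines:
        tracker.feed_syslog(line)
    for line in xlate_lines:
        tracker.feed_xlate(line)
    return tracker


if __name__ == "__main__":
    t = tracker_from(SAMPLE_SYSLOG, SAMPLE_XLATE)
    for mapped in ("198.51.100.7", "198.51.100.9", "198.51.100.22", "201.0.207.89"):
        print(mapped, "->", t.real_for(mapped) or "no live translation")
```

Feeding the syslog stream keeps the view current (connection 1217 is dropped once its Teardown arrives), while the show xlate parse gives a point-in-time snapshot of whatever is still in the xlate table, so the two together cover both the "right now" and the "ten minutes ago" cases the original poster describes. IPv6 endpoints and the identity-firewall user suffix are not parsed beyond being skipped.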
11-09-2017 07:43 AM
11-14-2017 04:07 PM
I think the best command is the one below:
FW5545# sh nat detail | include Destination