If you need to trace NAT operation, you can use the
debug ip nat command to display a line of output for each packet that gets translated. The
screen output shown in the figure is an example of a debug of address translation
inside to outside.
You can decode the debug output by using the following key points:
- The asterisk next to NAT indicates that the translation is occurring in the fast path. The first packet in a conversation will always go through the slow path (be process switched). The remaining packets will go through the fast path if a cache entry exists.
- s = 10.1.1.1 is the source address.
- d = 172.16.2.2 is the destination address.
- 10.1.1.1 -> 192.168.2.1 indicates that the address was translated.
- The value in brackets is the IP identification number. This information may be useful for debugging because it enables you to correlate with other packet traces from sniffers, for example.

If NAT is properly configured but translations are not occurring, clear the NAT translations (described in the next section) and check to see if the translations occur. Also, if translations are not occurring, check that an access-list was created if doing dynamic addressing, check that the destination list or source list command was applied, and check that NAT was applied to the interfaces.
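The key points above can be applied mechanically to a saved debug capture. The following is an added example, not part of the original page: a small Python parser for debug ip nat lines that reports the switching path and indexes packets by IP identification number so they can be matched against a sniffer trace. The sample lines and their bracketed ID values are constructed, and the return-direction line (destination address translated) goes beyond the inside-to-outside case shown on the page.

```python
import re
from collections import Counter

# Constructed sample capture; addresses follow the page, ID values are made up.
SAMPLE = """\
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6825]
NAT*: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6826]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [21852]
NAT*: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6827]
"""

def _addr(name):
    # Named group matching a dotted-quad IPv4 address.
    return rf"(?P<{name}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})"

LINE = re.compile(
    r"NAT(?P<fast>\*?):\s*"
    rf"s\s*=\s*{_addr('src')}(?:\s*->\s*{_addr('src_xlat')})?,\s*"
    rf"d\s*=\s*{_addr('dst')}(?:\s*->\s*{_addr('dst_xlat')})?\s*"
    r"\[(?P<ip_id>\d+)\]"
)

def parse_line(line):
    """Decode one debug line; returns None for lines that are not NAT output."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Asterisk present: fast path. Absent: slow path (process switched).
    rec["path"] = "fast" if rec.pop("fast") else "slow"
    rec["ip_id"] = int(rec["ip_id"])
    return rec

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def path_counts(text):
    """How many translated packets took each switching path."""
    return dict(Counter(r["path"] for r in parse_capture(text)))

def index_by_ip_id(text):
    """IP identification number -> record, for correlation with a packet trace."""
    return {r["ip_id"]: r for r in parse_capture(text)}

if __name__ == "__main__":
    for rec in parse_capture(SAMPLE):
        print(rec)
    print(path_counts(SAMPLE))
```

A capture in which every packet of a long conversation shows the slow path suggests that no cache entry is being used for that flow.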