Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also provides information about certain errors or exception conditions, such as the failure to allocate a global address. The debug ip nat detailed command generates more overhead than the debug ip nat command, but it can provide the detail that may be needed to troubleshoot the NAT problem. Debugging consumes CPU on the router and, on a busy link, can produce a flood of console output, so always turn off debugging when finished (for example, with undebug all).
Figure 1 shows a sample debug ip nat output. The output shows that the inside host (192.168.10.10) initiated traffic to the outside host (220.127.116.11) and the source address was translated to address 18.104.22.168.
When decoding the debug output, note what the following symbols and values indicate:
- * (asterisk) - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
- s= - This symbol refers to the source IP address.
- a.b.c.d--->w.x.y.z - This value indicates that source address a.b.c.d is translated to w.x.y.z.
- d= - This symbol refers to the destination IP address.
- [xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.
Note: Verify that the ACL referenced by the ip nat inside source command permits all of the necessary networks. In Figure 2, only 192.168.0.0/16 addresses are eligible to be translated. Because a standard ACL ends with an implicit deny, packets from the inside network destined for the Internet with source addresses that are not explicitly permitted by ACL 1 are not translated by R2; such packets never appear in debug ip nat output at all. The match counters in show access-lists show whether the ACL is being hit as expected.
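The following Python script is an added example, not part of the original page or of Cisco IOS. It ties together the decode legend above and the ACL note: it parses debug ip nat lines into their parts (the fast-switching asterisk, the s= and d= addresses, the a.b.c.d--->w.x.y.z translation, and the bracketed IP identification number), summarizes which inside-local addresses were translated to which inside-global addresses, and evaluates a standard ACL the way IOS does (top-down, first match, implicit deny) to predict which inside sources are eligible for translation. The debug lines and the 209.165.x.x outside addresses are constructed sample data in the documentation address range, not the values from the page's figures; the parser accepts both the "--->" arrow used in the legend and the "->" arrow IOS actually prints.

```python
"""Decode "debug ip nat" output and check NAT ACL eligibility (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "debug ip nat" record. The legend on the page writes the translation arrow
# as "--->", while IOS prints "->"; "-+>" accepts either form.
_LINE_RE = re.compile(
    r"NAT(?P<fast>\*)?:\s*"
    r"s=(?P<src>[\d.]+)(?:-+>(?P<src_xlat>[\d.]+))?,\s*"
    r"d=(?P<dst>[\d.]+)(?:-+>(?P<dst_xlat>[\d.]+))?\s*"
    r"\[(?P<ipid>\d+)\]"
)


@dataclass
class NatEvent:
    fast_switched: bool           # "NAT*:" = fast-switched path, "NAT:" = process-switched
    src: str                      # s= address as seen before translation
    src_translated: Optional[str]  # w.x.y.z when the source was rewritten, else None
    dst: str                      # d= address as seen before translation
    dst_translated: Optional[str]  # set on return traffic, where the destination is rewritten
    ip_id: int                    # [xxxx] IP identification, for matching against a packet capture


def parse_debug_line(line: str) -> Optional[NatEvent]:
    """Return a NatEvent for a debug ip nat line, or None for unrelated output."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    return NatEvent(
        fast_switched=m.group("fast") is not None,
        src=m.group("src"),
        src_translated=m.group("src_xlat"),
        dst=m.group("dst"),
        dst_translated=m.group("dst_xlat"),
        ip_id=int(m.group("ipid")),
    )


def summarize(debug_output: str) -> Dict[str, object]:
    """Collect inside-local -> inside-global pairs and count switching paths."""
    translations: Dict[str, str] = {}
    process_switched = fast_switched = 0
    for line in debug_output.splitlines():
        ev = parse_debug_line(line)
        if ev is None:
            continue
        if ev.fast_switched:
            fast_switched += 1
        else:
            process_switched += 1
        if ev.src_translated:            # outbound: s=a.b.c.d--->w.x.y.z
            translations[ev.src] = ev.src_translated
        if ev.dst_translated:            # return traffic: d=w.x.y.z--->a.b.c.d
            translations[ev.dst_translated] = ev.dst
    return {"translations": translations,
            "process_switched": process_switched,
            "fast_switched": fast_switched}


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (192.168.0.0 0.0.255.255) into a network.

    Only contiguous wildcards map to a prefix; IOS also allows discontiguous ones,
    which are rejected here rather than silently misread.
    """
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    if "01" in f"{netmask:032b}":
        raise ValueError(f"discontiguous wildcard mask {wildcard} cannot be a prefix")
    mask_str = str(ipaddress.IPv4Address(netmask))
    return ipaddress.IPv4Network(f"{address}/{mask_str}", strict=False)


def acl_permits(acl: List[Tuple[str, ipaddress.IPv4Network]], src: str) -> bool:
    """Evaluate a standard ACL top-down; the implicit deny at the end returns False."""
    ip = ipaddress.IPv4Address(src)
    for action, network in acl:
        if ip in network:
            return action == "permit"
    return False


# Constructed: ACL 1 as described in the note above, permitting only 192.168.0.0/16.
ACL_1 = [("permit", wildcard_to_network("192.168.0.0", "0.0.255.255"))]

# Constructed sample output modelled on the legend: the first packet of the flow is
# process-switched ("NAT:"), later packets and the reply use the fast path ("NAT*:").
SAMPLE_DEBUG = """\
NAT: s=192.168.10.10->209.165.200.225, d=209.165.201.1 [28]
NAT*: s=209.165.201.1, d=209.165.200.225->192.168.10.10 [4112]
NAT*: s=192.168.10.10->209.165.200.225, d=209.165.201.1 [29]
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
    for host in ("192.168.10.10", "172.16.5.5"):
        print(host, "eligible for NAT" if acl_permits(ACL_1, host) else "not translated")
```

Running the script against real output from terminal monitor or a syslog collector works the same way; the IP identification field is the value to search for in a packet capture taken on the inside or outside interface when confirming that a specific packet was the one translated.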