| 26.3. NAT diagnostics and statistics | ||
|---|---|---|
 | Chapter 26. NAT - Network Address Translation |  |
| 26.3. NAT diagnostics and statistics | ||
|---|---|---|
| | Chapter 26. NAT - Network Address Translation | |
To display the diagnostics of the NAT resource the following commands are used:
Shows diagnostic information, such as the state of the
resource, the current number of translations present into NAT
table, the maximum number of translations reached from start-up
into the NAT table and the maximum number of translations present
into the table (this information indicates the
dimtable parameter).
[18:06:40] ABILIS_CPX:d d natRES:Nat ----------------------------------------------------------------------- Network_Address_Translator STATE:READY -----------|--- CUR ---|-- PEAK ---|--- MAX ---| LINKS | 45| 285| 5000| LINKS% | 1%| 6%| | ------------------------------------------------
This command can help to understand what is happening, in case of troubles:
[18:06:40] ABILIS_CPX:d s natRES:Nat ----------------------------------------------------------------------- Network_Address_Translator --- Cleared 25 days 08:50:44 ago, on 03/08/2017 at 07:25:50 ------------ REQ:1373022674 SUCCESS:253343611 IGNORED:1119596154 OVERFLOW:0 TCP-RST:88376 ERROR:0 FTP-OVR:0 DNS-OVR:0 SNMP-MF:0 FTP-BCT:0 DNS-EF:0 PPTP-MT:0 ------------------------------------------------------------------------ -----------|---INSIDE--|--OUTSIDE--|----VPN----|----DMZ----| BLOCKED-MIL| 0| 0| 0| 0| ------------------------------------------------------------------------ ICMP-ERR | 0| 0| 0| 0| TCP-ERR | 0| 0| 0| 0| UDP-ERR | 0| 0| 0| 0| ------------------------------------------------------------------------ ICMP-SRC | 183900| 6| 0| 0| ICMP-DST | 34| 335147| 0| 0| TCP-SRC | 70718827| 4403650| 0| 0| TCP-DST | 5813793| 96884983| 0| 0| UDP-SRC | 30573560| 0| 0| 0| UDP-DST | 0| 44428585| 0| 0| GRE-SRC | 0| 0| 0| 0| GRE-DST | 0| 0| 0| 0| OTHERS-SRC | 1126| 0| 0| 0| OTHERS-DST | 0| 0| 0| 0| ------------------------------------------------------------------------ ONATDISCARD| 0| 25| 0| 0| ------------------------------------------------------------------------ FRAG-ID:0 FRAG-POINTER:0 FRAG-UNRESOLVED:2361 FRAG-HEADER-FOUND:2378 ------------------------------------------------------------------------
With reference to the shown interval of time («Cleared 25 days 08:50:44 ago») these counters show the number of:
REQ | All NAT requests. |
SUCCESS | Successful requests. |
IGNORED | Ignored request because a match was not found. |
OVERFLOW | Unsuccessful requests because of table overflow. |
TCP-RST | TCP resets. |
ERROR | Unsuccessful requests because of a generic error. |
FTP-OVR | FTP buffer overflow. |
DNS-OVR | DNS buffer overflow. |
SNMP-MF | SNMP missing field during ALG mode |
FTP-BCT | FTP error when trying to add a FTP translation into dynamic table. |
DNS-EF | DNS error field during ALG mode. |
PPTP-MT | PPTP missing translation during ALG mode. |
BLOCKED-MIL | Unsuccessful
INSIDE/OUTSIDE/VPN/DMZ
requests due to filter blocking. |
ICMP-ERR | ICMP unsuccessful requests because of wrong checksum. |
TCP-ERR | TCP unsuccessful requests because of wrong checksum. |
UDP-ERR | UDP unsuccessful requests because of wrong checksum. |
ICMP-SRC | INSIDE/OUTSIDE/VPN/DMZ
source field translations for ICMP packets. |
ICMP-DST | INSIDE/OUTSIDE/VPN/DMZ
destination field translations for ICMP packets. |
TCP-SRC | INSIDE/OUTSIDE/VPN/DMZ
source field translations for TCP packets. |
TCP-DST | INSIDE/OUTSIDE/VPN/DMZ
destination field translations for TCP packets. |
UDP-SRC | INSIDE/OUTSIDE/VPN/DMZ
source field translations for UDP packets. |
UDP-DST | INSIDE/OUTSIDE/VPN/DMZ
destination field translations for UDP packets. |
GRE-SRC | INSIDE/OUTSIDE/VPN/DMZ
source field translations for GRE packets. |
GRE-DST | INSIDE/OUTSIDE/VPN/DMZ
destination field translations for GRE packets. |
OTHERS-SRC | INSIDE/OUTSIDE/VPN/DMZ
source field translations for remaining protocols. |
OTHERS-DST | INSIDE/OUTSIDE/VPN/DMZ
destination field translations for remaining protocols. |
ONATDISCARD | INSIDE/OUTSIDE/VPN/DMZ
field translations for ONAT filter discarded packets. |
FRAG-ID | Fragment ID link count. |
FRAG-POINTER | Fragment PTR link count. |
FRAG-UNRESOLVED | Unresolved fragment count. |
FRAG-HEADER-FOUND | Found header fragment count. |
![[Caution]](../images/caution.png) | Caution |
|---|---|
To view these commands you need to have administrator or super user rights. |
Type the following command to view allowed ones:
[00:07:36] ABILIS_CPX:debug res:nat lsn:0
RES:Nat -----------------------------------------------------------------------
Network_Address_Translator
BufferLength:64512 Date/Time:28/08/2017 16:13:45 TraceTime:310240481
Usage:
LSN:0 - This help.
LSN:1 - Obsolete: use D NAT MAPS instead.
LSN:2 - Display statistics and information.
LSN:3 CMD:DISPLAY - Display current NAT trace.
LSN:3 CMD:ACT[,param,...] - Activate trace.
Parameters:
No param - Trace all packets unconditionally.
CHK - Trace packets with wrong checksum.
TCPRST - Trace packets when NAT originates a TCP reset.
ERR - Trace packets that cause an error.
NOTLN - Trace packets except TELNET packets.
<IP add> - Trace packets only to/from these addresses (up to 4).
LSN:3 CMD:START - Start trace.
LSN:3 CMD:STOP - Stop trace.
LSN:3 CMD:INACT - Deactivate trace.
LSN:4 - Display headers of last 10 packets with checksum error.
LSN:4 CMD:EXT - Display completely last 10 packets with checksum error.
LSN:4 CMD:CLR - Clear checksum failures history.
LSN:5 - Display summary of links indexed by INAT and ADD.
LSN:5 CMD:EXT - Display links indexed by INAT and ADD.
LSN:6 CMD:CLR - Reset "Links Peak" diagnostic.
LSN:7 - Display active and blocked links "per IP".
LSN:7 CDM:EXT - Display active and blocked links "per IP", detailed.
LSN:8 - Display configuration table currently loaded.
LSN:9 - Display virtual links table.
LSN:10 - Display dynamic links table.
LSN:11 - Display TCP links with SYN/FIN flags.
LSN:12 - Display last 100 UPNP commands.
LSN:12 CMD:EXT - Display last 100 UPNP commands, detailed.
LSN:12 CMD:CLR - Clear UPNP commands history.
LSN:13 - Display header of last 20 packets with "ONAT discard".
LSN:13 CMD:CLR - Clear "ONAT discard" history.
LSN:14 - View optimized loop-back table.
LSN:20 CMD:ALL - Enable checksum verify for ALL TCP and UDP packets.
LSN:20 CMD:DFT - Restore checksum verify for TCP SYN, FIN, RST only.
To view the currents NAT sessions type:
[00:10:18] ABILIS_CPX:d nat maps
Number of records in standard table: 21
S A TYPE SRC-ADDRESS SP/ID DST-ADDRESS DP/ID ALS-ADDRESS ALIAS TM
-------------------------------------------------------------------------------
IOS UDP 192.168.030.002 11826 086.101.152.080 26211 192.168.001.100 9060 180
IOS UDP 192.168.030.002 11826 080.230.085.012 30615 192.168.001.100 9061 54
IOS UDP 192.168.030.002 11826 084.097.119.138 41956 192.168.001.100 9247 93
IOS UDP 192.168.030.002 11826 200.117.084.037 45252 192.168.001.100 9063 180
IOS UDP 192.168.030.002 11826 077.083.166.003 34588 192.168.001.100 9064 180
IOS UDP 192.168.030.002 11826 151.021.081.198 32605 192.168.001.100 9068 164
IOS TCP 192.168.030.002 2220 095.076.135.237 18586 192.168.001.100 9109 360
IOS UDP 192.168.030.002 11826 077.030.154.190 41899 192.168.001.100 9206 58
IOS UDP 192.168.030.002 11826 095.250.024.242 34375 192.168.001.100 9250 104
IOS UDP 192.168.030.002 11826 079.024.059.147 31351 192.168.001.100 9251 105
IOS UDP 192.168.030.002 11826 193.198.056.247 45682 192.168.001.100 9115 16
IOS TCP 192.168.030.002 2254 064.012.028.207 443 192.168.001.100 9116 352
IOS UDP 192.168.030.002 11826 095.076.135.237 18586 192.168.001.100 9258 147
IOS UDP 192.168.030.002 11826 151.048.102.187 45873 192.168.001.100 9093 18
IOS TCP 192.168.030.002 2287 205.188.001.209 443 192.168.001.100 9123 144
IOS TCP 192.168.030.002 2296 064.012.030.056 443 192.168.001.100 9124 223
IOS UDP 192.168.030.001 5060 083.211.227.015 5060 192.168.001.100 9100 110
IOS UDP 192.168.030.002 11826 217.164.063.250 36112 192.168.001.100 9127 149
IOS TCP 192.168.030.002 2200 064.004.061.123 1863 192.168.001.100 9104 350
IOS UDP 192.168.030.002 11826 093.146.163.169 31586 192.168.001.100 9130 103
IOS TCP 192.168.030.002 2366 080.230.085.012 30615 192.168.001.100 9217 355Meaning of parameters:
S (SIDE)It's composed by two letters. The first shows the input side
and the second the translation side (I :
INSIDE, O: OUTSIDE, V: VPN,
D: DMZ).
AIt shows if the translation must be applied to the suorce
address or to the destination one(S: SOURCE,
D: DESTINATION).
TYPEIt shows the packet's protocol. The translation is applied only if TYPE matches with the protocol of the packets to analyse (ICMP, UDP, DNS, SNTP, SNMP, TCP, FTPc, FTPd, FRAG, PPTc, PPTd).
SRC-ADDRESSIt shows the applied filter on the source address. If the received packet source address doesn't match with SRC-ADDRESS, the translation isn't applied.
SP/IDIf TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify if the translation matches. If TYPE is TCP or UDP, it shows the packet source port.
DST-ADDRESSIt shows the applied filter on the destination address. If the received packet destination address doesn't match with DST-ADDRESS, the translation isn't applied.
DP/IDIf TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify if the translation matches. If TYPE is TCP or UDP, it shows the packet destination port.
ALS-ADDRESSIf TYPE, SRC-ADDRESS, SP/ID, DST-ADDRESS, DP/ID, ALS-ADDRESS match, it shows the new IP address which will be assigned to the one in the packet. If A:S, the source address is replaced with ALS-ADDRESS. if A:D, the destination address is replaced with ALS-ADDRESS.
ALIASIf TYPE, SRC-ADDRESS, SP/ID, DST-ADDRESS, DP/ID, ALS-ADDRESS match, it shows the new DP/ID which will be assigned to the one in the packet. If A:S, the current SP/ID is replaced with ALIAS. if A:D, the DP/ID is replaced with ALIAS.
TMIt's the translation lifetime. When TM reaches 0, the translation is deleted. Each time the translation is matched, the TM is initialized to a specific value depending of NAT resource configuration.
| |  | |
| 26.2. NAT Aliases table |  | 26.4. Examples of NAT configuration |