21.3. NAT diagnostics and statistics

21.3.1. NAT diagnostics

To display the diagnostics of the NAT resource, use the following commands:

d d nat / d de nat

Shows diagnostic information, such as the state of the resource, the current number of translations in the NAT table, the peak number of translations reached in the NAT table since start-up, and the maximum number of translations allowed in the table (this value corresponds to the dimtable parameter).

[18:06:40] ABILIS_CPX:d d nat

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       STATE:READY
       -----------|--- CUR ---|-- PEAK ---|--- MAX ---|
       LINKS      |          3|         43|       1000|
       LINKS%     |         0%|         4%|           |
       ------------------------------------------------

21.3.2. NAT statistics

To display the statistics of the NAT resource, use the following commands:

d s nat / d se nat

Shows statistical information, such as the number of processed ICMP/TCP/UDP/FTP/DNS/SNMP/SNTP packets, the number of processed FRAGMENT ID/FRAGMENT POINTER packets, etc.

[18:06:40] ABILIS_CPX:d s nat

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       --- Cleared 11 days 14:06:31 ago, on 16/04/2015 at 19:42:48 ------------
       REQ:95760726          SUCCESS:203109        IGNORED:95557585  
       OVERFLOW:0            TCP-RST:40211397      ERROR:0         
       FTP-OVR:0             DNS-OVR:0             SNMP-MF:0
       FTP-BCT:0             DNS-EF:0              PPTP-MT:0
       ------------------------------------------------------------------------
       -----------|---INSIDE--|--OUTSIDE--|----VPN----|----DMZ----|
       BLOCKED-MIL|          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ICMP-ERR   |          0|          0|          0|          0|
       TCP-ERR    |          0|          0|          0|          0|
       UDP-ERR    |          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ICMP-SRC   |       2062|          0|          0|          0|
       ICMP-DST   |          0|        459|          0|          0|
       TCP-SRC    |          0|          0|          0|          0|
       TCP-DST    |          0|          0|          0|          0|
       UDP-SRC    |      93034|          0|          0|          0|
       UDP-DST    |          0|     107554|          0|          0|
       GRE-SRC    |          0|          0|          0|          0|
       GRE-DST    |          0|          0|          0|          0|
       OTHERS-SRC |          0|          0|          0|          0|
       OTHERS-DST |          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ONATDISCARD|      31621|          0|          0|          0|
       ------------------------------------------------------------------------
       FRAG-ID:0                   FRAG-POINTER:0         
       FRAG-UNRESOLVED:0           FRAG-HEADER-FOUND:0         
       ------------------------------------------------------------------------

21.3.3. Debug of the NAT resource

Caution

To view these commands you need to have administrator or super user rights.

Type the following command to view the available debug commands:

[00:07:36] ABILIS_CPX:debug res:nat lsn:0

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       BufferLength:1959   Date/Time:28/04/2015 09:50:23 TraceTime:330933760

Usage:
   LSN:0                        - This help (default).
   LSN:1                        - Debug unavailable: use D NAT MAPS instead.
   LSN:2                        - View statistics and information.
   LSN:3 CMD:DISPLAY            - Show current NAT trace (default).
   LSN:3 CMD:ACT[,param,...]    - Activate the trace.

     List of NAT activate parameters (for LSN:3 CMD:ACT).
       No parameters (default) - Trace all packets unconditionally.
       CHK      - Trace packets with wrong checksum.
       TCPRST   - Trace packets when NAT originates a TCP reset.
       ERR      - Trace packets that cause an error.
       NOTLN    - Trace packets ignore TELNET packets..
       <IP add> - Trace packets only to/from these addresses (up to 4).

   LSN:3 CMD:START  - Start the trace.
   LSN:3 CMD:STOP   - Stop the trace.
   LSN:3 CMD:INACT  - Deactivate the trace.
   LSN:4            - Display headers of last 10 packets with checksum error.
   LSN:4 CMD:EXT    - Display last 10 packets with checksum error.
   LSN:4 CMD:CLR    - Clear checksum failures history.
   LSN:5            - View links between recods on the dynamic table.
   LSN:6 CMD:CLR    - Initialize Peak diagnostic information.
   LSN:7            - View translation filter.
   LSN:7 CDM:EXT    - View translation filter with extended translation info.
   LSN:8            - View configured table.
   LSN:9            - View virtual table.
   LSN:10           - View dynamic table.
   LSN:11           - View dynamic table with TCP session status.
   LSN:12           - Display information of last 100 UPNP commands.
   LSN:12 CMD:EXT   - Display extended information of last 100 UPNP commands.
   LSN:12 CMD:CLR   - Clear UPNP command history.
   LSN:13           - Display information of last 20 packets with ONAT discard error.
   LSN:13 CMD:CLR   - Clear ONAT discard failures history.
   LSN:14           - View optimized loop-back table.

To view the current NAT sessions, type:

[00:10:18] ABILIS_CPX:d nat maps

Number of records in standard table: 21

S A TYPE SRC-ADDRESS     SP/ID DST-ADDRESS     DP/ID ALS-ADDRESS     ALIAS  TM
-------------------------------------------------------------------------------
IOS UDP  192.168.030.002 11826 086.101.152.080 26211 192.168.001.100  9060  180
IOS UDP  192.168.030.002 11826 080.230.085.012 30615 192.168.001.100  9061   54
IOS UDP  192.168.030.002 11826 084.097.119.138 41956 192.168.001.100  9247   93
IOS UDP  192.168.030.002 11826 200.117.084.037 45252 192.168.001.100  9063  180
IOS UDP  192.168.030.002 11826 077.083.166.003 34588 192.168.001.100  9064  180
IOS UDP  192.168.030.002 11826 151.021.081.198 32605 192.168.001.100  9068  164
IOS TCP  192.168.030.002  2220 095.076.135.237 18586 192.168.001.100  9109  360
IOS UDP  192.168.030.002 11826 077.030.154.190 41899 192.168.001.100  9206   58
IOS UDP  192.168.030.002 11826 095.250.024.242 34375 192.168.001.100  9250  104
IOS UDP  192.168.030.002 11826 079.024.059.147 31351 192.168.001.100  9251  105
IOS UDP  192.168.030.002 11826 193.198.056.247 45682 192.168.001.100  9115   16
IOS TCP  192.168.030.002  2254 064.012.028.207   443 192.168.001.100  9116  352
IOS UDP  192.168.030.002 11826 095.076.135.237 18586 192.168.001.100  9258  147
IOS UDP  192.168.030.002 11826 151.048.102.187 45873 192.168.001.100  9093   18
IOS TCP  192.168.030.002  2287 205.188.001.209   443 192.168.001.100  9123  144
IOS TCP  192.168.030.002  2296 064.012.030.056   443 192.168.001.100  9124  223
IOS UDP  192.168.030.001  5060 083.211.227.015  5060 192.168.001.100  9100  110
IOS UDP  192.168.030.002 11826 217.164.063.250 36112 192.168.001.100  9127  149
IOS TCP  192.168.030.002  2200 064.004.061.123  1863 192.168.001.100  9104  350
IOS UDP  192.168.030.002 11826 093.146.163.169 31586 192.168.001.100  9130  103
IOS TCP  192.168.030.002  2366 080.230.085.012 30615 192.168.001.100  9217  355

Meaning of parameters:

S (SIDE)

It consists of two letters. The first shows the input side and the second the translation side (I: INSIDE, O: OUTSIDE, V: VPN, D: DMZ).

A

It shows whether the translation must be applied to the source address or to the destination address (S: SOURCE, D: DESTINATION).

TYPE

It shows the packet protocol. The translation is applied only if TYPE matches the protocol of the packet being analysed (ICMP, UDP, DNS, SNTP, SNMP, TCP, FTPc, FTPd, FRAG, PPTc, PPTd).

SRC-ADDRESS

It shows the filter applied to the source address. If the source address of the received packet doesn't match SRC-ADDRESS, the translation is not applied.

SP/ID

If TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify if the translation matches. If TYPE is TCP or UDP, it shows the packet source port.

DST-ADDRESS

It shows the filter applied to the destination address. If the destination address of the received packet doesn't match DST-ADDRESS, the translation is not applied.

DP/ID

If TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify if the translation matches. If TYPE is TCP or UDP, it shows the packet destination port.

ALS-ADDRESS

If TYPE, SRC-ADDRESS, SP/ID, DST-ADDRESS, DP/ID, ALS-ADDRESS match, it shows the new IP address which will replace the one in the packet. If A:S, the source address is replaced with ALS-ADDRESS. If A:D, the destination address is replaced with ALS-ADDRESS.

ALIAS

If TYPE, SRC-ADDRESS, SP/ID, DST-ADDRESS, DP/ID, ALS-ADDRESS match, it shows the new DP/ID which will replace the one in the packet. If A:S, the current SP/ID is replaced with ALIAS. If A:D, the DP/ID is replaced with ALIAS.

TM

It's the translation lifetime. When TM reaches 0, the translation is deleted. Each time the translation is matched, TM is initialized to a specific value that depends on the NAT resource configuration.
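
As an added example (not part of the Abilis documentation), the Python code below parses captured `d nat maps` output into the fields described above and reports source hosts that hold a large share of the translation table, which is a quick way to see who is consuming table entries before LINKS approaches MAX. Assumptions: the first column is read as three letters (two for S, one for A), as the header alignment in the sample suggests; the names `parse_maps` and `heavy_sources` and the 50% threshold are hypothetical; the sample rows are copied from the output shown on this page.

```python
import re
from collections import Counter

SIDES = {"I": "INSIDE", "O": "OUTSIDE", "V": "VPN", "D": "DMZ"}
APPLY = {"S": "SOURCE", "D": "DESTINATION"}
FIELDS = ("src", "sp_id", "dst", "dp_id", "als", "alias", "tm")
# Assumed row layout: <S: 2 letters><A: 1 letter> TYPE SRC SP/ID DST DP/ID ALS ALIAS TM
ROW = re.compile(
    r"^([IOVD])([IOVD])([SD])\s+(\S+)\s+([\d.]+)\s+(\d+)\s+([\d.]+)\s+(\d+)"
    r"\s+([\d.]+)\s+(\d+)\s+(\d+)$")

# Sample rows copied from the 'd nat maps' output on this page.
SAMPLE = """\
S A TYPE SRC-ADDRESS     SP/ID DST-ADDRESS     DP/ID ALS-ADDRESS     ALIAS  TM
-------------------------------------------------------------------------------
IOS UDP  192.168.030.002 11826 086.101.152.080 26211 192.168.001.100  9060  180
IOS UDP  192.168.030.002 11826 080.230.085.012 30615 192.168.001.100  9061   54
IOS TCP  192.168.030.002  2220 095.076.135.237 18586 192.168.001.100  9109  360
IOS TCP  192.168.030.002  2254 064.012.028.207   443 192.168.001.100  9116  352
IOS UDP  192.168.030.001  5060 083.211.227.015  5060 192.168.001.100  9100  110
"""

def norm_ip(addr):
    """'192.168.030.002' -> '192.168.30.2'; the output zero-pads each octet."""
    return ".".join(str(int(octet)) for octet in addr.split("."))

def parse_maps(text):
    """Turn the rows of 'd nat maps' into dicts keyed by the documented columns."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, prompt or blank line
        in_side, xl_side, apply_to, proto, *rest = m.groups()
        rec = dict(zip(FIELDS, rest))
        for key in ("src", "dst", "als"):
            rec[key] = norm_ip(rec[key])
        for key in ("sp_id", "dp_id", "alias", "tm"):
            rec[key] = int(rec[key])
        rec.update(input_side=SIDES[in_side], translation_side=SIDES[xl_side],
                   applies_to=APPLY[apply_to], type=proto)
        records.append(rec)
    return records

def heavy_sources(records, share=0.5):
    """Source hosts holding at least `share` of all current translations."""
    counts = Counter(r["src"] for r in records)
    return {ip: n for ip, n in counts.items() if n / len(records) >= share}

if __name__ == "__main__":
    print(heavy_sources(parse_maps(SAMPLE)))
```

The octet normalisation matters when the addresses are passed on to other tools, since many parsers reject or misread zero-padded octets.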