1.1.5 Verifying PAT configuration / 1.1.6 Troubleshooting NAT and PAT configuration

1.1.5 Verifying PAT configuration
Once NAT is configured, use the clear and show commands to verify that it is operating as expected.
By default, dynamic address translations will time out from the NAT translation table after a period of non-use. When port translation is not configured, translation entries time out after 24 hours, unless the timers are reconfigured with the ip nat translation timeouttimeout_ seconds command from global configuration mode. Clear the entries before the timeout by using one of the commands in Figure .
Translation information may be displayed by performing one of the tasks in EXEC mode .
Alternatively, use the show run command and look for NAT, access list, interface, or pool commands with the required values.

1.1.6 Troubleshooting NAT and PAT configuration
When IP connectivity problems in a NAT environment exist, it is often difficult to determine the cause of the problem. Many times NAT is mistakenly blamed, when in reality there is an underlying problem.
When trying to determine the cause of an IP connectivity problem, it helps to rule out NAT. Use the following steps to determine whether NAT is operating as expected:

1. Based on the configuration, clearly define what NAT is supposed to achieve.
2. Verify that correct translations exist in the translation table.
3. Verify the translation is occurring by using show and debug commands.
4. Review in detail what is happening to the packet and verify that routers have the correct routing information to move the packet along.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip natdetailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.
Figure shows a sample debug ip nat output. In this example, the first two lines of the debugging output show that a Domain Name System (DNS) request and reply were produced. The remaining lines show the debugging output of a Telnet connection from a host on the inside of the network to a host on the outside of the network.
Decode the debug output by using the following key points:

• The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation will always go through the slow path, which means this first packet is process-switched. The remaining packets will go through the fast-switched path if a cache entry exists.
• s = a.b.c.d is the source address.
• Source address a.b.c.d is translated to w.x.y.z.
• d = e.f.g.h is the destination address.

The value in brackets is the IP identification number. This information may be useful for debugging. This is useful, for example, because it enables correlation with other packet traces from protocol analyzers.