NAT · Privileged EXEC

clear xlate

Clears all or specified dynamic xlate (translation) entries from the ASA translation table, forcing new translations to be created for subsequent traffic.

Overview

The 'clear xlate' command is a vital tool in the Cisco ASA Firewall administrator's arsenal for managing Network Address Translation (NAT) translations. It is used to remove dynamic translation entries from the ASA's translation table, which maps internal private IP addresses to public global IP addresses (or vice versa). This command is particularly useful after making changes to NAT rules, as stale translations can cause traffic to be incorrectly translated or dropped. By clearing these entries, the ASA is forced to create new translations based on the updated configuration, ensuring that traffic flows according to the new policies.

The concept behind this command is the translation table, a dynamic database that the ASA maintains to keep track of active NAT sessions. Each entry includes the original source/destination IP and port, the translated IP and port, the protocol, and the state of the connection. When a packet matches a NAT rule, the ASA creates a translation entry and uses it for subsequent packets in the same session. Over time, these entries can become outdated if the NAT configuration changes, leading to issues such as asymmetric routing, connectivity failures, or security policy violations.

On the Cisco ASA Firewall, the 'clear xlate' command is executed in Privileged EXEC mode. It can be used with various filters to target specific translations, such as by local IP, global IP, port, state, or interface. This granularity allows network engineers to precisely remove only the problematic entries without affecting all active connections. The command is commonly used during troubleshooting workflows when investigating NAT-related issues. For example, if users report that they cannot access a particular server after a NAT rule change, clearing the translations for that server's IP can resolve the problem. Additionally, it is used in maintenance scenarios to reset the translation table before applying new NAT policies. Understanding how to effectively use 'clear xlate' is essential for any network professional working with Cisco ASA firewalls.

Syntax (Privileged EXEC)

clear xlate [local ip1[-ip2] [netmask mask]] [global ip1[-ip2] [netmask mask]] [port port] [state state] [interface name]

When to Use This Command

  • After changing NAT rules, clear stale translations to ensure new traffic uses updated NAT policies.
  • When troubleshooting connectivity issues caused by stuck or incorrect translations, clear specific entries to force re-translation.
  • Before performing maintenance on an inside server, clear its xlate entries to prevent lingering connections.
  • To free up memory or reset the translation table in a lab environment.

Parameters

Parameter: local
Syntax: local ip1[-ip2] [netmask mask]
Description: Specifies the inside local IP address or range. If a range is given, all translations with local addresses in that range are cleared. An optional netmask can be used to define the range.

Parameter: global
Syntax: global ip1[-ip2] [netmask mask]
Description: Specifies the global (outside) IP address or range. Translations with global addresses matching this parameter are cleared.

Parameter: port
Syntax: port port
Description: Clears translations that use the specified port number. This can be used in conjunction with local or global to narrow down the selection.

Parameter: state
Syntax: state state
Description: Clears translations that are in a specific state, such as 'open', 'closing', or 'idle'. This is useful for removing hung or incomplete translations.

Parameter: interface
Syntax: interface name
Description: Clears translations associated with a specific interface. The interface name must match the ASA's interface configuration (e.g., 'inside', 'outside').

Command Examples

Clear all translations

clear xlate

No output is displayed. All dynamic translation entries are removed from the table.

Clear translations for a specific inside host

clear xlate local 10.1.1.100

Clears all translations where the inside local address is 10.1.1.100. No output is shown.

Clear translations for a specific global IP

clear xlate global 203.0.113.5

Clears all translations where the global (outside) address is 203.0.113.5. No output is shown.

Understanding the Output

The 'clear xlate' command does not produce any output upon successful execution. It silently removes the specified translation entries from the ASA's translation table. To verify that translations have been cleared, use the 'show xlate' command before and after the clear operation. A healthy result shows no entries, or fewer entries, matching the filter you cleared. If matching entries remain after the clear, either the filter did not match the intended entries or the remaining translations are static and cannot be cleared with this command.

Configuration Scenarios

Clearing Translations After NAT Rule Change

An organization changes the NAT rule for a web server from using a specific global IP to a different one. After the change, users cannot access the server because old translations still point to the previous global IP.

Topology

Internet --- ASA (outside: 203.0.113.1) --- inside (10.1.1.0/24) Web Server: 10.1.1.100

Steps

  1. Identify the old global IP used for the web server (e.g., 203.0.113.10).
  2. Clear translations for that global IP: 'clear xlate global 203.0.113.10'.
  3. Verify that the old translations are removed: 'show xlate global 203.0.113.10' should return no entries.
  4. Test access to the web server from the outside to confirm connectivity.

Configuration

! No configuration change needed for the clear command itself.
! The NAT rule change would be something like:
! object network WEB_SERVER
!  host 10.1.1.100
! nat (inside,outside) static 203.0.113.20
! (previously was static 203.0.113.10)

Verify: Use 'show xlate' to confirm that the translation for 10.1.1.100 now uses the new global IP 203.0.113.20.

Watch out: If the web server has active connections, clearing translations will drop those connections. Ensure this is done during a maintenance window or inform users.

Clearing Translations for a Specific Inside Host

A user on the inside network (10.1.1.50) is experiencing connectivity issues to an external site. The administrator suspects a stuck translation.

Topology

Inside Host: 10.1.1.50 --- ASA --- Internet

Steps

  1. Clear translations for the inside host: 'clear xlate local 10.1.1.50'.
  2. Ask the user to retry the connection.
  3. If the issue persists, check the NAT configuration for that host.

Verify: After clearing, the user should be able to connect. Use 'show xlate local 10.1.1.50' to see the new translation.

Watch out: Clearing translations for a host will disrupt all its active connections. Use with caution.

Troubleshooting with This Command

The 'clear xlate' command is a primary tool for troubleshooting NAT-related issues on the Cisco ASA Firewall. When users report connectivity problems that may be due to incorrect or stale translations, the first step is to examine the current translation table using 'show xlate'. If you find entries that do not match the current NAT configuration, or if you suspect that a translation is stuck (e.g., in a 'closing' state for too long), you can use 'clear xlate' to remove those entries. This forces the ASA to create new translations based on the current configuration, which often resolves the issue.

For example, if a server's NAT rule was changed but old translations persist, traffic may still be translated to the old global IP, causing asymmetric routing or access failures. By clearing the specific translations for that server's local IP, you ensure that new traffic uses the updated rule. Similarly, if a host is unable to establish new connections because its translation table is full or contains erroneous entries, clearing all translations for that host can free up resources and allow new sessions.

It is important to note that 'clear xlate' only affects dynamic translations. Static NAT entries are not removed by this command; they must be removed by deleting the static NAT configuration. Additionally, clearing translations will terminate all active connections associated with those entries. Therefore, it should be used with caution in production environments, preferably during maintenance windows or after informing affected users. After clearing, always verify with 'show xlate' that the problematic entries are gone and that new translations are being created correctly.
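The "Understanding the Output" section, the web-server scenario above and this troubleshooting section all rely on the same workflow: snapshot 'show xlate', clear only what matches, and compare. The following Python script is an added example and is not from the page or from Cisco; it parses two constructed 'show xlate' snapshots written in the ASA 8.3+ output format (the "NAT from ... to ..." and "TCP PAT from ... to ..." lines with a trailing or continuation "flags" field), shows how many entries a bare 'clear xlate' would remove versus a 'clear xlate global' filter, and reports any entries still pointing at the old global IP afterwards, tagging static ('s' flag) leftovers as the page explains them. The addresses are the page's topology; the sample output itself is constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `show xlate` snapshots (ASA 8.3+ format) for the page's scenario:
# web server 10.1.1.100 moves from global 203.0.113.10 to 203.0.113.20.
SHOW_XLATE_BEFORE = """\
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:10.1.1.100 to outside:203.0.113.10
    flags s idle 0:00:03 timeout 0:00:00
TCP PAT from inside:10.1.1.100/443 to outside:203.0.113.10/443 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:10.1.1.50/49152 to outside:203.0.113.1/10234 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:10.1.1.50/5353 to outside:203.0.113.1/10235 flags ri idle 0:01:10 timeout 0:00:30
"""

SHOW_XLATE_AFTER = """\
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:10.1.1.100 to outside:203.0.113.20
    flags s idle 0:00:02 timeout 0:00:00
TCP PAT from inside:10.1.1.50/49152 to outside:203.0.113.1/10234 flags ri idle 0:00:08 timeout 0:00:30
UDP PAT from inside:10.1.1.50/5353 to outside:203.0.113.1/10235 flags ri idle 0:01:17 timeout 0:00:30
"""

# One translation line: "[TCP|UDP|ICMP] PAT" or plain "NAT", local and global
# endpoints as interface:ip[/port], and optionally the flags on the same line.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+PAT|NAT)\s+from\s+"
    r"(?P<lif>\S+?):(?P<lip>[\d.]+)(?:/(?P<lport>\d+))?\s+to\s+"
    r"(?P<gif>\S+?):(?P<gip>[\d.]+)(?:/(?P<gport>\d+))?"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
)
# Indented continuation line that carries the flags for the entry above it.
FLAGS_RE = re.compile(r"^\s+flags\s+(?P<flags>\S+)")


@dataclass
class Xlate:
    proto: Optional[str]          # None for a plain (non-PAT) NAT entry
    local_ip: str
    local_port: Optional[int]
    global_ip: str
    global_port: Optional[int]
    flags: str = ""

    @property
    def is_static(self) -> bool:
        return "s" in self.flags


def parse_show_xlate(text: str) -> List[Xlate]:
    """Parse `show xlate` output into Xlate records; header lines are skipped."""
    entries: List[Xlate] = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            entries.append(Xlate(
                proto=m.group("proto"),
                local_ip=m.group("lip"),
                local_port=int(m.group("lport")) if m.group("lport") else None,
                global_ip=m.group("gip"),
                global_port=int(m.group("gport")) if m.group("gport") else None,
                flags=m.group("flags") or "",
            ))
            continue
        fm = FLAGS_RE.match(line)
        if fm and entries:
            entries[-1].flags = fm.group("flags")
    return entries


def impacted(entries: List[Xlate], local_ip: Optional[str] = None,
             global_ip: Optional[str] = None) -> List[Xlate]:
    """Entries a `clear xlate [local X] [global Y]` would target; with no filter
    every entry is hit, which is the blanket disruption the page warns about."""
    return [x for x in entries
            if (local_ip is None or x.local_ip == local_ip)
            and (global_ip is None or x.global_ip == global_ip)]


def plan_clear(entries: List[Xlate], old_global_ip: str) -> List[str]:
    """Targeted command for entries still pointing at the old global IP."""
    return [f"clear xlate global {old_global_ip}"] if impacted(entries, global_ip=old_global_ip) else []


def verify_cleared(after: List[Xlate], old_global_ip: str) -> List[Tuple[Xlate, str]]:
    """Leftover entries on the old global IP after the clear, each with the
    explanation the page gives: a static entry, or a filter that did not match."""
    return [(x, "static translation; remove the static NAT configuration"
             if x.is_static else "not matched by the clear filter")
            for x in impacted(after, global_ip=old_global_ip)]


if __name__ == "__main__":
    before = parse_show_xlate(SHOW_XLATE_BEFORE)
    print(f"bare 'clear xlate' would drop {len(impacted(before))} translations;")
    print(f"'clear xlate global 203.0.113.10' drops {len(impacted(before, global_ip='203.0.113.10'))}")
    for cmd in plan_clear(before, "203.0.113.10"):
        print("run:", cmd)
    for x, why in verify_cleared(parse_show_xlate(SHOW_XLATE_AFTER), "203.0.113.10"):
        print("still present:", x, "->", why)
```

Feed the real 'show xlate' output into parse_show_xlate() before and after the clear; an empty verify_cleared() result confirms the old global IP is gone, and the impacted() counts make the difference between a filtered and an unfiltered clear visible before you run it.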

CCNA Exam Tips

  1. Remember that 'clear xlate' only affects dynamic translations; static NAT entries are not cleared unless you remove the static NAT configuration.
  2. On the CCNP Security exam, know that clearing translations can disrupt active connections; it should be done during maintenance windows.
  3. Be aware that the 'clear xlate' command can be filtered by local or global IP, port, state, or interface to target specific entries.

Common Mistakes

  • Using 'clear xlate' without any filter when only specific entries need to be cleared, causing unnecessary disruption to all active translations.
  • Assuming that clearing translations will immediately fix connectivity issues without verifying that the underlying NAT configuration is correct.
  • Forgetting that static NAT entries are not removed by 'clear xlate'; they persist until the static NAT configuration is removed.

Platform Notes

On the Cisco ASA Firewall, the 'clear xlate' command behaves similarly to the 'clear ip nat translation' command on Cisco IOS routers, but with some differences. The ASA uses a stateful firewall architecture, and its translation table is tightly integrated with the connection table. Clearing translations on the ASA also clears the associated connection entries, which can impact stateful inspection. In contrast, IOS NAT does not have the same level of stateful inspection integration.

Another difference is that the ASA supports more granular filtering options for 'clear xlate', such as by interface, port, and state. IOS NAT's 'clear ip nat translation' has fewer filtering capabilities. Additionally, the ASA's translation table includes entries for both source and destination NAT, while IOS NAT typically only tracks source NAT.

In terms of version differences, the 'clear xlate' command has been available since early ASA versions and has remained largely consistent. However, newer ASA versions (9.x and later) introduced additional features like Twice NAT, which may require clearing translations for both source and destination. The command syntax remains the same, but the underlying translation table may contain more complex entries.

For equivalent commands on other platforms, on Palo Alto Networks firewalls, the command is 'clear nat rule' or 'clear session all' to reset translations. On Check Point, you can use 'fw ctl nat -c' to clear NAT cache. Understanding these differences is important for multi-vendor environments.
