show nat
Displays the current Network Address Translation (NAT) configuration on the Cisco ASA Firewall.
Overview
The 'show nat' command is a fundamental diagnostic tool on Cisco ASA Firewalls for inspecting Network Address Translation (NAT) configurations. NAT is a critical networking concept that allows private IP addresses to be translated to public IP addresses for internet access, or to map internal servers to external addresses. On ASA, NAT policies are divided into two sections: Manual NAT (Section 1) and Auto NAT (Section 2). Manual NAT offers more flexibility with order control and can include 'after-auto' to place rules after Auto NAT. Auto NAT is simpler, configured within object definitions. The 'show nat' command displays all configured NAT rules, their order, and hit counters indicating how many packets have been translated. It is used during initial configuration verification, troubleshooting connectivity issues (e.g., when traffic fails to reach the internet or a server is unreachable), and auditing for security compliance. In troubleshooting workflows, after identifying a problem, an engineer runs 'show nat' to confirm that the expected NAT rule exists and is being hit. If hit counts are zero, further investigation into rule order, interface matching, or object definitions is needed. The command is also useful for checking the impact of NAT on VPN traffic or when integrating with other features like access-lists. Understanding the output helps engineers quickly pinpoint misconfigurations such as overlapping rules, incorrect interface assignments, or missing translations.
show nat [interface if_name] [static | dynamic] [after-auto] [detail] [verbose] [match (host ip | net netmask)]

When to Use This Command
- Verify NAT rules after configuration changes to ensure traffic is translated as expected.
- Troubleshoot connectivity issues where traffic is not being translated or is hitting the wrong NAT rule.
- Audit NAT policies for security compliance and identify any overlapping or redundant rules.
- Check the order of NAT rules, especially when using manual NAT with after-auto to ensure proper precedence.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| interface if_name | interface if_name | Filters the output to show only NAT rules that apply to the specified interface (e.g., inside, outside). Useful for focusing on a specific segment. |
| static | static | Displays only static NAT rules (one-to-one mappings). Helps isolate static translations from dynamic ones. |
| dynamic | dynamic | Displays only dynamic NAT rules (including PAT). Useful for reviewing dynamic translations. |
| after-auto | after-auto | Shows only manual NAT rules that are configured with the 'after-auto' keyword, which places them after Auto NAT rules. |
| detail | detail | Provides additional information such as source and translated IP ranges, descriptions, and more verbose output. |
| verbose | verbose | Displays even more detailed information, including the exact match criteria and hit counts per rule. |
| match (host ip \| net netmask) | match (host ip \| net netmask) | Filters rules that match a specific host IP or network. Useful for checking which NAT rule applies to a particular address. |
Command Examples
Basic NAT Configuration Display
```
show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 15, untranslate_hits = 10
2 (inside) to (outside) source static host1 host2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
3 (inside) to (outside) source dynamic obj-10.0.0.0 interface
    translate_hits = 5, untranslate_hits = 3
```
Line 1: Manual NAT rule #1 translates source network 'inside-net' dynamically to the outside interface IP. Line 2: Manual NAT rule #2 is a static NAT for host1 to host2. Line 3: Auto NAT rule #3 dynamically translates obj-10.0.0.0 to the interface IP. Each rule shows hit counts for translation and untranslation.
Detailed NAT Output
```
show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 15, untranslate_hits = 10
    Source IP: 10.0.0.0/24, Translated IP: 192.168.1.1
    Description: PAT for internal users

Auto NAT Policies (Section 2)
2 (inside) to (outside) source dynamic obj-10.0.0.0 interface
    translate_hits = 5, untranslate_hits = 3
    Source IP: 10.0.0.0/24, Translated IP: 192.168.1.1
    Description: Auto NAT for subnet
```
The 'detail' option adds source and translated IP ranges and optional descriptions. This helps identify exactly which networks are being translated and to what addresses.
Understanding the Output
The 'show nat' command output is organized by NAT sections: Manual NAT (Section 1) and Auto NAT (Section 2). Each rule is numbered sequentially. For each rule, you see the direction (source interface to destination interface), the type (static or dynamic), the original source object/network, and the translated address (often 'interface' for PAT). The hit counters 'translate_hits' and 'untranslate_hits' indicate how many packets have been translated and untranslated respectively. High hit counts confirm the rule is being used; zero hits may indicate a misconfiguration or that traffic is not matching. In detailed output, additional fields like source IP, translated IP, and description appear. Healthy values show non-zero hit counts for active rules; problem values include zero hits for expected traffic or overlapping rules that cause incorrect translation. The order of rules is critical; the first matching rule is applied. Use 'show nat' to verify rule order and ensure desired behavior.
Configuration Scenarios
Basic PAT for Internal Users
A company has an internal network 10.0.0.0/24 and wants all users to access the internet using the outside interface IP 192.168.1.1 via PAT.
Topology
Internet --- ASA (outside: 192.168.1.1) --- (inside: 10.0.0.1) --- Internal Network 10.0.0.0/24

Steps
1. Create a network object for the internal subnet:
   object network inside-net
    subnet 10.0.0.0 255.255.255.0
2. Configure dynamic PAT:
   nat (inside,outside) source dynamic inside-net interface

```
! Configuration
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
```
Verify: Run 'show nat' to verify the rule appears with correct interfaces and source object. Check hit counts increment when internal users access the internet.
Watch out: Ensure the access-list on the outside interface permits return traffic; otherwise, translations may be created but traffic fails.
Static NAT for a Web Server
A web server at 10.0.0.10 needs to be accessible from the internet via public IP 192.168.1.10.
Topology
Internet --- ASA (outside: 192.168.1.1) --- (inside: 10.0.0.1) --- Web Server 10.0.0.10

Steps
1. Create a network object for the server's real address and one for its public (mapped) address; manual NAT requires the mapped address to be an object rather than a literal IP:
   object network web-server
    host 10.0.0.10
   object network web-server-public
    host 192.168.1.10
2. Configure static NAT:
   nat (inside,outside) source static web-server web-server-public

```
! Configuration
object network web-server
 host 10.0.0.10
object network web-server-public
 host 192.168.1.10
nat (inside,outside) source static web-server web-server-public
```
Verify: Run 'show nat' to see the static rule. Use 'show xlate' to confirm active translation when traffic hits. Test from outside by pinging 192.168.1.10.
Watch out: Remember to configure an access-list allowing inbound traffic to the public IP; otherwise, the ASA will drop packets before NAT.
Troubleshooting with This Command
When troubleshooting NAT issues on a Cisco ASA, the 'show nat' command is your first step to verify that the expected NAT rules are configured and in the correct order. Start by running 'show nat' without options to see all rules. Look for the rule that should match your traffic. Check the hit counters: if 'translate_hits' is zero, the rule is not being used. Possible reasons include: the traffic is matching a previous rule (order issue), the source/destination interfaces are incorrect, the object definitions are wrong, or the traffic is not reaching the ASA. Use 'show nat detail' to see more specifics like IP ranges. If you suspect an order problem, use 'show nat' to list rules in sequence; manual NAT rules (Section 1) are processed before auto NAT (Section 2) unless 'after-auto' is used. You can also use 'show nat interface inside' to filter for a specific interface. For deeper analysis, combine with 'show xlate' to see active translations and 'show access-list' to verify permit rules. If hit counts are incrementing but traffic still fails, the issue may be with routing or access-lists. For example, if a static NAT rule has hits but the server is unreachable, check that the ASA has a route to the real server and that the access-list on the outside interface permits the traffic. Also, ensure that the NAT rule is not being overridden by a higher-priority rule. Use 'show nat match host 10.0.0.10' to see which rule matches a specific IP. In summary, 'show nat' helps isolate configuration errors, while complementary commands pinpoint the exact cause.
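As an added illustration of the hit-count and rule-order reasoning in this section and in "Understanding the Output" (example code written for this page, not a Cisco tool), the following Python parser reads output in the 'show nat detail' layout shown above, keeps the rules in the order the ASA lists them, and flags rules with zero translate_hits as well as rules whose source range an earlier rule on the same interface pair already covers. The sample output is constructed; rule 2's detail lines are assumed, and the coverage check compares source ranges only, ignoring destination and service qualifiers.

```python
import ipaddress
import re

# Constructed sample in this page's 'show nat detail' layout; rule 2's detail lines are assumed.
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 15, untranslate_hits = 10
    Source IP: 10.0.0.0/24, Translated IP: 192.168.1.1
2 (inside) to (outside) source static host1 host2
    translate_hits = 0, untranslate_hits = 0
    Source IP: 10.0.0.10/32, Translated IP: 192.168.1.10
Auto NAT Policies (Section 2)
3 (inside) to (outside) source dynamic obj-10.0.0.0 interface
    translate_hits = 5, untranslate_hits = 3
    Source IP: 10.0.0.0/24, Translated IP: 192.168.1.1
"""

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SRC_RE = re.compile(r"Source IP: (\S+), Translated IP: (\S+)")

def parse_show_nat(text):
    """Return rules in the order the ASA lists them, which is its processing order."""
    rules, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append({"section": section, "num": int(m.group(1)), "type": m.group(4),
                          "ifaces": (m.group(2), m.group(3)), "hits": None, "src": None})
        elif (m := HITS_RE.search(line)) and rules:
            rules[-1]["hits"] = (int(m.group(1)), int(m.group(2)))
        elif (m := SRC_RE.search(line)) and rules:
            rules[-1]["src"] = ipaddress.ip_network(m.group(1), strict=False)
    return rules

def audit(rules):
    """Flag zero-hit rules and rules whose source range an earlier rule on the same
    interface pair already covers (candidate shadowing; destination/service ignored)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["hits"] and rule["hits"][0] == 0:
            findings.append((rule["num"], "zero translate_hits"))
        for earlier in rules[:i]:
            if (earlier["ifaces"] == rule["ifaces"] and earlier["src"] and rule["src"]
                    and rule["src"].subnet_of(earlier["src"])):
                findings.append((rule["num"], f"source covered by rule {earlier['num']}"))
    return findings
```

Run against the sample, rule 2 is reported both for zero hits and as covered by rule 1, and the auto NAT rule 3 is reported as covered by rule 1, which matches the manual-before-auto ordering this section describes.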
CCNA Exam Tips
Remember that 'show nat' displays both manual and auto NAT policies; manual NAT has higher priority by default unless 'after-auto' is used.
Hit counts are crucial for troubleshooting; zero hits may indicate the rule is not being matched or is shadowed by a previous rule.
The 'detail' option provides additional information like translated IP ranges and descriptions, which can be helpful in exam scenarios.
Common Mistakes
Confusing 'show nat' with 'show xlate'; 'show nat' shows configuration, while 'show xlate' shows active translations.
Forgetting that NAT rules are processed in order; a rule with zero hits might be shadowed by a preceding rule.
Assuming 'show nat' shows real-time translation statistics; it shows cumulative hit counts since the last clear, not current active translations.
Platform Notes
On Cisco ASA, NAT configuration differs significantly from Cisco IOS routers. ASA uses a two-section NAT architecture (manual and auto), whereas IOS uses traditional NAT with ip nat inside/outside commands. The 'show nat' command on ASA is equivalent to 'show ip nat translations' on IOS but shows configuration rather than active translations. On ASA, 'show xlate' is the counterpart for active translations. ASA also supports 'after-auto' to change rule priority, which has no direct IOS equivalent. In terms of version differences, ASA 8.3 and later introduced the current NAT model; earlier versions used a different syntax. The 'show nat' command output has remained consistent since 8.3. For ASA running in transparent firewall mode, NAT is not supported, so 'show nat' would return no output. When migrating from PIX to ASA, note that the command set is similar but with enhancements. On other platforms like FTD (Firepower Threat Defense), the equivalent command is 'show nat' as well, but configuration is managed via FMC. Understanding these platform-specific behaviors is crucial for network engineers working in multi-vendor environments.