show nat pool
Displays the current NAT pool configuration, including pool name, IP address range, and usage statistics.
Overview
The 'show nat pool' command on Cisco ASA Firewall is used to display the configuration and current utilization of NAT (Network Address Translation) pools. A NAT pool is a range of public IP addresses that the ASA can use to translate private IP addresses from internal hosts to public addresses when traffic exits through a specific interface. This command is essential for verifying that NAT pools are correctly defined and for monitoring address consumption. The concept behind NAT pools is to provide a set of reusable public IPs for outbound or inbound translations. When a host initiates a connection, the ASA selects an available IP from the pool (and a port if PAT is enabled) to create a translation. The command shows key parameters: pool name, IP range, subnet mask, PAT status, associated interface, and address counts. On Cisco ASA, NAT pools are configured under global NAT or object NAT policies. This command fits into troubleshooting workflows when users report connectivity issues; checking pool utilization can quickly reveal if the pool is exhausted. Unlike Cisco IOS routers, the ASA uses a stateful firewall approach and tracks translations in the xlate table. The 'show nat pool' command is read-only and does not affect translations. It is commonly used after configuration changes to ensure the pool is correctly applied, or during capacity planning to determine if additional addresses are needed.
show nat pool [pool-name]
When to Use This Command
- Verify that a NAT pool has been correctly configured with the expected IP address range.
- Monitor the number of used and available addresses in a NAT pool to plan for expansion.
- Troubleshoot NAT failures by checking if a pool is exhausted or misconfigured.
- Audit NAT pool assignments after configuration changes or during network maintenance.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| pool-name | pool-name | Optional parameter to display a specific NAT pool by name. If omitted, all configured NAT pools are shown. The pool name is case-sensitive and must match exactly as configured. |
Command Examples
Display all NAT pools
show nat pool
NAT Pool Global:
pool-name: MY_POOL
start-address: 203.0.113.10
end-address: 203.0.113.20
netmask: 255.255.255.0
pat: enabled
interface: outside
total addresses: 11
used addresses: 5
available addresses: 6
pool-name: SECOND_POOL
start-address: 198.51.100.1
end-address: 198.51.100.10
netmask: 255.255.255.0
pat: disabled
interface: inside
total addresses: 10
used addresses: 10
available addresses: 0
Shows two NAT pools. MY_POOL has PAT enabled, with 11 total addresses and 5 in use. SECOND_POOL has PAT disabled, and all 10 of its addresses are used (the pool is exhausted).
Display a specific NAT pool
show nat pool MY_POOL
NAT Pool MY_POOL:
start-address: 203.0.113.10
end-address: 203.0.113.20
netmask: 255.255.255.0
pat: enabled
interface: outside
total addresses: 11
used addresses: 5
available addresses: 6
Displays details for pool MY_POOL only. PAT is enabled, meaning multiple internal hosts can share a single public IP. 5 addresses are currently in use.
Understanding the Output
The 'show nat pool' command output lists each configured NAT pool with its parameters. The pool-name identifies the pool. start-address and end-address define the IP address range. netmask indicates the subnet mask for the pool. pat shows whether Port Address Translation (PAT) is enabled or disabled for the pool. interface specifies which ASA interface the pool is associated with. total addresses is the number of IPs in the range. used addresses shows how many are currently allocated to NAT translations. available addresses is the difference between total and used.

A healthy pool has available addresses greater than zero. A problem value is an available addresses count of zero, indicating pool exhaustion: new NAT translations will fail until old translations time out or are cleared. If PAT is disabled, each translation consumes a full IP address, so exhaustion can occur quickly with many concurrent flows. If PAT is enabled, many translations can share an IP, but port exhaustion is still possible. Monitoring used versus available addresses supports both capacity planning and troubleshooting.
Configuration Scenarios
Configuring a NAT Pool for Outbound PAT
A company has a /28 public subnet (203.0.113.16/28) and wants to allow 200 internal users to access the internet using PAT. The pool will use 14 usable IPs.
Topology
Internal Network (10.0.0.0/8) --- ASA (outside: 203.0.113.17/28) --- Internet
Steps
1. Create a NAT pool named OUTBOUND_PAT with the public IP range.
2. Configure a NAT rule to translate internal traffic to the pool with PAT enabled.
3. Apply the NAT rule to the outside interface.
! Define the pool as a network object with the public range
object network OUTBOUND_PAT
 range 203.0.113.18 203.0.113.31
! Apply dynamic PAT from inside to outside using the pool; the trailing 'interface' keyword
! falls back to the outside interface address if the pool's ports are all in use
nat (inside,outside) source dynamic any pat-pool OUTBOUND_PAT interface
Verify: Use 'show nat pool OUTBOUND_PAT' to verify the pool exists and has available addresses. Use 'show xlate' to see active translations using the pool.
Watch out: Ensure the pool IPs do not overlap with the ASA interface IP or other static NATs. Also, the pool must be on the same subnet as the outside interface or routable.
Configuring a One-to-One NAT Pool for Inbound Access
A company needs to map 5 internal servers to 5 public IPs for inbound access. PAT is disabled to allow incoming connections.
Topology
Internal Servers (10.0.1.0/24) --- ASA (outside: 203.0.113.1/24) --- Internet
Steps
1. Create a NAT pool with 5 public IPs.
2. Configure static NAT for each server using the pool.
3. Ensure no PAT is applied.
! Create the pool object covering the 5 public IPs
object network SERVER_POOL
 range 203.0.113.10 203.0.113.14
! Configure one-to-one static NAT per server (object names SERVER_10/SERVER_11 are illustrative);
! static NAT never applies PAT, so each server keeps a dedicated public IP
object network SERVER_10
 host 10.0.1.10
 nat (inside,outside) static 203.0.113.10
object network SERVER_11
 host 10.0.1.11
 nat (inside,outside) static 203.0.113.11
...
Verify: Use 'show nat pool SERVER_POOL' to see all addresses used. Use 'show xlate' to verify translations.
Watch out: One-to-one NAT pools require that each internal host has a dedicated public IP. If the pool runs out, new hosts cannot be mapped. Also, ensure the public IPs are routable from the internet.
Troubleshooting with This Command
When users report that they cannot access the internet or external resources, the 'show nat pool' command is a first step in troubleshooting NAT issues. Begin by checking if the pool exists and has available addresses. If 'available addresses' is zero, the pool is exhausted. For PAT pools, even if addresses are available, port exhaustion can occur; check 'show xlate' for many translations using the same IP. If the pool is exhausted, consider expanding the pool by adding more IPs or reducing the translation timeout. If the pool is not shown, verify that the NAT rule referencing the pool is correctly configured. Use 'show running-config nat' to see NAT rules. If the pool shows but no translations are using it, check that the NAT rule is applied to the correct interface and that traffic is matching the rule. Also, verify that the pool's subnet is reachable; if the pool IPs are not on the same subnet as the egress interface, ensure routing is in place. On ASA, NAT pools are often used with dynamic PAT; if PAT is disabled, each translation consumes an entire IP, so exhaustion happens quickly. Monitor 'used addresses' over time to predict when expansion is needed. If the pool is correctly configured but translations fail, check for ACLs blocking traffic or inspect the xlate table for errors. The 'show nat pool' command does not show per-IP usage; for that, use 'show xlate' with filters. In summary, this command quickly identifies if the pool is the bottleneck.
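The following added example (not from this page or from Cisco) turns the checks described in "Understanding the Output" and in the troubleshooting workflow above into code: a small Python parser for 'show nat pool' output in the format shown on this page that flags exhausted pools and pools above a utilization threshold. The field names follow the sample output above; the embedded sample text and the 80% warning threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two pools shown earlier on this page (address lines omitted).
SAMPLE_OUTPUT = """NAT Pool Global:
pool-name: MY_POOL
pat: enabled
interface: outside
total addresses: 11
used addresses: 5
available addresses: 6
pool-name: SECOND_POOL
pat: disabled
interface: inside
total addresses: 10
used addresses: 10
available addresses: 0
"""

@dataclass
class NatPool:
    name: str
    pat_enabled: bool
    interface: str
    total: int
    used: int
    available: int

def parse_show_nat_pool(text: str) -> list[NatPool]:
    """One record per pool; a new record starts at every 'pool-name:' line."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z][a-z -]*?)\s*:\s*(\S.*)$", line, re.I)
        if not m:
            continue  # banner lines such as 'NAT Pool Global:' carry no value
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "pool-name":
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return [NatPool(r["pool-name"], r["pat"].lower() == "enabled", r["interface"],
                    int(r["total addresses"]), int(r["used addresses"]),
                    int(r["available addresses"])) for r in records]

def assess(pool: NatPool, warn_at: float = 0.8) -> str:
    """EXHAUSTED when nothing is free, WARN at or above the utilization threshold, else OK."""
    if pool.available == 0:
        return "EXHAUSTED"
    return "WARN" if pool.used / pool.total >= warn_at else "OK"
```

Feed it the captured output of 'show nat pool' (for example, saved from a session log) and review any pool that does not come back OK; a WARN on a PAT-disabled pool deserves attention first, since each new flow there consumes a whole address.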
CCNA Exam Tips
Remember that 'show nat pool' displays configured pools, not active translations; use 'show xlate' for active translations.
Know that PAT enabled means many-to-one NAT; PAT disabled means one-to-one NAT (each translation uses a unique IP).
Be able to identify pool exhaustion (available addresses = 0) as a common cause of NAT failures on the ASA.
Common Mistakes
Confusing 'show nat pool' with 'show xlate' – the former shows pool configuration, the latter shows active translations.
Assuming PAT is always enabled; some pools may have PAT disabled, requiring one IP per translation.
Forgetting that pool exhaustion can occur even with PAT if the pool is too small or port ranges are exhausted.
Platform Notes
On Cisco ASA, NAT pools are defined using object networks with a range or subnet. The 'show nat pool' command is specific to ASA and is not available on Cisco IOS routers. On IOS, similar functionality is provided by 'show ip nat translations' and 'show ip nat statistics'. The ASA also supports 'show xlate' to view active translations. In ASA version 8.3 and later, NAT configuration moved to object-based NAT, which is more flexible. Earlier versions used policy NAT. The 'show nat pool' command works across all modern ASA versions. When migrating from PIX to ASA, the command syntax remains similar. For cloud-based ASAv, the command behaves identically. Note that on ASA, NAT pools are not used for static NAT; static NAT uses individual IP mappings. The pool command is primarily for dynamic NAT and PAT. Also, the ASA supports interface PAT (using the interface IP) without a pool; 'show nat pool' will not show interface PAT. For interface PAT, use 'show nat' or 'show running-config nat'.