NAT · Privileged EXEC

show xlate

Displays active Network Address Translation (NAT) translations in the ASA firewall, showing the mapping between real and mapped addresses.

Overview

The 'show xlate' command is a fundamental troubleshooting tool on Cisco ASA firewalls, used to display the current state of Network Address Translation (NAT) translations. NAT is a method of remapping one IP address space into another by modifying network address information in IP packet headers while they are in transit across a traffic routing device. On the ASA, NAT is configured using object NAT or twice NAT, and the translations are dynamically created and maintained in the translation table. This command is essential for verifying that NAT is functioning as intended, especially when users report connectivity issues to external networks. It shows the mapping between real (private) and mapped (public) addresses, along with protocol, ports, and timers. The output helps engineers confirm that traffic is being translated correctly, identify whether translations are static or dynamic, and monitor the number of active translations to avoid exhausting the translation table. In troubleshooting workflows, 'show xlate' is often used after verifying NAT rules with 'show nat' and before checking connection states with 'show conn'. It provides a real-time snapshot of the translation table, which is critical for diagnosing asymmetric routing, PAT pool exhaustion, or misconfigured static NAT entries.

Syntax · Privileged EXEC
show xlate [detail] [global global_ip] [local local_ip] [port port] [protocol {tcp | udp}] [state {static | dynamic}] [interface if_name] [count]

When to Use This Command

  • Verify that NAT translations are being created correctly for internal users accessing the internet.
  • Troubleshoot connectivity issues when a host behind NAT cannot reach an external server.
  • Monitor the number of active translations to ensure the translation table is not exhausted.
  • Check the state of specific translations (e.g., static vs dynamic) for security auditing.

Parameters

Parameter | Syntax | Description
detail | detail | Displays additional information per translation, including flags (static/dynamic), byte counts, and per-session details. Useful for in-depth analysis.
global global_ip | global global_ip | Filters translations by the mapped (global) IP address. Helps isolate translations for a specific public IP.
local local_ip | local local_ip | Filters translations by the real (local) IP address. Useful for checking translations for a specific internal host.
port port | port port | Filters translations by port number. Can be combined with protocol to narrow down to specific services.
protocol {tcp | udp} | protocol {tcp | udp} | Filters translations by protocol (TCP or UDP). Useful for focusing on specific traffic types.
state {static | dynamic} | state {static | dynamic} | Filters translations by state: static (permanent) or dynamic (temporary). Helps distinguish between different NAT types.
interface if_name | interface if_name | Filters translations by interface name (e.g., inside, outside). Useful for seeing translations on a specific network segment.
count | count | Displays only the count of translations without listing each one. Quick way to check translation table size.

Command Examples

Basic show xlate output

show xlate
2 in use, 2 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from inside:10.1.1.10 to outside:203.0.113.10
    tcp 203.0.113.10:12345 10.1.1.10:54321 idle 0:01:23 timeout 0:30:00
NAT from inside:10.1.1.20 to outside:203.0.113.20
    icmp 203.0.113.20:12345 10.1.1.20:54321 idle 0:00:45 timeout 0:00:30

The first line shows the total number of translations in use and the peak usage. The second line explains the flags. Each translation entry shows the NAT direction, the real and mapped addresses, the protocol, the ports, the idle time, and the timeout.

Detailed show xlate output

show xlate detail
2 in use, 2 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from inside:10.1.1.10 to outside:203.0.113.10 flags s idle 0:01:23 timeout 0:30:00
  TCP 203.0.113.10:12345 10.1.1.10:54321, idle 0:01:23, timeout 0:30:00, bytes 1024
NAT from inside:10.1.1.20 to outside:203.0.113.20 flags i idle 0:00:45 timeout 0:00:30
  ICMP 203.0.113.20:12345 10.1.1.20:54321, idle 0:00:45, timeout 0:00:30, bytes 512

Detail mode adds flags (s=static, i=dynamic), byte counts, and per-session details. Useful for identifying traffic volume and translation type.

Understanding the Output

The 'show xlate' command output begins with a summary line indicating the number of translations currently in use and the peak count since the last reset. The second line defines the flags that appear in subsequent entries: D for DNS, I for dynamic, r for portmap, s for static, T for twice NAT, and PAT for Port Address Translation. Each translation entry shows the NAT direction (e.g., 'NAT from inside:10.1.1.10 to outside:203.0.113.10'), followed by protocol-specific details. For TCP/UDP, it shows the mapped IP:port and real IP:port, along with idle time (how long since last packet) and timeout (remaining lifetime). For ICMP, it shows the mapped and real IPs with an ICMP identifier. Healthy values show low idle times (indicating active traffic) and timeouts that match configured values. Problem indicators include high idle times near timeout (suggesting stale translations), or a translation count approaching the platform limit (e.g., 65536 for PAT). The 'detail' option adds flags (s=static, i=dynamic), byte counts, and per-session breakdowns, which help in identifying translation type and traffic volume.

Configuration Scenarios

Verifying Dynamic PAT for Internet Access

A company uses dynamic PAT (Port Address Translation) to allow internal users to access the internet via a single public IP address.

Topology

Internet --- ASA (outside:203.0.113.1) --- inside:10.1.1.0/24

Steps

  1. Configure dynamic PAT on the ASA: 'nat (inside,outside) dynamic interface'.
  2. Have a user on 10.1.1.10 initiate a web request to an external server.
  3. Run 'show xlate' to verify the translation is created.

Configuration
! Configure dynamic PAT
nat (inside,outside) dynamic interface

Verify: Run 'show xlate' and look for an entry like 'NAT from inside:10.1.1.10 to outside:203.0.113.1' with the PAT flag. Check the idle time to confirm that traffic is active.

Watch out: If the translation does not appear, verify that the NAT rule is applied to the correct interface pair and that the traffic is not being blocked by an ACL.

Troubleshooting Static NAT for a Web Server

A web server at 10.1.1.100 must be reachable from the internet via public IP 203.0.113.100.

Topology

Internet --- ASA (outside:203.0.113.1) --- DMZ:10.1.1.100

Steps

  1. Configure static NAT: 'nat (dmz,outside) static 203.0.113.100 service tcp www www'.
  2. From an external host, attempt to access http://203.0.113.100.
  3. Run 'show xlate' to verify the static translation is active.

Configuration
! Configure static NAT for web server
nat (dmz,outside) static 203.0.113.100 service tcp www www

Verify: Run 'show xlate' and look for an entry with 's' flag (static). The translation should show the real IP 10.1.1.100 and mapped IP 203.0.113.100. Also check 'show conn' for the TCP connection.

Watch out: Ensure that an access-list allows inbound traffic to the mapped IP on port 80. Also verify that the web server's default gateway points to the ASA's DMZ interface.

Troubleshooting with This Command

The 'show xlate' command is invaluable for troubleshooting NAT-related issues on Cisco ASA firewalls. When users cannot access external resources, the first step is to check whether translations are being created. Run 'show xlate' and look for entries matching the user's source IP. If no translation exists, the problem may be with the NAT configuration or with traffic not reaching the ASA: verify that the NAT rule is applied to the correct interface pair and that the traffic is permitted by access-lists.

If translations appear but traffic still fails, examine the flags: a 'PAT' flag indicates dynamic PAT, while 's' indicates static. Check the idle time; if it is high (close to the timeout), the translation may be stale or traffic is not flowing. Use 'show xlate detail' to see byte counts; zero bytes suggest the translation is not being used.

For PAT exhaustion, the translation count may reach the platform limit (e.g., 65536), causing new translations to fail. Use 'show xlate count' to quickly check the total. If the count is high, consider adding addresses to the PAT pool or using a different NAT method.

For asymmetric routing issues, translations may appear in one direction but not the other; use 'show xlate' with the 'detail' option to see both directions, and compare with 'show conn' to ensure connections are established. If translations are being cleared prematurely, check the timeout values configured under 'timeout xlate' or the per-protocol timeouts. Finally, remember that 'clear xlate' can be used to reset the translation table for testing, but it will disrupt active sessions.
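As an added example (not code from this page or from Cisco), the following Python parses 'show xlate detail' output in the layout shown under Understanding the Output and applies the checks described there and in this section: idle time close to the timeout, zero byte counts, and a translation count approaching the platform limit. The sample output is constructed, the 65536 limit is the figure quoted on this page, and the 90% threshold is an assumption.

```python
import re
# Constructed sample in the 'show xlate detail' layout shown on this page (not real device output)
SAMPLE = """\
3 in use, 5 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from dmz:10.1.1.100 to outside:203.0.113.100 flags s idle 0:00:05 timeout 0:30:00
  TCP 203.0.113.100:80 10.1.1.100:80, idle 0:00:05, timeout 0:30:00, bytes 48210
NAT from inside:10.1.1.10 to outside:203.0.113.1 flags i idle 0:29:50 timeout 0:30:00
  TCP 203.0.113.1:12345 10.1.1.10:54321, idle 0:29:50, timeout 0:30:00, bytes 1024
NAT from inside:10.1.1.20 to outside:203.0.113.1 flags i idle 0:00:10 timeout 0:30:00
  UDP 203.0.113.1:23456 10.1.1.20:40000, idle 0:00:10, timeout 0:30:00, bytes 0
"""
SUMMARY = re.compile(r"^(\d+) in use, (\d+) most used")
HEADER = re.compile(r"^NAT from (\S+):(\S+) to (\S+):(\S+) flags (\S+) idle (\S+) timeout (\S+)")
SESSION = re.compile(r"^\s+(\w+) (\S+) (\S+), idle \S+, timeout \S+, bytes (\d+)")

def hms(text):  # "h:mm:ss" timer field -> seconds
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_xlate(output):
    """Return (in_use, most_used, entries); each entry is one translation as a dict."""
    in_use = most_used = 0
    entries = []
    for line in output.splitlines():
        if m := SUMMARY.match(line):
            in_use, most_used = int(m[1]), int(m[2])
        elif m := HEADER.match(line):
            entries.append({"real_if": m[1], "real_ip": m[2], "mapped_if": m[3],
                            "mapped_ip": m[4], "flags": m[5],
                            "idle": hms(m[6]), "timeout": hms(m[7]), "bytes": 0})
        elif (m := SESSION.match(line)) and entries:
            # the indented per-session line belongs to the NAT header just above it
            entries[-1].update(proto=m[1], mapped=m[2], real=m[3], bytes=int(m[4]))
    return in_use, most_used, entries

def check_translations(output, table_limit=65536, ratio=0.9):
    """Apply the page's troubleshooting checks and return (subject, problem) pairs."""
    in_use, _, entries = parse_xlate(output)
    findings = []
    if in_use >= ratio * table_limit:
        findings.append(("table", "translation count near platform limit"))
    for e in entries:
        kind = "static" if "s" in e["flags"] else "dynamic"
        if e["idle"] >= ratio * e["timeout"]:  # idle close to timeout: stale or no traffic
            findings.append((e["real_ip"], f"stale {kind} translation"))
        if e["bytes"] == 0:                    # translation never carried traffic
            findings.append((e["real_ip"], f"unused {kind} translation"))
    return findings
```

Feed it the captured output of 'show xlate detail' from a session log to get a list of hosts whose translations deserve a closer look with 'show conn'.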

CCNA Exam Tips

1. Remember that 'show xlate' is used to verify NAT operations; know the difference between static (s flag) and dynamic (i flag) translations.

2. Be able to interpret the idle and timeout fields: idle time resets with each packet, timeout is the maximum idle period before the translation is removed.

3. Understand that 'show xlate count' gives a quick summary without listing all translations, useful for checking translation limits.

Common Mistakes

Confusing 'show xlate' with 'show nat' - 'show nat' displays NAT rules, while 'show xlate' shows active translations.

Assuming all translations are TCP/UDP; ICMP and other protocols also appear with their own identifiers.

Overlooking the flags field; for example, missing the 'PAT' flag can lead to misunderstanding the type of NAT.

Platform Notes

On Cisco ASA, 'show xlate' is specific to the ASA platform and differs from Cisco IOS where similar functionality is provided by 'show ip nat translations'. The ASA uses a stateful firewall architecture, and translations are tied to connections. The output includes flags that are unique to ASA, such as 'T' for twice NAT and 'r' for portmap. In ASA version 8.3 and later, NAT configuration changed significantly with the introduction of object NAT and twice NAT; 'show xlate' remains consistent across versions but the underlying NAT rules differ. On other platforms like Palo Alto or Fortinet, equivalent commands are 'show session all' or 'get session', but they do not directly show NAT translations. The ASA also supports 'show xlate count' for a quick summary, which is not available on IOS. When migrating from ASA to other platforms, engineers must adapt to different command syntaxes and output formats. Version differences: in ASA 8.4(2) and later, the 'detail' option provides more granular per-session information. Always consult the specific version documentation for any changes.
