show xlate
Displays active Network Address Translation (NAT) translations in the ASA firewall, showing the mapping between real and mapped addresses.
Overview
The 'show xlate' command is a fundamental troubleshooting tool on Cisco ASA firewalls, used to display the current state of Network Address Translation (NAT) translations. NAT is a method of remapping one IP address space into another by modifying network address information in IP packet headers while they are in transit across a traffic routing device. On the ASA, NAT is configured using object NAT or twice NAT, and the translations are dynamically created and maintained in the translation table. This command is essential for verifying that NAT is functioning as intended, especially when users report connectivity issues to external networks. It shows the mapping between real (private) and mapped (public) addresses, along with protocol, ports, and timers. The output helps engineers confirm that traffic is being translated correctly, identify whether translations are static or dynamic, and monitor the number of active translations to avoid exhausting the translation table. In troubleshooting workflows, 'show xlate' is often used after verifying NAT rules with 'show nat' and before checking connection states with 'show conn'. It provides a real-time snapshot of the translation table, which is critical for diagnosing asymmetric routing, PAT pool exhaustion, or misconfigured static NAT entries.
```
show xlate [detail] [global global_ip] [local local_ip] [port port] [protocol {tcp | udp}] [state {static | dynamic}] [interface if_name] [count]
```
When to Use This Command
- Verify that NAT translations are being created correctly for internal users accessing the internet.
- Troubleshoot connectivity issues when a host behind NAT cannot reach an external server.
- Monitor the number of active translations to ensure the translation table is not exhausted.
- Check the state of specific translations (e.g., static vs dynamic) for security auditing.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| detail | detail | Displays additional information per translation, including flags (static/dynamic), byte counts, and per-session details. Useful for in-depth analysis. |
| global global_ip | global global_ip | Filters translations by the mapped (global) IP address. Helps isolate translations for a specific public IP. |
| local local_ip | local local_ip | Filters translations by the real (local) IP address. Useful for checking translations for a specific internal host. |
| port port | port port | Filters translations by port number. Can be combined with protocol to narrow down to specific services. |
| protocol {tcp \| udp} | protocol {tcp \| udp} | Filters translations by protocol (TCP or UDP). Useful for focusing on specific traffic types. |
| state {static \| dynamic} | state {static \| dynamic} | Filters translations by state: static (permanent) or dynamic (temporary). Helps distinguish between different NAT types. |
| interface if_name | interface if_name | Filters translations by interface name (e.g., inside, outside). Useful for seeing translations on a specific network segment. |
| count | count | Displays only the count of translations without listing each one. Quick way to check translation table size. |
Command Examples
Basic show xlate output
```
show xlate
2 in use, 2 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from inside:10.1.1.10 to outside:203.0.113.10
tcp 203.0.113.10:12345 10.1.1.10:54321 idle 0:01:23 timeout 0:30:00
NAT from inside:10.1.1.20 to outside:203.0.113.20
icmp 203.0.113.20:12345 10.1.1.20:54321 idle 0:00:45 timeout 0:00:30
```
The first line shows the total translations in use and the peak usage; the second line explains the flags. Each translation entry shows the NAT direction, real and mapped addresses, protocol, ports, idle time, and timeout.
Detailed show xlate output
```
show xlate detail
2 in use, 2 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from inside:10.1.1.10 to outside:203.0.113.10 flags s idle 0:01:23 timeout 0:30:00
TCP 203.0.113.10:12345 10.1.1.10:54321, idle 0:01:23, timeout 0:30:00, bytes 1024
NAT from inside:10.1.1.20 to outside:203.0.113.20 flags i idle 0:00:45 timeout 0:00:30
ICMP 203.0.113.20:12345 10.1.1.20:54321, idle 0:00:45, timeout 0:00:30, bytes 512
```
Detail mode adds flags (s=static, i=dynamic), byte counts, and per-session details. Useful for identifying traffic volume and translation type.
Understanding the Output
The 'show xlate' command output begins with a summary line indicating the number of translations currently in use and the peak count since the last reset. The second line defines the flags that appear in subsequent entries: D for DNS, I for dynamic, r for portmap, s for static, T for twice NAT, and PAT for Port Address Translation. Each translation entry shows the NAT direction (e.g., 'NAT from inside:10.1.1.10 to outside:203.0.113.10'), followed by protocol-specific details. For TCP/UDP, it shows the mapped IP:port and real IP:port, along with idle time (how long since last packet) and timeout (remaining lifetime). For ICMP, it shows the mapped and real IPs with an ICMP identifier. Healthy values show low idle times (indicating active traffic) and timeouts that match configured values. Problem indicators include high idle times near timeout (suggesting stale translations), or a translation count approaching the platform limit (e.g., 65536 for PAT). The 'detail' option adds flags (s=static, i=dynamic), byte counts, and per-session breakdowns, which help in identifying translation type and traffic volume.
Configuration Scenarios
Verifying Dynamic PAT for Internet Access
A company uses dynamic PAT (Port Address Translation) to allow internal users to access the internet via a single public IP address.
Topology
Internet --- ASA (outside:203.0.113.1) --- inside:10.1.1.0/24
Steps
1. Configure dynamic PAT on the ASA: 'nat (inside,outside) dynamic interface'.
2. Have a user on 10.1.1.10 initiate a web request to an external server.
3. Run 'show xlate' to verify the translation is created.
```
! Configure dynamic PAT as object NAT (ASA 8.3+); the object name INSIDE_NET is an illustrative choice
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```
Verify: Run 'show xlate' and look for an entry like 'NAT from inside:10.1.1.10 to outside:203.0.113.1' with the PAT flag. Check the idle time to confirm that traffic is active.
Watch out: If the translation does not appear, verify that the NAT rule is applied to the correct interface pair and that the traffic is not being blocked by an ACL.
Troubleshooting Static NAT for a Web Server
A web server at 10.1.1.100 must be reachable from the internet via public IP 203.0.113.100.
Topology
Internet --- ASA (outside:203.0.113.1) --- DMZ:10.1.1.100
Steps
1. Configure static NAT: 'nat (dmz,outside) static 203.0.113.100 service tcp www www'.
2. From an external host, attempt to access http://203.0.113.100.
3. Run 'show xlate' to verify the static translation is active.
```
! Configure static NAT for the web server as object NAT (ASA 8.3+); the object name WEB_SERVER is an illustrative choice
object network WEB_SERVER
 host 10.1.1.100
 nat (dmz,outside) static 203.0.113.100 service tcp www www
```
Verify: Run 'show xlate' and look for an entry with 's' flag (static). The translation should show the real IP 10.1.1.100 and mapped IP 203.0.113.100. Also check 'show conn' for the TCP connection.
Watch out: Ensure that an access-list allows inbound traffic to the mapped IP on port 80. Also verify that the web server's default gateway points to the ASA's DMZ interface.
Troubleshooting with This Command
The 'show xlate' command is invaluable for troubleshooting NAT-related issues on Cisco ASA firewalls. When users cannot access external resources, the first step is to check whether translations are being created. Run 'show xlate' and look for entries matching the source IP of the user. If no translation exists, the problem may be with the NAT configuration or with traffic not reaching the ASA. Verify that the NAT rule is correctly applied to the interface pair and that the traffic is permitted by access-lists. If translations appear but traffic still fails, examine the flags: a 'PAT' flag indicates dynamic PAT, while 's' indicates static. Check the idle time; if it is high (close to the timeout), the translation may be stale or the traffic is not flowing. Use 'show xlate detail' to see byte counts; zero bytes suggest the translation is not being used. For PAT exhaustion, the translation count may reach the platform limit (e.g., 65536), causing new translations to fail. Use 'show xlate count' to quickly check the total. If the count is high, consider adding PAT pool addresses or using a different NAT method. For asymmetric routing issues, translations may appear in one direction but not the other; use 'show xlate' with the 'detail' option to see both directions. Additionally, compare with 'show conn' to ensure connections are established. If translations are being cleared prematurely, check the timeout values configured under 'timeout xlate' or the per-protocol timeouts. Finally, remember that 'clear xlate' can be used to reset the translation table for testing, but it will disrupt active sessions.
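The checks described in "Understanding the Output" and in the troubleshooting workflow above (translation table near its limit, idle time close to the timeout, zero byte counts) can be automated over saved 'show xlate detail' output. The following Python is an added example, not code from the original page or from Cisco; it assumes the 'show xlate detail' layout shown on this page, uses a constructed sample rather than real device output, and treats the 65536 limit and the 90% thresholds as illustrative defaults.

```python
import re
# Constructed sample in the 'show xlate detail' layout used on this page (not real device output).
SAMPLE = """\
3 in use, 3 most used
Flags: D - DNS, I - dynamic, r - portmap, s - static, T - twice, PAT - PAT
NAT from inside:10.1.1.10 to outside:203.0.113.10 flags s idle 0:01:23 timeout 0:30:00
TCP 203.0.113.10:12345 10.1.1.10:54321, idle 0:01:23, timeout 0:30:00, bytes 1024
NAT from inside:10.1.1.20 to outside:203.0.113.20 flags i idle 0:00:05 timeout 0:00:30
ICMP 203.0.113.20:12345 10.1.1.20:54321, idle 0:00:05, timeout 0:00:30, bytes 512
NAT from inside:10.1.1.30 to outside:203.0.113.30 flags i idle 0:28:00 timeout 0:30:00
TCP 203.0.113.30:23456 10.1.1.30:44444, idle 0:28:00, timeout 0:30:00, bytes 0
"""
SUMMARY = re.compile(r"^(\d+) in use, (\d+) most used")
HEADER = re.compile(r"^NAT from (\w+):(\S+) to (\w+):(\S+) flags (\S+) idle (\S+) timeout (\S+)")
SESSION = re.compile(r"^(\w+) (\S+) (\S+), idle (\S+), timeout (\S+), bytes (\d+)")

def to_seconds(hms):
    """Convert an H:MM:SS idle/timeout field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_xlate_detail(text):
    """Parse 'show xlate detail' text into the summary counters plus one dict per translation."""
    result = {"in_use": 0, "most_used": 0, "entries": []}
    current = None
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            result["in_use"], result["most_used"] = int(m[1]), int(m[2])
        elif m := HEADER.match(line):
            current = {"real_if": m[1], "real_ip": m[2], "mapped_if": m[3], "mapped_ip": m[4],
                       "static": "s" in m[5], "sessions": []}
            result["entries"].append(current)
        elif (m := SESSION.match(line)) and current is not None:
            current["sessions"].append({"proto": m[1].lower(), "mapped": m[2], "real": m[3],
                                        "idle": to_seconds(m[4]), "timeout": to_seconds(m[5]),
                                        "bytes": int(m[6])})
    return result

def find_problems(parsed, table_limit=65536, warn_fill=0.9, stale_ratio=0.9):
    """Apply the page's health checks: table near its limit, idle close to timeout, zero bytes."""
    problems = []
    if parsed["in_use"] >= table_limit * warn_fill:
        problems.append(("table_near_limit", parsed["in_use"]))
    for entry in parsed["entries"]:
        for sess in entry["sessions"]:
            if sess["timeout"] and sess["idle"] >= sess["timeout"] * stale_ratio:
                problems.append(("stale", entry["real_ip"]))
            if sess["bytes"] == 0:
                problems.append(("unused", entry["real_ip"]))
    return problems
```

Running `find_problems(parse_xlate_detail(SAMPLE))` flags only the third translation, whose idle time is within 10% of its timeout and which has moved no bytes; the first two are healthy.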
CCNA Exam Tips
Remember that 'show xlate' is used to verify NAT operations; know the difference between static (s flag) and dynamic (i flag) translations.
Be able to interpret the idle and timeout fields: idle time resets with each packet, timeout is the maximum idle period before the translation is removed.
Understand that 'show xlate count' gives a quick summary without listing all translations, useful for checking translation limits.
Common Mistakes
Confusing 'show xlate' with 'show nat' - 'show nat' displays NAT rules, while 'show xlate' shows active translations.
Assuming all translations are TCP/UDP; ICMP and other protocols also appear with their own identifiers.
Overlooking the flags field; for example, missing the 'PAT' flag can lead to misunderstanding the type of NAT.
Platform Notes
The 'show xlate' command is specific to the Cisco ASA platform; on Cisco IOS, similar functionality is provided by 'show ip nat translations'. The ASA uses a stateful firewall architecture, and translations are tied to connections. The output includes flags that are unique to the ASA, such as 'T' for twice NAT and 'r' for portmap. In ASA version 8.3 and later, NAT configuration changed significantly with the introduction of object NAT and twice NAT; 'show xlate' remains consistent across versions, but the underlying NAT rules differ. On other platforms such as Palo Alto or Fortinet, the equivalent commands are 'show session all' or 'get session', but they do not directly show NAT translations. The ASA also supports 'show xlate count' for a quick summary, which is not available on IOS. When migrating from the ASA to other platforms, engineers must adapt to different command syntaxes and output formats. Version differences: in ASA 8.4(2) and later, the 'detail' option provides more granular per-session information. Always consult the documentation for the specific version for any changes.