debug ip nat
Use debug ip nat to monitor and troubleshoot NAT translations in real time on a Cisco router, displaying each packet's translation details as they occur.
When to Use This Command
- Verify that internal hosts are correctly translating to public IP addresses when accessing the internet.
- Troubleshoot why certain traffic is not being translated or is being dropped by NAT.
- Monitor NAT pool exhaustion or overload (PAT) behavior during peak usage.
- Identify misconfigured access-lists or route-maps that affect NAT translations.
Command Examples
Basic NAT translation debug
debug ip nat
NAT: s=192.168.1.10->10.0.0.10, d=8.8.8.8 [12345]
NAT: s=8.8.8.8, d=10.0.0.10->192.168.1.10 [54321]
First line: Outbound packet from inside host 192.168.1.10 is translated to 10.0.0.10 (inside global) destined to 8.8.8.8. Second line: Return packet from 8.8.8.8 to 10.0.0.10 is translated back to 192.168.1.10. The numbers in brackets are IP identification fields.
Debug with verbose output
debug ip nat verbose
NAT: i: icmp (192.168.1.10, 1) -> (10.0.0.10, 1) [12345]
NAT: o: icmp (8.8.8.8, 1) -> (192.168.1.10, 1) [54321]
The 'i:' indicates an inside-to-outside translation, 'o:' indicates outside-to-inside. Protocol (icmp), source IP and port/ICMP ID, translated IP and port/ID are shown. Useful for seeing protocol details.
Understanding the Output
The debug ip nat output shows each packet as it is translated. The format is: NAT: s=source_address->translated_source, d=destination_address->translated_destination [IP_ID]. For inside-to-outside, the source is translated; for outside-to-inside, the destination is translated. The IP identification number helps correlate packets. In verbose mode, you see direction (i: inside, o: outside), protocol, and port/ICMP ID. A healthy NAT shows consistent translations; missing translations or 'NAT: *' errors indicate problems like ACL misconfiguration or pool exhaustion. Watch for 'NAT: translation failed' messages which mean no translation entry could be created.
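As an added example (not part of this page), a short Python parser for the two output formats described above: it decides the direction of each line, maps inside-local to inside-global addresses, and flags 'NAT: *' and 'translation failed' messages. The sample session is constructed from the lines shown earlier; its last line is a hypothetical 'translation failed' message, not real router output.

```python
import re
from collections import defaultdict
# Added example (not from the page): parse plain and verbose 'debug ip nat' lines,
# decide direction, map inside-local to inside-global addresses, flag failures.
PLAIN = re.compile(r"^NAT: s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?, "
                   r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))? \[(?P<ipid>\d+)\]$")
VERBOSE = re.compile(r"^NAT: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\d.]+), (?P<sport>\d+)\)"
                     r" -> \((?P<xlat>[\d.]+), (?P<xport>\d+)\) \[(?P<ipid>\d+)\]$")

def parse_line(line):
    """Return a dict for one debug line, or None if it is not NAT output."""
    line = line.strip()
    if line.startswith("NAT: *") or "translation failed" in line:
        return {"kind": "error", "text": line}
    if m := PLAIN.match(line):
        d = m.groupdict()
        if d["src_x"]:  # source rewritten: inside-to-outside
            return {"kind": "plain", "direction": "inside-to-outside", "ipid": int(d["ipid"]),
                    "inside_local": d["src"], "inside_global": d["src_x"]}
        if d["dst_x"]:  # destination rewritten: outside-to-inside
            return {"kind": "plain", "direction": "outside-to-inside", "ipid": int(d["ipid"]),
                    "inside_local": d["dst_x"], "inside_global": d["dst"]}
        return None
    if m := VERBOSE.match(line):
        d = m.groupdict()
        inbound = d["dir"] == "o"
        # 'i:' shows (inside local) -> (inside global); 'o:' shows (outside host) -> (inside local)
        return {"kind": "verbose", "ipid": int(d["ipid"]), "proto": d["proto"],
                "direction": "outside-to-inside" if inbound else "inside-to-outside",
                "inside_local": d["xlat"] if inbound else d["src"],
                "inside_global": None if inbound else d["xlat"], "port": int(d["sport"])}
    return None

def summarize(lines):
    """Aggregate a capture into local->global mappings, inconsistencies and errors."""
    mappings, errors = defaultdict(set), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "error":
            errors.append(rec["text"])
        elif rec["inside_global"]:
            mappings[rec["inside_local"]].add(rec["inside_global"])
    # An inside-local address seen with several inside-global addresses is worth a look.
    return {"mappings": {k: sorted(v) for k, v in mappings.items()},
            "inconsistent": sorted(k for k, v in mappings.items() if len(v) > 1),
            "errors": errors}

# Constructed sample session; the last line is a made-up 'translation failed' message.
SAMPLE = ["NAT: s=192.168.1.10->10.0.0.10, d=8.8.8.8 [12345]",
          "NAT: s=8.8.8.8, d=10.0.0.10->192.168.1.10 [54321]",
          "NAT: i: icmp (192.168.1.10, 1) -> (10.0.0.10, 1) [12345]",
          "NAT: o: icmp (8.8.8.8, 1) -> (192.168.1.10, 1) [54321]",
          "NAT: s=192.168.1.10->10.0.0.11, d=8.8.8.8 [12346]",
          "NAT: translation failed (A), dropping packet s=192.168.1.12 d=8.8.8.8"]
```

Running summarize(SAMPLE) reports 192.168.1.10 translated to two different global addresses and one failure line, which is the kind of inconsistency the paragraph above tells you to watch for.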
CCNA Exam Tips
Remember that debug ip nat is a privileged EXEC command and can generate high CPU load; always use with caution and disable with 'undebug all'.
The exam may ask you to identify the direction of translation (inside-to-outside vs outside-to-inside) based on the output format.
Know that verbose mode shows protocol and port information, which is useful for PAT troubleshooting.
Be aware that debug output does not show static NAT translations unless traffic is actively being translated.
Common Mistakes
Leaving debug enabled after troubleshooting, causing router performance degradation or a crash.
Confusing the source and destination fields: 's=' is always the original source before translation, 'd=' is the original destination.
Using debug ip nat without first verifying the NAT configuration (show ip nat translations), which leads to no output and wasted time.
Related Commands
clear ip nat translation *
Clears all dynamic NAT translations from the translation table, forcing the router to rebuild translations for new traffic.
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.