Debug command (Privileged EXEC mode)

debug ip nat detailed

Use this command to enable detailed debugging of NAT translations, showing packet-by-packet translation details including inside/outside addresses and port numbers, typically for troubleshooting NAT issues.

Syntax (Privileged EXEC)
debug ip nat detailed

When to Use This Command

  • Troubleshooting why internal hosts cannot access the internet through NAT
  • Verifying that NAT translations are occurring correctly for specific traffic flows
  • Diagnosing asymmetric routing or NAT pool exhaustion issues
  • Investigating port address translation (PAT) behavior for multiple internal hosts

Command Examples

Basic debug ip nat detailed output

debug ip nat detailed
NAT: s=192.168.1.10->10.0.0.1, d=8.8.8.8 [12345]
NAT: s=8.8.8.8, d=10.0.0.1->192.168.1.10 [54321]
NAT: s=192.168.1.10->10.0.0.1, d=8.8.8.8 [12346]
NAT: s=8.8.8.8, d=10.0.0.1->192.168.1.10 [54322]

Each line shows one NAT translation event: 's=' is the source address, 'd=' is the destination address, and the arrow marks the field that was rewritten and the direction of the rewrite. For outbound traffic the inside local address (192.168.1.10) is translated to the inside global address (10.0.0.1); for inbound replies the reverse happens on the destination field. The number in brackets is the packet's IP identification number, which lets you match a request with its reply.

Debug with ACL filter

debug ip nat 100 detailed
NAT: s=192.168.1.10->10.0.0.1, d=8.8.8.8 [12345]
NAT: s=8.8.8.8, d=10.0.0.1->192.168.1.10 [54321]

Supplying access list 100 limits the debug output to packets that match the ACL, which cuts the noise when you are troubleshooting one traffic flow. Note that IOS expects the access list before the detailed keyword (debug ip nat [access-list] [detailed]).

Understanding the Output

The debug output shows each packet that undergoes NAT translation. Each line begins with 'NAT:' followed by the translation details. For outbound traffic, the source address changes from inside local to inside global (s=192.168.1.10->10.0.0.1). For inbound replies, the destination address changes from inside global to inside local (d=10.0.0.1->192.168.1.10). The packet ID in brackets helps match request and reply. If you see 'NAT: translation failed' or no output when traffic is flowing, check NAT configuration and ACLs. Excessive output may indicate a misconfiguration or attack.
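The two output sections above describe a fixed line format, so the natural companion is a small parser that turns captured debug lines into structured events and applies the checks a troubleshooter actually wants: are replies coming back for each outbound flow, and does every inside global address belong to the expected NAT pool? The following Python is an added example written for this page; it is not Cisco code and not part of the original article. It assumes the line layout shown above ('NAT: s=..., d=... [id]'), and the sample lines, the expected pool address and the two extra hosts (192.168.1.20, 192.168.1.30) are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the line layout shown on this page (an assumption; other IOS releases
# print additional fields):
#   NAT: s=<src>[-><translated src>], d=<dst>[-><translated dst>] [<ip id>]
LINE_RE = re.compile(
    r"^NAT:\s+s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?,\s+"
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))?\s+\[(?P<id>\d+)\]$"
)


@dataclass
class NatEvent:
    direction: str      # "outbound" (source rewritten) or "inbound" (destination rewritten)
    inside_local: str   # the private address behind the NAT router
    inside_global: str  # the public address it was translated to
    outside: str        # the remote peer
    packet_id: int      # IP identification number from the brackets


def parse_line(line: str) -> Optional[NatEvent]:
    """Return a NatEvent for one debug line, or None for lines that are not translations."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["s_xlat"]:   # arrow on the source field: inside local -> inside global
        return NatEvent("outbound", m["s"], m["s_xlat"], m["d"], int(m["id"]))
    if m["d_xlat"]:   # arrow on the destination field: inside global -> inside local
        return NatEvent("inbound", m["d_xlat"], m["d"], m["s"], int(m["id"]))
    return None


def analyze(lines, expected_pool):
    """Summarize a debug capture: hosts seen, outbound flows with no reply,
    and inside global addresses that are not in the configured pool."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    outbound = {(e.inside_local, e.outside) for e in events if e.direction == "outbound"}
    inbound = {(e.inside_local, e.outside) for e in events if e.direction == "inbound"}
    return {
        "events": len(events),
        "hosts": sorted({e.inside_local for e in events}),
        # Outbound seen but nothing translated back: the return path, not the
        # outbound translation, is where to look next.
        "no_reply": sorted(outbound - inbound),
        # A translation to an address outside the pool points at a misconfigured
        # pool or static entry and is worth investigating.
        "unexpected_global": sorted({e.inside_global for e in events
                                     if e.inside_global not in expected_pool}),
    }


# Constructed sample capture: the four lines from the page plus three extra lines.
SAMPLE_LINES = [
    "NAT: s=192.168.1.10->10.0.0.1, d=8.8.8.8 [12345]",
    "NAT: s=8.8.8.8, d=10.0.0.1->192.168.1.10 [54321]",
    "NAT: s=192.168.1.10->10.0.0.1, d=8.8.8.8 [12346]",
    "NAT: s=8.8.8.8, d=10.0.0.1->192.168.1.10 [54322]",
    "NAT: s=192.168.1.20->10.0.0.1, d=1.1.1.1 [777]",   # outbound, no reply captured
    "NAT: s=192.168.1.30->10.0.0.9, d=9.9.9.9 [778]",   # translated to an address not in the pool
    "Some other console message that is not a NAT line",
]

EXPECTED_POOL = {"10.0.0.1"}  # constructed: the inside global address from the page's example


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES, EXPECTED_POOL).items():
        print(f"{key}: {value}")
```

Feed it a capture saved from the console (for example the output of 'terminal monitor' piped to a file) and compare 'no_reply' with the hosts that are reporting a problem; a host that appears only in outbound lines is being translated correctly, so the fault lies on the return path or in the outside routing rather than in the NAT statement.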

CCNA Exam Tips

1. The CCNA exam may ask which command shows NAT translations in real time; 'debug ip nat detailed' is the answer.

2. Remember that debug commands are CPU-intensive; always use them with caution and turn them off with 'undebug all'.

3. The exam might test that 'debug ip nat detailed' shows the inside local to inside global mapping.

4. Be aware that ACL filtering can be applied to the debug to limit output to specific traffic.

Common Mistakes

  • Leaving debug enabled after troubleshooting, causing high CPU usage and a potential router crash.
  • Confusing 'debug ip nat' (summary) with 'debug ip nat detailed' (packet-level).
  • Forgetting to use an access list to filter the debug output, resulting in overwhelming console messages.

Related Commands
