show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.
When to Use This Command
- Verify that internal hosts are being translated to the correct public IP addresses when accessing the internet.
- Troubleshoot why a specific host cannot reach external resources by checking if its NAT entry exists.
- Monitor the number of active translations to ensure NAT pools are not exhausted.
- Identify stale or incomplete translations that may be causing asymmetric routing or connectivity drops.
Command Examples
Basic NAT translation display
show ip nat translations
Pro Inside global       Inside local      Outside local      Outside global
--- 192.168.1.10:1024   10.0.0.10:1024    203.0.113.5:80     203.0.113.5:80
--- 192.168.1.11:2048   10.0.0.11:2048    198.51.100.2:443   198.51.100.2:443
--- 192.168.1.12:3072   10.0.0.12:3072    203.0.113.5:80     203.0.113.5:80
Each row shows a translation entry. 'Pro' indicates protocol (TCP/UDP) but is blank here. 'Inside global' is the translated public IP:port. 'Inside local' is the original private IP:port. 'Outside local' and 'Outside global' are typically the same for outbound NAT (destination IP:port).
Verbose NAT translation display
show ip nat translations verbose
Pro Inside global       Inside local      Outside local      Outside global
tcp 192.168.1.10:1024   10.0.0.10:1024    203.0.113.5:80     203.0.113.5:80
    create 00:01:30, use 00:00:15, timeout: 86400, left 23:59:45
    Map-Id(In): 1, Mac-Address: 0000.0000.0000
    Input-IDB: GigabitEthernet0/0, Output-IDB: GigabitEthernet0/1
tcp 192.168.1.11:2048   10.0.0.11:2048    198.51.100.2:443   198.51.100.2:443
    create 00:05:00, use 00:02:00, timeout: 86400, left 23:55:00
    Map-Id(In): 1, Mac-Address: 0000.0000.0000
    Input-IDB: GigabitEthernet0/0, Output-IDB: GigabitEthernet0/1
Verbose output adds timing and interface details. 'create' shows time since translation was created, 'use' shows time since last used. 'timeout' is the idle timeout (default 86400 seconds for TCP). 'left' is remaining time before timeout. 'Map-Id' references the NAT rule. 'Input-IDB' and 'Output-IDB' show ingress and egress interfaces.
Understanding the Output
The command output lists all active NAT translations in a table format. The 'Pro' column shows the protocol (TCP, UDP, or blank for ICMP). 'Inside global' is the translated IP address and port as seen on the outside network. 'Inside local' is the original private IP and port of the internal host. 'Outside local' and 'Outside global' are typically identical for outbound NAT, representing the destination IP and port. In more complex scenarios like destination NAT or hairpinning, these may differ. A healthy network will show translations for active sessions; missing entries indicate no translation is occurring. Excessive translations may indicate a DoS attack or misconfiguration. Stale entries (old 'create' time with recent 'use' time) are normal; entries with old 'use' time may be idle and will time out. In verbose mode, additional details like timers, map IDs, and interfaces help pinpoint which NAT rule is being used and on which interfaces.
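An added example, not part of the original page or of any Cisco tooling: a Python parser for output in the column layout described above. It counts translations per inside local host, flags hosts above a limit, and lists inside global addresses shared by several hosts (PAT). The sample text, function names and threshold are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
import re

# Constructed sample in the column layout shown on this page (not from a real device).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.1.10:1024  10.0.0.10:1024     203.0.113.5:80     203.0.113.5:80
tcp 192.168.1.10:1025  10.0.0.10:1025     203.0.113.5:80     203.0.113.5:80
tcp 192.168.1.10:1026  10.0.0.10:1026     198.51.100.2:443   198.51.100.2:443
udp 192.168.1.10:2048  10.0.0.11:2048     198.51.100.2:53    198.51.100.2:53
--- 192.168.1.12:3072  10.0.0.12:3072     203.0.113.5:80     203.0.113.5:80
"""

# IPv4 address with an optional :port suffix.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")

def parse_translations(text):
    """Return one dict per translation row; header and verbose detail lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header (9 tokens), blank lines, 'create ...' / 'Map-Id ...' lines
        inside = [ENDPOINT.match(f) for f in fields[1:3]]
        if not all(inside):
            continue  # five tokens, but not an address pair
        entries.append({"pro": None if fields[0] == "---" else fields[0],
                        "inside_global": inside[0].group(1),
                        "inside_local": inside[1].group(1),
                        "outside_global": fields[4]})
    return entries

def translations_per_host(entries):
    """Count active translations per inside local (real host) address."""
    return Counter(e["inside_local"] for e in entries)

def busy_hosts(entries, threshold):
    """Hosts holding more than `threshold` translations (threshold is a site-chosen value)."""
    return sorted(h for h, n in translations_per_host(entries).items() if n > threshold)

def shared_globals(entries):
    """Inside global addresses used by more than one inside local host (PAT overload)."""
    users = defaultdict(set)
    for e in entries:
        users[e["inside_global"]].add(e["inside_local"])
    return {g: sorted(h) for g, h in users.items() if len(h) > 1}

if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(len(rows), busy_hosts(rows, 2), shared_globals(rows))
```

A host that dominates the per-host count is the first place to look when the table grows unexpectedly; compare the total with 'show ip nat statistics' before drawing conclusions.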
CCNA Exam Tips
CCNA exam tip: Remember that 'show ip nat translations' shows only dynamic translations; static NAT entries appear only when traffic flows.
CCNA exam tip: The 'Inside global' address is the one that appears in packet captures on the outside; the 'Inside local' is the real host IP.
CCNA exam tip: If you see no translations but hosts can't reach the internet, check NAT configuration with 'show ip nat statistics'.
CCNA exam tip: For PAT (overload), multiple inside locals share the same inside global IP but with different ports.
Common Mistakes
Mistake 1: Confusing 'Inside global' with 'Outside local' — remember 'Inside' refers to your network, 'Outside' to the remote.
Mistake 2: Forgetting that NAT translations are created only when traffic matches an ACL in the NAT configuration; no traffic = no output.
Mistake 3: Assuming the output shows all possible translations; entries time out after an idle period (default 24 hours for TCP, 1 minute for UDP).
Related Commands
clear ip nat translation *
Clears all dynamic NAT translations from the translation table, forcing the router to rebuild translations for new traffic.
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.