Using debug ip nat to Trace Why Traffic Is Not Being Translated
Presenting Symptom
Internal hosts can access the internet but external hosts cannot initiate connections to internal servers, and 'show ip nat translations' shows no entries for the expected traffic.
Network Context
A small branch office with a Cisco 4321 router running IOS XE 16.9. The router connects the internal LAN (192.168.1.0/24) to the ISP via a single public IP (203.0.113.1/30). NAT overload (PAT) on the outside interface is configured for outbound traffic, and static NAT is configured to map the internal web server (192.168.1.10) to the public IP. The problem occurs when external users try to reach the web server.
Diagnostic Steps
Verify NAT configuration
show running-config | include ip nat
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0/0 80
Check that both dynamic PAT and static NAT are configured. Look for missing or incorrect ACL, interface, or protocol/port.
Check NAT translations
show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                ---                ---
If no translations appear for the static NAT, the static entry may not be triggered. For PAT, translations appear only when inside hosts initiate traffic. For static NAT, the entry should always appear (even if idle). If missing, the static NAT is not configured correctly.
Enable debug ip nat to trace translation attempts
debug ip nat detailed
NAT: i = [192.168.1.10:80] -> [203.0.113.1:80] (static)
NAT: s = [203.0.113.2:12345] -> [192.168.1.10:80] (static)
Look for 'NAT: i' (inside to outside) and 'NAT: s' (outside to inside) messages. If you see 'NAT: i' but no 'NAT: s', the return traffic is not being translated. If you see no debug output at all, the traffic is not reaching the router or NAT is not enabled on the correct interfaces.
Verify NAT interfaces
show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  GigabitEthernet0/0/1
Hits: 0  Misses: 0
Check that the inside and outside interfaces are correctly assigned. If the inside interface is missing, NAT will not process traffic from that interface. Also check 'Hits' and 'Misses' – if hits are 0, no traffic is being NATed.
Root Cause
The 'ip nat inside' command is missing on the inside interface (GigabitEthernet0/0/1). Without this, the router does not consider traffic from the LAN as 'inside' traffic for NAT, so static NAT entries are never triggered and dynamic PAT does not translate outbound traffic.
Resolution
Verification
After applying the fix, verify with:
show ip nat translations
Expected output should show the static NAT entry:
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:80     192.168.1.10:80    ---                ---
Also test connectivity from an external host to the public IP on port 80 – it should succeed.
Prevention
1. Always configure 'ip nat inside' and 'ip nat outside' on the correct interfaces as part of the initial NAT setup.
2. Use 'show ip nat statistics' after configuration to verify interface assignments.
3. Implement a configuration template or script to ensure no step is missed.
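As an added example (not part of the original scenario), a short Python audit that applies the prevention steps to a saved running-config: it records which interfaces carry 'ip nat inside' or 'ip nat outside', checks that every NAT rule points at an outside interface, and flags this scenario's root cause, a NAT rule set with no inside interface. The config text and the function names are constructed for this illustration.

```python
import re

# Constructed sample running-config fragment (not captured from the page's router):
# the NAT rules are present and Gi0/0/0 is marked outside, but 'ip nat inside'
# is missing from the LAN interface Gi0/0/1, exactly the root cause above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0/0 80
"""

def parse_nat_roles(config):
    """Map interface name -> 'inside' | 'outside' from the interface blocks."""
    roles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^\s+ip nat (inside|outside)\s*$", line):
            roles[current] = line.split()[-1]
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the interface block

    return roles

def audit_nat(config):
    """Return a list of findings; an empty list means the NAT roles are consistent."""
    roles = parse_nat_roles(config)
    findings = []
    if "inside" not in roles.values():
        findings.append("no interface has 'ip nat inside'; NAT never sees LAN traffic")
    if "outside" not in roles.values():
        findings.append("no interface has 'ip nat outside'")
    # Each 'ip nat inside source ... interface X' rule must name an outside interface.
    for m in re.finditer(r"^ip nat inside source .*?interface (\S+)", config, re.M):
        if roles.get(m.group(1)) != "outside":
            findings.append(f"NAT rule references {m.group(1)} but it is not 'ip nat outside'")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of 'show running-config' before the router goes into service, or from a change-management pipeline, so a missing interface role is caught before external users report the symptom.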
CCNA Exam Relevance
On the CCNA 200-301 exam, NAT troubleshooting scenarios often appear as multiple-choice questions or drag-and-drop where you must identify missing interface commands. The exam tests your ability to interpret 'show ip nat translations' and 'debug ip nat' output to pinpoint misconfigurations like missing 'ip nat inside' or incorrect ACLs.
Exam Tips
Memorize that 'ip nat inside' and 'ip nat outside' must be configured on the respective interfaces – this is a common oversight.
Remember that static NAT entries always appear in 'show ip nat translations' even if no traffic is flowing; if missing, the static NAT configuration is incomplete.
Know that 'debug ip nat detailed' shows translation attempts; if no output appears, the traffic is not reaching the router or NAT is not enabled on the interface.
Commands Used in This Scenario
debug ip nat detailed
Use this command to enable detailed debugging of NAT translations, showing packet-by-packet translation details including inside/outside addresses and port numbers, typically for troubleshooting NAT issues.
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.