Well,

   Since ip nat is accomplished through the use of access lists,
you can log the rule hits/misses or view the statistics on the number of
matches with _show access-lists_.  Logging can be used to analyze
traffic going through your access lists (and thus, nat'ed) so that you can
obtain more specific information.  I wouldn't recommend logging all your
filters, but picking one that you are curious about and logging that. I
don't believe there is an IOS command to show the statistics of a particular
rule beyond the number of times it was matched.

Since 11.3 logging can be used with standard access lists as well
as extended access lists.

Example:

(1) addresses you want nat'ed:      _access-list 1 permit 192.168.100.0 0.0.0.255 log_

(2) addresses to which you nat:     _ip nat pool nsub100 1.1.1.2 1.1.1.254 prefix 24_

(3) linking the two together:       _ip nat inside source list 1 pool nsub100_

(3) Translates packets from interfaces marked as inside (inside initiates
the NAT translation) that match rule (1), their respective ip source
address, to a random address (one that is available) in the range specified
in (2)

(3) also works in the opposite direction. It translates packets from
interfaces marked as outside, their respective ip destination address that
fits in the range specified in (2), and that was set up as a translation as
outlined above, until the NAT translation timeout timer expires.  This part
is first routed and then NATed, which means that if the destination address
isn't configured on an interface on the router, it will be looked up in the
routing table and will bypass NAT entirely.  If the destination address is
configured on an interface, it will then be passed to the NAT engine for
processing. This "feature" could be exploited (I mean used) to offload NAT
processing to multiple routers (by dividing (2) into subnets and using a
routing process).

In either case, coming in or going out, permitted or denied, the results are
logged (and sent to the console).

From EXEC mode:

_show access-lists 1_

OUTPUT:
access-list 1 permit 192.168.100.0 0.0.0.255 log (3 matches)
This will show you the configured access rules for 1 and the number
of times each rule was matched (rudimentary statistics) with
logging information going to the console (more elaborate statistics).

I hope I've answered your question, and perhaps enlightened you on the
inner workings of NAT a little bit more ;-)

(Of course you will need the requisite IOS feature pack loaded for any of
this to work)

ciao

Wayne A. Baety, A1C, USAF, MCSE
Network Operations Support, Kadena AB
[EMAIL PROTECTED]
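As an added example (not part of this post or of IOS), a short Python script that pulls the per-rule match counters out of _show access-lists_ output in the format quoted above and sums the logged packets per source address from the console log lines, which is the "more specific information" the counters alone don't give. The `%SEC-6-IPACCESSLOGS` line format is assumed here and all sample values are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of "show access-lists 1" output, in the format quoted in the post.
SHOW_ACCESS_LISTS = """\
access-list 1 permit 192.168.100.0 0.0.0.255 log (3 matches)
"""

# Constructed console log lines in the IOS standard-ACL log format (assumed here:
# "%SEC-6-IPACCESSLOGS: list <n> <permitted|denied> <src> <k> packet(s)").
ACL_LOG = """\
%SEC-6-IPACCESSLOGS: list 1 permitted 192.168.100.10 1 packet
%SEC-6-IPACCESSLOGS: list 1 permitted 192.168.100.20 1 packet
%SEC-6-IPACCESSLOGS: list 2 denied 10.0.0.5 1 packet
%SEC-6-IPACCESSLOGS: list 1 permitted 192.168.100.10 4 packets
"""

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (\S+).*?\((\d+) match")
LOG_RE = re.compile(r"list (\d+) (permitted|denied) (\S+) (\d+) packet")


def matches_rule(ip, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def rule_match_counts(show_output):
    """Per-rule hit counters from 'show access-lists': {(acl, action, net, wildcard): matches}."""
    counts = {}
    for m in ACL_RE.finditer(show_output):
        acl, action, net, wc, n = m.groups()
        counts[(int(acl), action, net, wc)] = int(n)
    return counts


def packets_per_source(log_text, acl):
    """Sum logged packets per source address for one ACL, the detail the counters lack."""
    totals = defaultdict(int)
    for m in LOG_RE.finditer(log_text):
        num, _action, src, pkts = m.groups()
        if int(num) == acl:
            totals[src] += int(pkts)
    return dict(totals)


if __name__ == "__main__":
    print(rule_match_counts(SHOW_ACCESS_LISTS))
    print(packets_per_source(ACL_LOG, 1))
```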



-----Original Message-----
From: Adam Wang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 21, 2001 7:20 AM
To: [EMAIL PROTECTED]
Subject: how to check statistics on a single nat entry


Hi group

How would I check statistics on a single nat entry
show ip nat statistics will give me the whole picture,
not individual entries.

Thanks

Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=748&t=748
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
