The ip nat log translations syslog command starts NAT logging: every NAT translation created on the router is logged in syslog (which can be sent to the console, a syslog host or the internal buffer). You could use this command as a poor man’s reporting tool if you have to monitor the address translations on your edge routers (for example, due to security policy or auditing requirements). Obviously you should configure no logging console first in a production environment; otherwise your router will hang a few moments after you’ve enabled NAT logging.
The logging printouts include:
- layer-4 protocol;
- inside local and global addresses and port numbers;
- outside local and global addresses and port numbers.
For example, the following messages were logged when an inside host 10.0.0.1 tried to access a web server at the IP address 192.168.0.1. The inside source address 10.0.0.1 was translated through a NAT pool (configured with the ip nat inside source list ACL pool POOL command) into 10.17.3.32, and the inside destination address 192.168.0.1 was translated into the outside destination address 10.17.3.2 (configured with the ip nat outside source static command).
12:17:12.503: %IPNAT-6-NAT_CREATED: Created tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80
12:18:47.751: %IPNAT-6-NAT_DELETED: Deleted tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80
Does it sound weird to specify the destination address translation with the ip nat outside source configuration command? It does to me …
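For the auditing use case mentioned above, the logged messages can be turned into per-translation records. The following Python sketch is an added example, not part of the original post: it parses the two message types shown above and pairs each NAT_CREATED with its NAT_DELETED to report how long the translation existed. The function and field names are my own, and it assumes the time-of-day timestamp format seen in the sample messages.

```python
import re
from datetime import datetime

# Constructed sample: the two messages shown above plus an unrelated syslog line.
SAMPLE = """\
12:17:12.503: %IPNAT-6-NAT_CREATED: Created tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80
12:17:40.010: %SYS-5-CONFIG_I: Configured from console by console
12:18:47.751: %IPNAT-6-NAT_DELETED: Deleted tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80
"""

# Field order follows the list above: protocol, inside local/global, outside local/global.
FIELDS = ("proto", "inside_local", "inside_global", "outside_local", "outside_global")
EP = r"\d{1,3}(?:\.\d{1,3}){3}:\d+"  # address:port
NAT_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d{3}): %IPNAT-6-NAT_(?P<event>CREATED|DELETED): \w+ "
    rf"(?P<proto>\S+) (?P<inside_local>{EP}) (?P<inside_global>{EP}) "
    rf"(?P<outside_local>{EP}) (?P<outside_global>{EP})\s*$"
)

def parse_line(line):
    """Return a dict for a NAT log message, or None for any other line."""
    m = NAT_RE.search(line)  # search(): a syslog host may prepend its own header
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    return rec

def translation_lifetimes(lines):
    """Pair NAT_CREATED with NAT_DELETED; return (closed records, still-open entries)."""
    open_entries, closed = {}, []
    for rec in filter(None, map(parse_line, lines)):
        key = tuple(rec[f] for f in FIELDS)
        if rec["event"] == "CREATED":
            open_entries[key] = rec["ts"]
        elif key in open_entries:
            secs = (rec["ts"] - open_entries.pop(key)).total_seconds()
            # Timestamps carry no date, so a negative delta means midnight passed
            # (assumes no translation lives longer than 24 hours).
            closed.append({**dict(zip(FIELDS, key)), "seconds": round(secs % 86400, 3)})
    return closed, open_entries

if __name__ == "__main__":
    done, pending = translation_lifetimes(SAMPLE.splitlines())
    for rec in done:
        print(rec)
    print("translations still open:", len(pending))
```

Entries left in the second return value are translations that were created but not yet deleted within the captured log window.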