NAT translation logging

The ip nat log translations syslog command starts NAT logging: every NAT translation created on the router is logged through syslog (which can be sent to the console, a syslog host or the internal logging buffer). You could use this command as a poor man’s reporting tool if you have to monitor the address translations on your edge routers (for example, due to security policy or auditing requirements). Obviously you should configure no logging console first in a production environment; otherwise your router will hang a few moments after you’ve enabled NAT logging.

The logging printouts include:

  • layer-4 protocol;
  • inside local and global addresses and port numbers;
  • outside local and global addresses and port numbers.

For example, the following messages were logged when the inside host 10.0.0.1 tried to access a web server at the IP address 192.168.0.1. The inside source address 10.0.0.1 was translated through a NAT pool (configured with the ip nat inside source list ACL pool POOL command) into the inside global address 10.17.3.32, and the destination address 192.168.0.1 (the outside local address) was translated into the outside global address 10.17.3.2 (configured with the ip nat outside source static command).

12:17:12.503: %IPNAT-6-NAT_CREATED: Created tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80
12:18:47.751: %IPNAT-6-NAT_DELETED: Deleted tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80

Does it sound weird to specify the destination address translation with the ip nat outside source configuration command? It does to me …
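The messages above carry all four address:port pairs, which is enough to answer the audit question the post is about: which inside host held a given inside global address:port at a given time? As an added example (not from the original post or from Cisco), here is a Python parser for these syslog lines that pairs NAT_CREATED with NAT_DELETED, drops DNS translations (the noise source raised in the comments) and looks up the inside local host behind an inside global address. The sample log lines are constructed in the post's format, and the time-of-day timestamps are assumed to fall on one day.

```python
import re
# Field order in the message: <proto> <inside-local> <inside-global> <outside-local> <outside-global>
NAT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?): %IPNAT-6-NAT_(?P<event>CREATED|DELETED): "
    r"\w+ (?P<proto>\w+) (?P<il>[\d.]+):(?P<ilp>\d+) (?P<ig>[\d.]+):(?P<igp>\d+) "
    r"(?P<ol>[\d.]+):(?P<olp>\d+) (?P<og>[\d.]+):(?P<ogp>\d+)$")

# Constructed sample log: the two messages from the post, a DNS lookup, and a later
# session that reuses the same inside-global address:port (10.17.3.32:1024).
SAMPLE_LOG = [
    "12:17:12.503: %IPNAT-6-NAT_CREATED: Created tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80",
    "12:17:13.010: %IPNAT-6-NAT_CREATED: Created udp 10.0.0.2:51000 10.17.3.32:1025 192.168.0.1:53 10.17.3.2:53",
    "12:17:13.210: %IPNAT-6-NAT_DELETED: Deleted udp 10.0.0.2:51000 10.17.3.32:1025 192.168.0.1:53 10.17.3.2:53",
    "12:18:47.751: %IPNAT-6-NAT_DELETED: Deleted tcp 10.0.0.1:43800 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80",
    "12:20:01.000: %IPNAT-6-NAT_CREATED: Created tcp 10.0.0.7:40000 10.17.3.32:1024 192.168.0.1:80 10.17.3.2:80",
]

def _secs(ts):
    """HH:MM:SS[.mmm] time-of-day to seconds (the log line carries no date)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_nat_line(line):
    """Fields of one NAT_CREATED/NAT_DELETED message as a dict, or None if not one."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d.update({k: int(d[k]) for k in ("ilp", "igp", "olp", "ogp")})
    d["secs"] = _secs(d.pop("ts"))
    return d

def build_sessions(lines, skip_ports=(53,)):
    """Pair each CREATED with its DELETED message into one session record; translations
    to an outside-global port in skip_ports (DNS by default) are dropped, and a CREATED
    with no DELETED yet is reported with end=None."""
    open_, done = {}, []
    for line in lines:
        d = parse_nat_line(line)
        if d is None or d["ogp"] in skip_ports:
            continue
        key = tuple(d[k] for k in ("proto", "il", "ilp", "ig", "igp", "ol", "olp", "og", "ogp"))
        if d["event"] == "CREATED":
            open_[key] = d["secs"]
        elif key in open_:
            done.append({"key": key, "start": open_.pop(key), "end": d["secs"]})
    done.extend({"key": k, "start": t, "end": None} for k, t in open_.items())
    return done

def who_used(sessions, inside_global, port, at):
    """Abuse-complaint lookup: (inside-local, port) pairs holding inside_global:port at time-of-day 'at'."""
    t = _secs(at)
    return [(s["key"][1], s["key"][2]) for s in sessions
            if s["key"][3] == inside_global and s["key"][4] == port
            and s["start"] <= t and (s["end"] is None or t <= s["end"])]
```

On a real deployment the lines would come from the syslog host rather than a list, and the date would have to be taken from the syslog header or from service timestamps log datetime on the router.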

7 comments:

  1. This post comes at the perfect moment for me... currently working some NAT issues and it's very helpful. Thanks!

    I couldn't agree more with you regarding the config of destination address translation using the "ip nat outside source" command. Far from intuitive!

    I'm currently testing whether such syntax will work for sessions being initiated from the *inside*. I have a situation where this is not working, although it is under some very particular circumstances.
  2. Not to raise a dead topic, but I'm doing a bit of research and we're trying to use "ip nat log translation flow-export" on an ASR1004. Unfortunately, it looks like the NetFlow only contains inside-local and outside-global ... missing the inside-global value(s) that might be necessary to track down the NAT source of an abuse complaint (like Wikipedia vandalism, for one). Anyone know if this is simply my configuration (and I can log that inside-global value in the NetFlow record) or if this is another IOS-XE wackiness?
  3. We are logging NAT with the ip nat translations command for a VRF, and we noticed that 8% of the logging messages are DNS. Is there a way for us to filter DNS from being logged via the NAT translations?
  4. CORRECTION:
    I meant to say that 80% of the logging messages are DNS, not 8%... thanks...

    We are logging NAT with the ip nat translations command for a VRF, and we noticed that 80% of the logging messages are DNS. Is there a way for us to filter DNS from being logged via the NAT translations?
  5. You can write syslog filters in Tcl - read the Embedded Syslog Manager (ESM) documentation.
  6. I want to know whether the Cisco ASA 5520 supports this command "ip nat log translations syslog". If yes, how do I configure it?
  7. Quite an old post, anyway...

    ...it seems that translations logging is totally broken when using NVI-based NAT.

    In the logged entry, only the "protocol" field (tcp, udp, etc.) is correctly assigned: all the address:port fields are logged as 0.0.0.0:0 -- Tested on IOS 15.1(4)M12a.

    Can someone confirm this? Any known workaround?