Difficulty: Medium
Correct Answer: show ip nat statistics
Explanation:
Introduction / Context:
When NAT does not appear to be working, you need to quickly determine whether the NAT pool is configured correctly and whether inside hosts are actually using that pool. Cisco provides several show commands for NAT, each focusing on different aspects such as individual translations, overall statistics or pool utilisation. Choosing the right command can make troubleshooting much faster and more effective.
Given Data / Assumptions:
Concept / Approach:
The show ip nat translations command lists current translation entries, but if no translations have been created yet the table may be empty, and an empty table does not explain why. The show ip nat statistics command provides a summary that includes information about the configured pools, how many addresses are in each, how many have been allocated and whether overload is enabled. This command is ideal for confirming that inside globals are permitted to use the defined NAT pool and for checking overall NAT status.
Step-by-Step Solution:
Recognise that you need an overview that connects the NAT pool to its usage, not just individual translation entries.
The debug ip nat command can show real time activity but can be noisy and may not show anything if traffic is not yet flowing; it is better used after initial sanity checks.
Show access-list can confirm whether ACL 100 is matching packets, but it does not directly tell you whether the pool Corp is being utilised.
Show ip nat translation shows existing translations but not whether the pool is healthy if there are no active flows.
Show ip nat statistics displays pool Corp, the address range, the total and used addresses and information about overload, making it the best command to verify whether inside globals are configured to use the pool.
Verification / Alternative check:
When you run show ip nat statistics on a router with the given configuration, the output will list something like pool Corp, the range 198.18.41.129 to 198.18.41.134 and netmask 255.255.255.248, and may show figures for addresses in use and out of use. It will also show the number of dynamic translations and whether there is an overload configuration. This summary confirms that the pool exists, that its size is correct and that the router will use it for translations matching ACL 100.
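The verification step above can be scripted. This is an added example, not part of the original explanation: the sample output is constructed (interface names and counters are invented, and the layout is assumed to follow typical IOS output, which can vary by release), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on typical IOS "show ip nat statistics" output;
# interface names and counters are invented and the layout can vary by release.
SAMPLE = """\
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 42  Misses: 3
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 pool Corp refcount 1
 pool Corp: netmask 255.255.255.248
        start 198.18.41.129 end 198.18.41.134
        type generic, total addresses 6, allocated 1 (16%), misses 0
"""

BINDING = re.compile(r"access-list (\S+) pool (\S+)")
POOL = re.compile(r"pool (\S+): netmask (\S+)\s+start (\S+) end (\S+)\s+"
                  r"type \w+, total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)")

def parse_nat_statistics(text):
    """Return {'bindings': {acl: pool}, 'pools': {name: details}}."""
    bindings = {m.group(1): m.group(2) for m in BINDING.finditer(text)}
    pools = {}
    for name, mask, start, end, total, used, misses in POOL.findall(text):
        pools[name] = {"netmask": mask, "start": start, "end": end,
                       "total": int(total), "allocated": int(used), "misses": int(misses)}
    return {"bindings": bindings, "pools": pools}

def check_pool(text, acl, pool):
    """List the problems found for one ACL-to-pool rule (empty list = healthy)."""
    stats = parse_nat_statistics(text)
    problems = []
    if stats["bindings"].get(acl) != pool:
        problems.append(f"access-list {acl} is not bound to pool {pool}")
    info = stats["pools"].get(pool)
    if info is None:
        problems.append(f"pool {pool} not present in output")
    elif info["allocated"] >= info["total"] or info["misses"] > 0:
        problems.append(f"pool {pool} exhausted: {info['allocated']}/{info['total']} "
                        f"allocated, {info['misses']} misses")
    return problems

if __name__ == "__main__":
    print(check_pool(SAMPLE, "100", "Corp") or "pool Corp is bound to ACL 100 and has free addresses")
```

An empty result means ACL 100 is bound to pool Corp and the pool still has free addresses; a non-zero pool misses counter or a fully allocated pool is reported as exhaustion.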
Why Other Options Are Wrong:
Option a, debug ip nat, is useful after you have verified basic configuration, but on its own it does not summarise pool definitions and can generate a lot of output that may be hard to interpret at first glance.
Option b, show access-list, can be very helpful to verify whether ACL 100 is matching traffic, but it does not display anything about the NAT pool or overload configuration.
Option c, show ip nat translation, is excellent for seeing specific inside local to inside global mappings but might be empty and therefore not informative until traffic flows correctly.
Option e, show running-config nat, is not a standard command; you would instead use show running-config and manually inspect the NAT section, which is slower than using purpose built show commands.
Common Pitfalls:
A common mistake is to jump straight into debug commands without first confirming that the basic NAT definitions and ACLs are correct. Show ip nat statistics offers a safe, low impact way to verify configuration and usage before resorting to more intrusive debugging. Combining this with show access-list and show ip nat translations forms a powerful troubleshooting trio.
Final Answer:
To verify that inside globals are allowed to use the NAT pool and to see pool usage, you should use show ip nat statistics.