11-29-2008 08:16 AM - edited 03-06-2019 02:43 AM
Hi,
On a 'show nat' display, what does untranslate_hits mean as opposed to translate_hits?
Thanks.
11-29-2008 08:27 AM
translate_hits = counter for real to mapped IP addresses
untranslate_hits = counter for mapped to real IP addresses
In other words NAT is a 2 way process.
real IP = 192.168.5.10
Natted IP = 195.177.12.1
translate hit is when 192.168.5.10 is changed to 195.177.12.1
untranslate hit is when 195.177.12.1 is changed back to 192.168.5.10
Jon
11-29-2008 09:32 AM
In my scenario, I have noticed that the translate_hits are zero and untranslate_hits is non-zero. Is this possible? I am hitting the real IP from the internet.
11-29-2008 09:58 AM
Actually, yes, it is possible, and I may have been a little imprecise in my previous answer. From the Cisco command reference for ASA:
counters-translate_hits provide counters for real to mapped address conversion and untranslate_hits provide counters for mapped to real address conversion
So even though NAT is a 2 way process, I'm not sure what you are seeing with the counters is the 2 way conversion. An example might help:
static (inside,outside) 195.177.12.1 192.168.5.1 netmask 255.255.255.255
If the connection is initiated from the inside host 192.168.5.1, I believe you will see this as a translate_hit because it is a real to mapped IP address translation.
If the connection is initiated from the outside to the 195.177.12.1 address, I believe you will see this as an untranslate_hit because this is a mapped IP to real translation.
So I don't believe that for a connection you will get both a translate_hit and an untranslate_hit; rather, I think it registers as either one or the other depending on which side the connection was initiated from.
Unfortunately I don't have an ASA to test this with, but it would account for the uneven counters in your output.
Jon
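The counter pattern discussed in this thread, as an added example that is not part of the original posts: a short Python script that parses 'show nat'-style text and labels each rule by which of its two counters are non-zero. The sample output is constructed, its layout (indented rule lines followed by a counters line) is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample, laid out like pre-8.3 ASA 'show nat' output (assumed
# layout). The first rule reuses the static mapping from the thread.
SAMPLE = """\
NAT policies on Interface inside:
  match ip inside host 192.168.5.1 outside any
    static translation to 195.177.12.1
    translate_hits = 0, untranslate_hits = 412
  match ip inside 192.168.5.0 255.255.255.0 outside any
    dynamic translation to pool 1 (195.177.12.2)
    translate_hits = 9031, untranslate_hits = 17
  match ip inside host 192.168.5.20 dmz any
    static translation to 192.168.5.20
    translate_hits = 0, untranslate_hits = 0
"""

# \b keeps the first group from matching inside "untranslate_hits".
COUNTERS = re.compile(
    r"\btranslate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")

def parse_show_nat(text):
    """Return one dict per rule: description, translate_hits, untranslate_hits."""
    rules, desc = [], []
    for line in text.splitlines():
        m = COUNTERS.search(line)
        if m:  # a counters line closes the rule described by the lines before it
            rules.append({"rule": " / ".join(desc) or "(no description)",
                          "translate_hits": int(m.group(1)),
                          "untranslate_hits": int(m.group(2))})
            desc = []
        elif line[:1].isspace():
            desc.append(line.strip())  # indented: part of the current rule
        else:
            desc = []                  # unindented or blank: section header
    return rules

def direction(rule):
    """Label a rule by which of its two counters are non-zero."""
    t, u = rule["translate_hits"] > 0, rule["untranslate_hits"] > 0
    return {(False, False): "unused", (False, True): "mapped-to-real only",
            (True, False): "real-to-mapped only", (True, True): "both"}[(t, u)]

def report(text):
    return [(r["rule"], direction(r)) for r in parse_show_nat(text)]

if __name__ == "__main__":
    for rule, label in report(SAMPLE):
        print(f"{label:20} {rule}")
```

A rule labelled "mapped-to-real only" matches the case asked about above (translate_hits zero, untranslate_hits non-zero), and "unused" rules are candidates for review.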
11-29-2008 10:35 AM
Yup that answers my query.
08-17-2022 08:09 AM
So complex to be exact without more information; I can just imagine a scenario where the real IP needs to go out as another "mapped" but not be contacted from "outside traffic".