Monitoring Address Translations

Cisco ASA provides a rich set of show commands to monitor and troubleshoot issues related to address translation. The most important monitoring command is show xlate, which displays the real (local) address and the mapped (global) IP address assigned to a host. In Example 5-46, the security appliance is translating an inside host located at 192.168.10.10 to 209.165.200.225 using PAT. Cisco ASA translates the source port number from 11085 (local) to 1024 (global) before forwarding the packet to the egress interface. The security appliance also shows the maximum number of simultaneous translations (10) it has performed since the last reboot and the current active translations (1).

Example 5-46. Output of show xlate

Chicago(config)# show xlate
1 in use, 10 most used
PAT Global 209.165.200.225(1024) Local 192.168.10.10(11085)

Tip: You can add the debug option at the end of show xlate to display the interfaces that the translations are bound to.

The show local-host command can display the connection and translation statistics using a single command, as shown in Example 5-47. It displays the network states of each host on the local network. The TCP and UDP flow counts show the sessions passing through the security appliance from that particular host.

Example 5-47. Output of show local-host

Chicago# show local-host
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.10.10>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to (from) host = 0 (0)
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Xlate:
    PAT Global 209.165.200.225(1024) Local 192.168.10.10(11085)
  Conn:
    TCP out 209.165.200.240:23 in 192.168.10.10:11085 idle 0:00:13 bytes 87 flags UIO

Note: The show local-host all command can be used to see both the connections made to and from the security appliance and the connections made through the security appliance.
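The following is an added example, not part of the original text: a Python parser for saved show xlate output in the format of Example 5-46, which checks the "in use" counter against the entries captured and counts PAT slots per inside host. The function names, the per_host_limit threshold, and the extra sample entries are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of Example 5-46 (extra entries are made up).
SAMPLE = """\
Chicago(config)# show xlate
3 in use, 10 most used
PAT Global 209.165.200.225(1024) Local 192.168.10.10(11085)
PAT Global 209.165.200.225(1025) Local 192.168.10.10(11086)
PAT Global 209.165.200.225(1026) Local 192.168.10.11(3021)
"""

HEADER = re.compile(r"^(\d+) in use, (\d+) most used$")
PAT = re.compile(
    r"^PAT Global (\d+\.\d+\.\d+\.\d+)\((\d+)\) "
    r"Local (\d+\.\d+\.\d+\.\d+)\((\d+)\)$"
)

def parse_xlate(text):
    """Return (in_use, most_used, entries) from saved `show xlate` output."""
    in_use = most_used = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            in_use, most_used = int(m.group(1)), int(m.group(2))
        elif (m := PAT.match(line)):
            entries.append({
                "global_ip": m.group(1), "global_port": int(m.group(2)),
                "local_ip": m.group(3), "local_port": int(m.group(4)),
            })
    if in_use is None:
        raise ValueError("no 'N in use, M most used' header found")
    return in_use, most_used, entries

def summarize(text, per_host_limit=100):
    """Count PAT slots per inside host; flag hosts at or over the limit."""
    in_use, most_used, entries = parse_xlate(text)
    per_host = Counter(e["local_ip"] for e in entries)
    return {
        "in_use": in_use,
        "most_used": most_used,
        # False means the capture was truncated or holds non-PAT entries.
        "complete": in_use == len(entries),
        "per_host": dict(per_host),
        "over_limit": sorted(h for h, n in per_host.items() if n >= per_host_limit),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, per_host_limit=2))
```

A single inside host holding a large share of the PAT slots is worth correlating with its TCP and UDP flow counts in show local-host.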