that the packet has not been interfered with during transit. Not all encryption protocols have problems with NAT. In general, encryption services that operate at the application layer, such as Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG), are not affected by NAT routers. Encryption and tunneling protocols at OSI model layers 2 to 4, however, will usually not operate through a NAT router. These protocols often require that traffic be sourced from a specific UDP or TCP port, or they use a transport-layer protocol that NAT cannot process. Some examples of this are:

If encryption or tunneling protocols must be run through a NAT router, the network administrator can create a static NAT entry for the required port for a single IP address on the inside of the NAT router.

Common NAT misconfigurations
One of the more common NAT misconfigurations is forgetting that NAT affects both inbound and outbound traffic. An inexperienced network administrator might pre-configure a static NAT entry to redirect inbound traffic to a specific inside ‘backup’ host, so that if the primary system fails, traffic is automatically redirected to the backup system without the administrator having to do anything. That static NAT statement will also change the source address of traffic leaving that host, possibly resulting in an undesirable (and unexpected) set of behaviors. At best, this is likely to result in sub-optimal operation.

Misconfigured timers can also cause unexpected network behavior and suboptimal operation of dynamic NAT. If NAT timers are too short, entries in the NAT table may expire before replies are received, and the packets will be discarded. The intended traffic does not get through, and the lost packets generate retransmissions that consume more bandwidth. The NAT router log will also fill with errors about closed ports. If timers are too long, entries may stay in the NAT table longer than necessary, consuming the available connection pool. On particularly busy networks this may lead to memory problems on the router, and hosts may be unable to establish connections if the dynamic NAT table is full.

Web Links: Protocol Numbers, http://www.iana.org/assignments/protocol-numbers
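The two timer failure modes just described, played out in an added example that is not part of the course material: a toy dynamic PAT table in Python whose addresses, ports, pool size and timings are constructed values. With an idle timer shorter than the reply delay every reply is discarded; with a very long timer the small pool fills and new connections are refused.

```python
class NatTable:
    def __init__(self, pool, timeout):
        self.free = list(pool)      # unused (inside global ip, port) pairs
        self.timeout = timeout      # idle timer in seconds
        self.entries = {}           # inside local (ip, port) -> [inside global, last_seen]
        self.dropped_replies = 0    # inbound packets that matched no table entry
        self.refused = 0            # outbound flows refused because the pool was empty

    def _expire(self, now):
        # An entry idle for longer than the timer is removed and its port returned to the pool.
        for local, (glob, last) in list(self.entries.items()):
            if now - last > self.timeout:
                self.free.append(glob)
                del self.entries[local]

    def outbound(self, local, now):
        """Translate a packet from an inside host; returns the inside global address used."""
        self._expire(now)
        if local not in self.entries:
            if not self.free:
                self.refused += 1
                return None
            self.entries[local] = [self.free.pop(0), now]
        self.entries[local][1] = now
        return self.entries[local][0]

    def inbound(self, glob, now):
        """Translate a reply from outside; returns the inside local address, or None if dropped."""
        self._expire(now)
        for local, rec in self.entries.items():
            if rec[0] == glob:
                rec[1] = now
                return local
        self.dropped_replies += 1
        return None

def simulate(timeout, flows=10, reply_delay=2, pool_size=4):
    """One new connection per second from the constructed inside host 192.168.1.10,
    each answered reply_delay seconds later. Returns (replies dropped, connections refused)."""
    nat = NatTable([("203.0.113.1", 1024 + p) for p in range(pool_size)], timeout)
    pending = {}                    # reply time -> inside global address the reply goes to
    for t in range(flows + reply_delay + 1):
        if t in pending:            # the outside host's reply reaches the NAT router
            nat.inbound(pending.pop(t), now=t)
        if t < flows:               # the inside host opens a new connection
            glob = nat.outbound(("192.168.1.10", 50000 + t), now=t)
            if glob is not None:
                pending[t + reply_delay] = glob
    return nat.dropped_replies, nat.refused
```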
6.2 Troubleshooting Transport Layer Issues on the Router
6.2.5 Gathering information on NAT configuration and operation

show commands
There are two commands in the show ip nat group. The show ip nat statistics command displays statistics on static and dynamic translations on the router, as shown in Figure . The show ip nat translations command displays the NAT table currently in operation on the router, listing both static and dynamic NAT entries. The show ip nat translations command also accepts the optional keywords icmp, pptp, tcp and udp, which allow the network engineer to limit the type of entries displayed, and the verbose keyword, which displays additional information about the entries in the table.

debug commands
A range of debug commands is available for reporting on NAT traffic. A commonly used one is debug ip nat. The information this command displays can be limited to events for specific protocols and processes with the keywords h323, port, pptp, route, skinny, and detailed. Note that the debug command can also take a standard access list, limiting the information displayed by the debug process to traffic matching the permit statements in the ACL.

clear commands
When debugging NAT problems, it can be useful to reset NAT statistics or to clear the NAT table of any dynamic entries. Use the command clear ip nat statistics to reset the NAT traffic statistics counters. Use the command clear ip nat translations * to clear dynamic entries from the NAT table. Other keywords can be used when clearing the NAT table. The forced keyword clears all IP NAT translations even if they are currently in use. The inside keyword removes all inside addresses and ports from the table, while the outside keyword removes all outside addresses and ports. Using the tcp keyword only removes TCP-related entries. Using the udp keyword only removes UDP-related NAT entries.
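An added example (not from the course) that works with the table the show ip nat translations command prints: it parses constructed sample output in that layout, separates static from dynamic entries, and counts dynamic entries per protocol and per inside host, which is what an engineer needs to see whether a single host is consuming the dynamic pool.

```python
from collections import Counter

# Constructed sample in the layout of "show ip nat translations"; the last line is a static entry.
SHOW_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   192.168.1.10:51001 198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1025   192.168.1.10:51002 198.51.100.7:443   198.51.100.7:443
udp 203.0.113.5:1026   192.168.1.20:5353  198.51.100.9:53    198.51.100.9:53
icmp 203.0.113.5:512   192.168.1.20:512   198.51.100.9:512   198.51.100.9:512
--- 203.0.113.6        192.168.1.50       ---                ---
"""

def split_addr(field):
    """'ip:port' -> (ip, port); a bare address has port None; '---' -> None."""
    if field == "---":
        return None
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)

def parse_translations(text):
    """Return one dict per translation line, skipping the header and any prompt line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro": continue   # header, prompt or blank
        pro, ig, il, ol, og = parts
        entries.append({
            "proto": None if pro == "---" else pro,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
            "static": ol == "---",      # static entries have no outside side in the table
        })
    return entries

def summarize(entries, pool_size=None):
    """Count dynamic entries per protocol and per inside host; if the size of the
    dynamic address/port pool is known, report how much of it is in use."""
    dynamic = [e for e in entries if not e["static"]]
    report = {
        "static": len(entries) - len(dynamic),
        "dynamic": len(dynamic),
        "by_proto": dict(Counter(e["proto"] for e in dynamic)),
        "by_host": dict(Counter(e["inside_local"][0] for e in dynamic)),
    }
    if pool_size:
        report["pool_used_pct"] = round(100 * len(dynamic) / pool_size)
    return report
```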
6.2 Troubleshooting Transport Layer Issues on the Router
6.2.6 Other useful information

There is a range of other tools that can be used to help troubleshoot transport layer problems on network devices. These include:

Protocol analyzers
Protocol analyzers can be used to collect information on network operations from the data-link layer to the application layer. A good protocol analyzer gives a network engineer a source of information on network transactions at the transport layer. Protocol analyzers were discussed in Module 2.

Local system logging
Configuring buffered local system logging can also provide a rich source of information when troubleshooting network problems, and a local system log also provides historical information on past events. Logging on local systems is highly configurable and can capture general router events as well as other information of interest, such as debug messages. The system log buffer uses volatile memory and is cleared when the router is rebooted. Because of this, it is recommended that system log events also be redirected to an external system (discussed later in this section). To configure a router to keep its local log, use the following commands from global configuration mode:

Router(config)#logging on
Router(config)#logging buffered [buffer size] [logging level]

The first step is to ensure that system logging is enabled (note that local system logging is on by default). When configuring the logging buffer, set the size of the log buffer and the level of message to log. There are seven levels of logging, from 0 for emergency messages (indicating that the router is unusable) to 7 for debugging messages generated by engineer-configured debug commands. These levels are summarized in Figure .

The show logging command displays the state of Syslog error and event logging, including host addresses and whether console logging is enabled. This command also displays SNMP configuration parameters and protocol activity.

Cisco routers support the Syslog protocol for delivering system log messages to a centralized system. The Syslog protocol uses UDP port 514, making it a lightweight, fast, but unreliable delivery mechanism. Syslog servers are machines that listen on UDP port 514 and collate information from a number of sources (network devices) simultaneously. This information is stored in a central location, such as a database, from where it can be
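An added example, not from the course, that models the logging buffered [buffer size] [logging level] filter and the Syslog PRI header described above, using constructed IOS messages. The severity names and the default local7 facility are standard IOS values; the byte-count eviction is a simplification of the router's circular buffer.

```python
import re

# IOS severity names in numeric order, 0 (emergencies) to 7 (debugging).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
LOCAL7 = 23      # facility Cisco devices use by default when sending to a syslog server

def ios_severity(text):
    """Severity embedded in an IOS message such as '%LINK-3-UPDOWN: ...'."""
    m = re.search(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+:", text)
    if not m:
        raise ValueError("not an IOS system message: " + text)
    return int(m.group(1))

class BufferedLog:
    """Model of 'logging buffered [size] [level]': keep messages at the configured
    level or more severe in a fixed-size buffer in which the oldest are overwritten."""
    def __init__(self, size, level="debugging"):
        self.size = size                         # buffer size in bytes
        self.threshold = LEVELS.index(level) if isinstance(level, str) else int(level)
        self.lines = []

    def log(self, text):
        if ios_severity(text) > self.threshold:
            return False          # less severe than the configured level: not stored
        self.lines.append(text)
        while sum(len(l) for l in self.lines) > self.size:
            self.lines.pop(0)     # buffer full: the oldest message is lost
        return True

def to_syslog(text, facility=LOCAL7):
    """Wrap an IOS message in the <PRI> header used for delivery on UDP port 514."""
    return "<%d>%s" % (facility * 8 + ios_severity(text), text)

def parse_syslog(datagram):
    """Split a syslog datagram into (facility, severity, message)."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.S)
    if not m:
        raise ValueError("missing PRI header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)
```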