
In Cisco [ASA](/asa) devices, [Network Address Translation (NAT)](/network-address-translation-nat) is a key feature used to translate [IP](/ipv4) addresses and [ports](/transport-layer-port-number) between different networks. The `translate_hits` and `untranslate_hits` counters are metrics used to monitor the effectiveness and usage of NAT rules. Here’s a detailed explanation of these counters:

## `translate_hits`

The `translate_hits` counter tracks the number of times a specific NAT rule has been used to translate a packet. Essentially, it counts how many packets have matched the NAT rule and had their source or destination IP address (and possibly ports) translated.

- **Source NAT (SNAT)**: When a packet originating from an internal ([private](/ipv4-private-ip-address-ranges)) IP address is translated to an external (public) IP address before being sent out to the Internet or another network.
- **Destination NAT (DNAT)**: When a packet destined for an external (public) IP address is translated to an internal (private) IP address before being delivered to the target device within the local network.

For example, if an internal device with IP address 192.168.1.10 sends packets to the Internet, and these packets are translated to an external IP address 203.0.113.5, the `translate_hits` counter would increment each time a packet is translated from 192.168.1.10 to 203.0.113.5.

## `untranslate_hits`

The `untranslate_hits` counter tracks the number of times a NAT rule has been used to reverse the translation of a packet. This typically occurs when the return traffic is being processed, and the ASA needs to reverse the NAT translation to deliver the packet to the correct internal device.

- **Source NAT (SNAT)**: When the response packets from the Internet or another network, originally destined to the external (public) IP address, are translated back to the internal (private) IP address.
- **Destination NAT (DNAT)**: When response packets from the internal network, originally translated to an internal (private) IP address, are translated back to the external (public) IP address.

Continuing the previous example, if a packet from the Internet destined for 203.0.113.5 reaches the ASA, the `untranslate_hits` counter would increment each time a packet is translated from 203.0.113.5 back to 192.168.1.10.

## Practical Implications

These counters are useful for network administrators to:

- **Monitor NAT Rule Utilization**: By observing the `translate_hits` and `untranslate_hits` counters, administrators can determine how frequently specific NAT rules are being used. This helps in understanding traffic patterns and the effectiveness of the NAT configuration.
- **Troubleshooting**: High values in these counters indicate active and ongoing translation, which is expected behavior. If counters are not incrementing as expected, it might indicate issues with the NAT configuration or traffic routing.
- **Performance Monitoring**: Keeping track of these counters can help in assessing the performance impact of NAT on the ASA. Excessive NAT translations can potentially lead to performance degradation, and these counters can act as indicators for such scenarios.

The `translate_hits` and `untranslate_hits` counters in an ASA NAT implementation provide insights into the activity and effectiveness of NAT rules by counting the number of packets that are translated and un-translated, respectively.

ASA NAT translate_hits and untranslate_hits counters

AAA - configuring a fallback method

AAA - radius-server host command deprecated

AAA 802.1X Multi-Auth Mode for Multiple Devices on a Single Port

AAA RADIUS UDP Port Number

AAA RADIUS vs TACACS+

AAA start-stop and stop-only

ACL - Applying in a VRF environment

ACL - Sequence Numbers

ACL Editor on Cisco IOS

ACL IPv6 implicit statements

ACL Logging

ACL log update threshold on Cisco IOS

ACL logging matched packets

ACL resequence command on Cisco NX-OS

ACL wildcard mask

ACLs Filtering Locally Generated Traffic

ARP Message Header and Payload

ARP table default timeout

ARP table

ARP to Determine Next Hop IP Address

ASA - ASDM Cipher security levels

ASA - ASDM

ASA - AnyConnect Management VPN Tunnel

ASA - Clientless VPN

ASA - Crypto key size for Version 9.16

ASA - IKE proposal parameters

ASA - Optimizing High Availability

ASA - Understanding NAT behavior with DMZ Subnet

ASA - Using FQDN in an ACL for VPN split tunnelling

ASA - VTI VPN and MSS

ASA - crypto hardware processing

ASA - emulating an ASA device

ASA - multiple AnyConnect packages

ASA - multiple VPNs between the same endpoints

ASA - number of crypto maps per interface

ASA - object group protocol vs service

ASA - same-security-traffic command

ASA - split-tunnel-policy command

ASA - using FQDN in an ACL

ASA CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed error

ASA Contexts operate as separate virtual devices

ASA DDoS protection

ASA DMZ

ASA ECMP static routing

ASA Manual NAT and Auto NAT

ASA NAT control

ASA NAT port forwarding multiple ports to same IP

ASA NAT with DHCP assigned IP address on outside interface

ASA NAT with multiple inside subnets

ASA Site-to-Site IKEv1 IPSec VPN recv errors

ASA Static one to one NAT on a range of addresses

ASA Troubleshoot HTTP and ASDM access

ASA VPN with overlapping IP address spaces

ASA active-standby failover preemption

ASA and Firepower reimaging

ASA crypto map and tunnel group preshared keys

ASA group policies

ASA implicit rule

ASA limit CLI and ASDM access to specific users

ASA packet processing algorithm

ASA prerequisites for high availability

ASA redirect IP SLA messages to log buffer

ASA redundant interface

ASA security levels

ASA syslog logging in multiple context mode

ASA to Firepower migration

ASA troubleshooting IPSec

ASA tunnel-group

ASA understanding version numbers

ASA what triggers an active-standby failover

ASA won't respond to pings from different subnet

ASBR Behavior with External Type 2 OSPF Routes

Access-List (ACL) Operators

Access-List (ACL)

Anycast Host Addressing

Anycast

Audio and Video over IP Networks

Automation - Ansible connection plugins

BFD - Control Plane Independent (CPI) bit

BFD - intervals and timers

BFD - slow-timers

BFD - with multiple routing protocols

BFD echo mode and operation details

BFD how an administrative change differs from a failure

BFD one-arm echo

BGP - AFI and SAFI

BGP - AS_Path filtering use cases

BGP - Accumulated IGP metric

BGP - Atomic Aggregate Attribute

BGP - Autonomous System (AS)

BGP - Autonomous System Number

BGP - BGP Algorithm within confederations

BGP - Discontiguous Autonomous Systems

BGP - ECMP for specific prefixes

BGP - End-of-RIB marker

BGP - FSM - Active state