ASA NAT translate_hits and untranslate_hits counters

In Cisco ASA devices, Network Address Translation (NAT) is a key feature used to translate IP addresses and ports between different networks. The translate_hits and untranslate_hits counters are metrics used to monitor the effectiveness and usage of NAT rules. Here’s a detailed explanation of these counters:

translate_hits

The translate_hits counter tracks the number of times a specific NAT rule has been used to translate a packet. Essentially, it counts how many packets have matched the NAT rule and had their source or destination IP address (and possibly ports) translated.

  • Source NAT (SNAT): When a packet originating from an internal (private) IP address is translated to an external (public) IP address before being sent out to the Internet or another network.
  • Destination NAT (DNAT): When a packet destined for an external (public) IP address is translated to an internal (private) IP address before being delivered to the target device within the local network.

For example, if an internal device with IP address 192.168.1.10 sends packets to the Internet, and these packets are translated to an external IP address 203.0.113.5, the translate_hits counter would increment each time a packet is translated from 192.168.1.10 to 203.0.113.5.

untranslate_hits

The untranslate_hits counter tracks the number of times a NAT rule has been used to reverse the translation of a packet. This typically occurs when the return traffic is being processed, and the ASA needs to reverse the NAT translation to deliver the packet to the correct internal device.

  • Source NAT (SNAT): When the response packets from the Internet or another network, originally destined to the external (public) IP address, are translated back to the internal (private) IP address.
  • Destination NAT (DNAT): When response packets from the internal network, originally translated to an internal (private) IP address, are translated back to the external (public) IP address.

Continuing the previous example, if a packet from the Internet destined for 203.0.113.5 reaches the ASA, the untranslate_hits counter would increment each time a packet is translated from 203.0.113.5 back to 192.168.1.10.

Practical Implications

These counters are useful for network administrators to:

  • Monitor NAT Rule Utilization: By observing the translate_hits and untranslate_hits counters, administrators can determine how frequently specific NAT rules are being used. This helps in understanding traffic patterns and the effectiveness of the NAT configuration.
  • Troubleshooting: High values in these counters indicate active and ongoing translation, which is expected behavior. If counters are not incrementing as expected, it might indicate issues with the NAT configuration or traffic routing.
  • Performance Monitoring: Keeping track of these counters can help in assessing the performance impact of NAT on the ASA. Excessive NAT translations can potentially lead to performance degradation, and these counters can act as indicators for such scenarios.

The translate_hits and untranslate_hits counters in an ASA NAT implementation provide insights into the activity and effectiveness of NAT rules by counting the number of packets that are translated and un-translated, respectively.

Links:

https://forum.networklessons.com/t/cisco-asa-static-nat-configuration/817/62?u=lagapidis