There are two main reasons to use Network Address Translation (NAT): to improve security and to make the most of limited address space.
It is also quite common to see NAT deployed in today's networks.
But sometimes NAT fails, and getting to the root of the problem can be tricky.
There could be overlapping NAT policies, failed firewall translations, IP address issues that are hard to troubleshoot, or a myriad of other problems.
It can be hard to find the root cause without logging in to one of the NAT devices, such as a firewall or router.
And once inside, you will most likely have to sort through a long list of sessions, which only makes things more time-consuming.
In this post, we'll go through seven popular NAT lookup tools.
A NAT lookup tool helps admins troubleshoot and inspect NAT records (sometimes without connecting to the device) by filtering, sorting, and otherwise simplifying the output.
What Does a NAT Lookup Tool Do?
Traditional NAT requires a router (or firewall) with one interface facing an internal network and another interface facing an external network (or the Internet).
NAT also requires a set of rules that state how addresses are to be translated.
- Inside Interface
An inside interface configured with a “private” IP address.
- Outside Interface
An interface facing an external network, such as the Internet. Its IP address is usually a public IP, often combined with a port number.
- The NAT policy, rule, or ACL
This policy specifies which inside source addresses are translated to which outside address. Dynamic rules draw the outside address from a pool of global IPs.
When an inside user or service requests a new external (public) IP, the router or firewall facing the Internet creates a new NAT session.
These NAT sessions remain open so that the internal end user can keep using the public-facing IP for as long as necessary (or as configured).
The NAT Lookup Tool
A NAT lookup tool inspects the current translations and rules stored in the NAT tables of routers or firewalls.
It displays as much information as possible about NATed connections and policies and helps sort or filter the results, which saves admins significant time and effort.
Retrieving the NAT policies that apply to specific IPs, learning their type of NAT mapping (static, dynamic, overload, PAT), seeing their status, and viewing source/destination translations, all from a single platform, can be a real time-saver.
Here are the 7 Best NAT Lookup Tools & Software:
1. SolarWinds NAT Lookup Tool
The SolarWinds NAT Lookup tool is a lightweight standalone tool designed for keeping track of NAT policies and translations in Palo Alto firewalls.
The tool provides a list of NAT policies and their respective firewalls for any queried IP address.
The tool is very scalable; it can help admins render comprehensive NAT policy lists.
These lists help troubleshoot IP address issues, overlapping NAT policies or rules, and overall firewall translation issues, in networks of any size.
- Search for NAT policies in one or multiple firewalls simultaneously.
- The search results display the NAT policies and the translation for each IP address.
- Only works with Palo Alto firewalls.
- The results can be exported as a CSV file.
- The tool can also provide access to the IP translation in live session traffic.
SolarWinds NAT Lookup was created to reduce the time and effort network admins in large networks spend looking for NAT translations.
One advantage is that it removes the need for admins to access the firewalls directly.
This also helps security admins grant different levels of access to sensitive firewalls.
- Built with sysadmins in mind
- Easy-to-use, lightweight tool
- Can search for policies across multiple firewalls
- Can analyze IP translation in a live setting
- Completely free
- Designed specifically for system administrators
The SolarWinds NAT Lookup Tool can be downloaded for free from SolarWinds.
2. netstat-nat
netstat-nat is a Linux utility that displays all NATed connections managed by iptables or Netfilter.
For example, a Linux server configured as a router or firewall with iptables may use the netstat-nat utility to show all of its NATed or routed connections.
The lightweight utility reads its information from Netfilter's temporary conntrack storage (‘/proc/net/ip_conntrack' or ‘/proc/net/nf_conntrack').
To make the utility work, make sure Netfilter is enabled in the kernel.
What can you do with netstat-nat?
- Display only SNAT connections, only DNAT connections, or both.
- Display all NAT connections.
- Filter by protocol number.
- Filter by source IP.
- Display connections to a specific destination IP/hostname.
- Sort NAT connections.
- And more…
The utility is supported by the popular Linux distros, including Debian, Ubuntu, SUSE, and Red Hat.
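To make concrete what netstat-nat does with the conntrack table, here is an added example (not code from the netstat-nat project or from this article) that reads conntrack entries, decides for each one whether it is SNAT, DNAT or untranslated, and filters and sorts the result. It handles both layouts the article names: the newer /proc/net/nf_conntrack lines with a leading address-family prefix and the older /proc/net/ip_conntrack lines without it. The sample entries, addresses and the classification helpers are constructed for the example; the SNAT/DNAT test is the standard one of comparing the original tuple with the reply tuple the kernel expects.

```python
"""Added example: a netstat-nat-style reader for Netfilter conntrack entries.

Not code from the netstat-nat project. It re-implements the core of what the
utility does (read conntrack lines, classify SNAT/DNAT, filter, sort) so the
logic can be inspected offline. Accepts the /proc/net/nf_conntrack layout
(leading "ipv4 2" columns) and the older /proc/net/ip_conntrack layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in nf_conntrack layout (not captured from a real host).
# Inside hosts live in 192.168.1.0/24; 203.0.113.5 is the firewall's public address.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.22 dst=8.8.8.8 sport=40001 dport=53 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=40001 mark=0 use=1
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=55000 dport=80 src=192.168.1.80 dst=198.51.100.7 sport=8080 dport=55000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 120 TIME_WAIT src=192.168.1.10 dst=192.168.1.80 sport=33000 dport=22 src=192.168.1.80 dst=192.168.1.10 sport=22 dport=33000 [ASSURED] mark=0 use=1
ipv4     2 icmp     1 29 src=192.168.1.10 dst=1.1.1.1 type=8 code=0 id=4321 src=1.1.1.1 dst=203.0.113.5 type=0 code=0 id=4321 mark=0 use=1
"""

_KV = re.compile(r"^(\w+)=(\S+)$")


@dataclass(frozen=True)
class Endpoint:
    src: str
    dst: str
    sport: Optional[str]  # TCP/UDP port, or the ICMP id
    dport: Optional[str]


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    state: str          # e.g. ESTABLISHED for TCP; empty for stateless protocols
    original: Endpoint  # tuple of the packet that created the entry
    reply: Endpoint     # tuple the firewall expects on the reply packet

    @property
    def is_snat(self) -> bool:
        # SNAT: replies are addressed to the translated source, not the original one.
        return (self.reply.dst, self.reply.dport) != (self.original.src, self.original.sport)

    @property
    def is_dnat(self) -> bool:
        # DNAT: replies come from the real (translated-to) destination.
        return (self.reply.src, self.reply.sport) != (self.original.dst, self.original.dport)


def _endpoint(fields: Dict[str, str]) -> Endpoint:
    port_default = fields.get("id")  # ICMP carries an id instead of ports
    return Endpoint(fields["src"], fields["dst"],
                    fields.get("sport", port_default), fields.get("dport", port_default))


def parse_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    if tokens[0] in ("ipv4", "ipv6"):  # nf_conntrack prefixes an L3 family and number
        tokens = tokens[2:]
    proto = tokens[0]                   # remaining layout: proto, number, timeout, ...
    rest = tokens[3:]
    state = rest[0] if rest and "=" not in rest[0] else ""
    original: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    current = original
    for tok in rest:
        m = _KV.match(tok)
        if not m:
            continue                    # state word, [ASSURED], [UNREPLIED]
        key, value = m.groups()
        if current is original and key in original:
            current = reply             # the first repeated key starts the reply tuple
        current[key] = value
    return ConntrackEntry(proto, state, _endpoint(original), _endpoint(reply))


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def filter_entries(entries, kind="both", proto=None, src=None, dst=None):
    """kind: 'snat', 'dnat' or 'both' (any translated entry); other args narrow further."""
    out = []
    for e in entries:
        if kind == "snat" and not e.is_snat:
            continue
        if kind == "dnat" and not e.is_dnat:
            continue
        if kind == "both" and not (e.is_snat or e.is_dnat):
            continue
        if proto and e.proto != proto:
            continue
        if src and e.original.src != src:
            continue
        if dst and e.original.dst != dst:
            continue
        out.append(e)
    return sorted(out, key=lambda e: (e.proto, e.original.src, e.original.dst))


def format_entry(e: ConntrackEntry) -> str:
    kind = "SNAT" if e.is_snat else "DNAT" if e.is_dnat else "----"
    translated = f"{e.reply.src}:{e.reply.sport}" if e.is_dnat else f"{e.reply.dst}:{e.reply.dport}"
    return (f"{e.proto:<5}{kind:<6}{e.original.src}:{e.original.sport} -> "
            f"{e.original.dst}:{e.original.dport} via {translated} {e.state}")


if __name__ == "__main__":
    for entry in filter_entries(parse_conntrack(SAMPLE_CONNTRACK), kind="snat"):
        print(format_entry(entry))
```

Run as a script it prints the three SNAT entries (TCP, UDP and ICMP); swap the embedded sample for `open("/proc/net/nf_conntrack").read()` on a Linux router to read the live table, which needs root like netstat-nat itself.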
- Can quickly show which connections are actively established on a machine
- Can find suspicious connections quickly if you know how to interpret netstat-style output
- Can filter by TCP connections to limit your scope on noisier networks
- Doesn't provide geolocation mapping for the connections found
- Requires training to understand how to use netstat-nat in a meaningful way
Get more information from the netstat-nat project page.
3. Cisco IOS “show ip nat translations”
The most efficient way to check the NAT table and its contents on Cisco devices is the IOS CLI command “show ip nat translations.”
The command shows all currently active NAT translations on the router.
The output from this command has five columns:
- Pro:
The protocol used by the translated connection: ICMP, TCP, UDP, etc.
- Inside global:
This is the IP address of the “inside” local device as it is seen from the outside (global).
- Inside local:
This is the inside device's IP address as it is seen from the inside. In other words, the real private IP.
- Outside local:
Technically, this is an outside host as it appears from the inside network. According to Cisco, this is not a legitimate address, and it is used only in special scenarios.
- Outside global:
The IP address of the outside host as it appears in the outside world. The IP is allocated from a globally routable address space (public IP).
Another useful Cisco IOS command for finding information about NAT rules and translations is “show ip nat statistics”; this command shows translations by interface, hits and misses, and so on.
With “show ip nat statistics”, you can also see the ACL (NAT rule) applied to each IP pool.
- Completely free
- Easy-to-remember syntax
- Built into all Cisco devices
- Lacks a graphical interface
- Designed only for Cisco products
Where to find it?
Both commands, “show ip nat translations” and “show ip nat statistics”, are available on all Cisco devices running IOS.
4. FortiView for FortiGate Firewalls
FortiView is the primary logging tool for FortiGate firewalls. It shows real-time and historical logs from different dashboards (applications, Wi-Fi, websites, etc.).
You can browse and filter through the logs if you are looking for specific results.
FortiView lets you analyze firewall sessions, displaying all current sessions since the application started.
The output is likely to be a very long list, especially in large networks.
You can create filters to browse through those firewall and NAT sessions and reduce the output.
You can filter on the following fields:
- Source or destination address
- NAT address or port
- And more.
- Simple yet informative interface
- Can easily see and sort traffic and destinations
- Can see historical logs
- Can slow down on very large networks
Where to find it?
FortiView is the FortiOS log tool for all FortiGate firewalls. It is enabled by default on all FortiGates running FortiOS version 5.2 or above.
5. “pfctl” for OpenBSD PF
pfctl stands for packet filter control. It is the utility that talks to the packet filter device, specifically on OpenBSD PF.
pfctl can load configuration and rules, or retrieve status information from the packet filtering (firewall) device.
It is very robust and provides a vast number of commands.
To display the currently active NAT translations with pfctl, add the -s state option to the command.
The command “pfctl -s state” lists all current NAT sessions.
The output shows a list with multiple columns:
- The interface that the NAT session is bound to.
- The protocol used for the connection (TCP, UDP, ICMP, IGMP, etc.).
- Internal IP: the internal local IP address.
- Internal (global): the IP address as seen from the outside.
- External IP: the address translated to an external IP and port (in the case of PAT).
- State: the state the connection is in right now.
- Extremely fast and lightweight utility
- Offers a robust variety of commands
- Best for those who enjoy CLI tools
- Specific to OpenBSD only
- No GUI
Where to find it?
pfctl is specific to OpenBSD systems.
6. pfSense WebGUI
pfSense is one of the most popular free and open-source firewalls and routers.
It is a customized distribution of the FreeBSD OS, adapted for use as one of those devices.
pfSense comes with an easy-to-use web user interface.
With pfSense's WebGUI, you can see a list of all firewall and NAT states, which includes:
- The interface: where the state is bound.
- The protocol: the type of protocol that initiated that state.
- The source and destination: the IP address before and after it is NATed. The arrow indicates the direction (inbound to outbound or vice versa).
- The state: the status of the state's connection. These vary according to the protocol.
- Packets: the number of packets that match the state, from source to destination.
- Bytes: the total size of the packets, from source to destination.
When the session list is too big to find what you are looking for, you can apply state filters.
These filters help you search quickly using specific search criteria.
For example, you can search by IP address or by an entire subnet.
- Easy to use and read at scale
- Open-source, transparent tool
- Can easily sort and filter by packets, destination, traffic, etc.
- Is completely free
- Best used with pfSense products
For more information on viewing the firewall states with the WebGUI, check the official pfSense guide.
Free with pfSense
7. Juniper's J-Web
J-Web is the web user interface for Juniper's SRX Series Services Gateways.
The tool allows you to monitor, configure, and troubleshoot the firewall over HTTPS. The J-Web GUI frees you from having to use the Junos CLI.
The NAT sessions and rules section of the J-Web interface lets you configure NAT.
It also shows you all current NAT translations and their policies.
You can also create filters when browsing through real-time (or historical) information.
You can monitor:
- Source NAT: display all configured information about source NAT rules, pools, persistent NAT, and its bound addresses.
- Destination NAT: display the destination NAT table, containing information about the NAT address pool.
- Static NAT: view all configured static NAT rules.
- Interface NAT ports: display the port utilization for a specific source pool.
- NAT incoming table information: view NAT table information in real time.
The NAT monitoring tool gives you a breadth of information about NAT sessions: interface, rule (policy), destination/source address, protocol, alarms, hits, and much more.
- Offers better visualizations than most NAT lookup tools
- Can sort traffic quickly, even in a live setting
- Offers both a GUI and a CLI version
- Specifically for Juniper devices
Where to find it?
J-Web comes free with the Juniper device.
A NAT lookup tool is essential for troubleshooting NAT, which is critical for any modern network.
The tool helps network admins look at NAT policies and sessions more quickly.
Most of these tools are unique to a single vendor.
They depend on utilities or features of the firewall or router; they are not standalone software.
But one that stands out is the SolarWinds NAT Lookup Tool.
It is standalone software, one of the few that allows users to connect to multiple firewalls simultaneously, plus it is 100% free.