NAT policies are configured in a trusted zone. A firewall "out" policy will be a "forward" NAT policy. A firewall "in" policy will be a "reverse" NAT policy.
A NAT failover feature is also available in the Secure Router. If you have named an interface to NAT out on and that interface goes down, then a named backup interface may take over the NATting function. Both the NATting interface and the backup NATting interface must be in the untrusted, "internet" zone.
Getting started
First get your general firewall orientation:
show ip interfaces brief
show firewall interfaces all
show firewall nat-failover
show firewall policy <zoneName> [detail]
From the output of these commands, if you have the goals and map in hand, you may compare the currently configured policy to the goals and map.
In the show firewall policy <zoneName> output (without detail), the "N" flag will be printed in the "Advanced" column for policies which have a NATting action.
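The two rules stated above (NAT policies live in a trusted zone, with "out" meaning forward NAT and "in" meaning reverse NAT; both NAT failover interfaces must be in the untrusted zone) and the "N" flag in the Advanced column can be checked mechanically once the show output has been read into a table. The following is an added example, not part of this guide or of the Secure Router software; the interface-to-zone map, the policy-row columns and the zone name "internet" are assumptions, since the page does not give the exact layout of the show output.

```python
"""Consistency checks for Secure Router NAT configuration.

Input layouts are CONSTRUCTED for this example; transcribe the real
'show firewall interfaces all' and 'show firewall policy <zoneName>'
output into these structures before running the checks.
"""

UNTRUSTED_ZONE = "internet"  # assumed name of the untrusted zone


def check_nat_failover(iface_zones, primary, backup):
    """Both the NATting interface and its backup must sit in the untrusted
    zone. Returns a list of problems; an empty list means consistent."""
    problems = []
    for role, iface in (("primary", primary), ("backup", backup)):
        zone = iface_zones.get(iface)
        if zone is None:
            problems.append(f"{role} interface {iface} has no firewall zone")
        elif zone != UNTRUSTED_ZONE:
            problems.append(
                f"{role} interface {iface} is in zone {zone}, not {UNTRUSTED_ZONE}")
    return problems


def classify_nat_policies(policy_rows):
    """policy_rows: (zone, name, direction, advanced) tuples, the columns this
    example assumes from 'show firewall policy <zoneName>'. Returns a dict
    name -> 'forward' | 'reverse' for every policy carrying the 'N' flag, and
    the names of flagged policies that sit in the untrusted zone, which the
    rules above do not allow."""
    kinds, misplaced = {}, []
    for zone, name, direction, advanced in policy_rows:
        if "N" not in advanced:
            continue  # no NATting action on this policy
        kinds[name] = "forward" if direction == "out" else "reverse"
        if zone == UNTRUSTED_ZONE:
            misplaced.append(name)
    return kinds, misplaced


# Constructed sample data: interface -> zone, and policy rows.
SAMPLE_IFACE_ZONES = {"ethernet0": "corp", "ethernet1": "internet",
                      "bundle1": "internet", "ethernet2": "dmz"}
SAMPLE_POLICIES = [
    ("corp", "web_out", "out", "N"),      # forward NAT, trusted zone: OK
    ("corp", "smtp_in", "in", "N"),       # reverse NAT, trusted zone: OK
    ("corp", "icmp_out", "out", "-"),     # no NAT action
    ("internet", "bad_nat", "out", "N"),  # NAT policy in untrusted zone
]

if __name__ == "__main__":
    print(check_nat_failover(SAMPLE_IFACE_ZONES, "ethernet1", "ethernet2"))
    print(classify_nat_policies(SAMPLE_POLICIES))
```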
Getting details
After comparing the configured policy to the goals and map, you will move into seeing the events with debug and show commands. NAT is part of the firewall, so the commands to reveal the NAT events are the same as the commands to reveal the firewall events.
debug firewall all
debug firewall packet
Isolating faults
• Can the Secure Router itself reach the target?
- Send a ping from the Secure Router CLI. Pings which leave the untrusted interface will use the public source address and will not be NATted. The Secure Router does not allow pings to be sent from a private, self address through the NAT translation. Those packets will be sent out of the firewall without NAT translation and will not be routed back.
• Is the firewall at fault?
- This is more difficult to isolate than in the plain firewall case because the Internet will not know the routes back to your private NAT address range. There is no ability to simply remove the firewall configuration and see if plain routing works because we know that
Troubleshooting NAT
Troubleshooting August 2013 203