nat translation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

nat translation

L0 Member

How to check and verify NAT translation using CLI.

4 REPLIES 4

L6 Presenter

First find out relevant sessino:

   show session all filter source <source IP> destination <destination IP>

Now following command will give NAT details, carefully analyse the output

   show session id <ID-from above command>

L3 Networker

You can simulate a Packet with:

> test nat-policy-match .........

Regards

Marco

L7 Applicator

Hello Salahuddin,

With the help of >test NAT policy ...........  command, you will be able to verify configured NAT policy on the PAN firewall. But, if you have an existing session on the PAN firewall and you want to identify, packet is executing by  which NAT policy, then apply CLI command  >show session all filter source <source IP> destination <destination IP>. This command will give you an ID.

>show session ID XYZ  >>>>>>>>>>>> This command output will show in detail information i.e NAT-policy name, security policy name, PBF, Source interface, destination interface etc.

For an example:

admin@DADA> show session all filter source 192.168.2.29 destination 69.171.245.49

--------------------------------------------------------------------------------

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                          Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

1690         facebook-base  ACTIVE  FLOW  NS   192.168.2.29[49365]/Trust-LAN/6  (192.168.1.75[19914])

vsys1                                          69.171.245.49[443]/Untrust-ISP  (69.171.245.49[443])

admin@DADA> show session id 1690

        c2s flow: -------------------------> Client to Server flow

                source:      192.168.2.29 [Trust-LAN] --------> SourceIP/ security Zone

                dst:         69.171.245.49 ---------------> Destination IP

                proto:       6

                sport:       49365           dport:      443 ----------------> Port

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow: ------------------> Server to client flow.

                source:      69.171.245.49 [Untrust-ISP]

                dst:         192.168.1.75

                proto:       6

                sport:       443             dport:      19914

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Thu Jul  3 02:21:24 2014

        timeout                       : 3600 sec

        time to live                  : 3161 sec

        total byte count(c2s)         : 9640

        total byte count(s2c)         : 11932

        layer7 packet count(c2s)      : 94

        layer7 packet count(s2c)      : 93

        vsys                          : vsys1

        application                   : facebook-base

        rule                          : LAN-ISP --------------------> Security rule

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : Source-NAT(vsys1)  ------------------> NAT rule name

        layer7 processing             : completed

        URL filtering enabled         : True

        URL category                  : social-networking

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2 ----------> Incoming interface

        egress interface              : ethernet1/1 ----------> Outgoing interface

        session QoS rule              : N/A (class 4)

        tracker stage l7proc          : ctd decoder bypass

Hope this helps.

Thanks

L7 Applicator

You may also find this main documentation on nat operations helpful.

Understanding PAN-OS NAT

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2671 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!