07-03-2014 04:02 AM
First find out the relevant session:
show session all filter source <source IP> destination <destination IP>
Now the following command will give NAT details; carefully analyse the output:
show session id <ID-from above command>
07-03-2014 05:45 AM
You can simulate a packet with:
> test nat-policy-match .........
Regards
Marco
07-03-2014 06:54 AM
Hello Salahuddin,
With the help of the >test NAT policy ........... command, you will be able to verify the configured NAT policy on the PAN firewall. But if you have an existing session on the PAN firewall and you want to identify which NAT policy the packet is being processed by, then apply the CLI command >show session all filter source <source IP> destination <destination IP>. This command will give you an ID.
>show session ID XYZ
The output of this command will show detailed information, i.e. NAT-policy name, security policy name, PBF, source interface, destination interface, etc.
For example:
admin@DADA> show session all filter source 192.168.2.29 destination 69.171.245.49
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1690 facebook-base ACTIVE FLOW NS 192.168.2.29[49365]/Trust-LAN/6 (192.168.1.75[19914])
vsys1 69.171.245.49[443]/Untrust-ISP (69.171.245.49[443])
admin@DADA> show session id 1690
c2s flow: -------------------------> Client to Server flow
source: 192.168.2.29 [Trust-LAN] --------> SourceIP/ security Zone
dst: 69.171.245.49 ---------------> Destination IP
proto: 6
sport: 49365 dport: 443 ----------------> Port
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow: ------------------> Server to client flow.
source: 69.171.245.49 [Untrust-ISP]
dst: 192.168.1.75
proto: 6
sport: 443 dport: 19914
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Thu Jul 3 02:21:24 2014
timeout : 3600 sec
time to live : 3161 sec
total byte count(c2s) : 9640
total byte count(s2c) : 11932
layer7 packet count(c2s) : 94
layer7 packet count(s2c) : 93
vsys : vsys1
application : facebook-base
rule : LAN-ISP --------------------> Security rule
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Source-NAT(vsys1) ------------------> NAT rule name
layer7 processing : completed
URL filtering enabled : True
URL category : social-networking
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2 ----------> Incoming interface
egress interface : ethernet1/1 ----------> Outgoing interface
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd decoder bypass
Hope this helps.
Thanks
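Added example, not part of any post in this thread and not Palo Alto code: a small parser that pulls the matched NAT rule and security rule out of saved `show session id` text and compares the c2s and s2c flows to show which side was translated. It assumes the output layout matches what is quoted above; `parse_session`, `nat_summary` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the 'show session id' output quoted above,
# with one of the poster's arrow annotations left in.
SAMPLE = """\
c2s flow:
        source: 192.168.2.29 [Trust-LAN]
        dst: 69.171.245.49
        sport: 49365 dport: 443
s2c flow:
        source: 69.171.245.49 [Untrust-ISP]
        dst: 192.168.1.75
        sport: 443 dport: 19914
rule : LAN-ISP
nat-rule : Source-NAT(vsys1) ------------------> NAT rule name
ingress interface : ethernet1/2
egress interface : ethernet1/1
"""

ANNOTATION = re.compile(r"\s*-{3,}>.*$")  # "-----> comment" added by the poster

def parse_session(text):
    """Return (flows, fields) parsed from 'show session id' text."""
    flows, fields, cur = {}, {}, None
    for raw in text.splitlines():
        line = ANNOTATION.sub("", raw).strip()
        if " : " in line:                      # session-level "key : value"
            key, _, value = line.partition(" : ")
            fields[key.strip()] = value.strip()
        elif re.match(r"(c2s|s2c) flow:", line):
            cur = flows.setdefault(line[:3], {})
        elif cur is not None:                  # per-flow "key: value" pairs
            cur.update(re.findall(r"(\w+):\s*(\S+)", line))
    return flows, fields

def nat_summary(text):
    """Name the matched rules and compare both flows to see what was translated."""
    flows, fields = parse_session(text)
    c2s, s2c = flows["c2s"], flows["s2c"]
    return {
        "nat_rule": fields.get("nat-rule"),
        "security_rule": fields.get("rule"),
        "src_translated": s2c["dst"] != c2s["source"],
        "dst_translated": s2c["source"] != c2s["dst"],
        "pre_nat_src": f'{c2s["source"]}:{c2s["sport"]}',
        "post_nat_src": f'{s2c["dst"]}:{s2c["dport"]}',
    }

if __name__ == "__main__":
    for key, value in nat_summary(SAMPLE).items():
        print(f"{key:15} {value}")
```
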
07-04-2014 03:56 AM
You may also find this main documentation on NAT operations helpful.