Hello Tician,

Here are some useful commands for NAT troubleshooting ("nat-inside-2-outside" is the rule used for reference):

> show running nat-policy                    // Show currently deployed NAT policy

> show running nat-rule-cache               // Show all NAT rules of all versions in cache

> show running nat-rule-ippool rule nat-inside-2-outside       // NAT rule ippool usage

> debug dataplane nat sync-ippool rule nat-inside-2-outside          // To kill sessions pertaining to a particular NAT rule and re-sync the ippool

>> For a particular session, the NAT translation can be viewed as:

admin@88-PA-VM-300> show session all filter application ping
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
172307  ping           ACTIVE  FLOW  NS   192.168.88.206[512]/trust-L3/1  (10.66.24.88[512])
vsys1                                     4.2.2.2[6912]/untrust-L3  (4.2.2.2[6912])

admin@88-PA-VM-300> show session id 172307
Session          172307
        c2s flow:
                source:      192.168.88.206 [trust-L3]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      6912
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      4.2.2.2 [untrust-L3]
                dst:         10.66.24.88
                proto:       1
                sport:       6912            dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Mon Nov 25 08:50:18 2013
        timeout                       : 6 sec
        total byte count(c2s)         : 74
        total byte count(s2c)         : 74
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : ping
        rule                          : trust-2-untrust
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : nat-inside-2-outside(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)

You may have done this already, but you can also bookmark this document for future reference:

Understanding PAN-OS NAT

Let me know if that is what you were looking for!

Thanks and regards,

Kunal Adak
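The answer above reads the NAT translation off a `show session id` dump by comparing the c2s and s2c flows: the reply (s2c) is addressed to the translated source and comes from the translated destination. The following is an added example, not code from the original post or from Palo Alto Networks, that does that comparison automatically: it parses the session output quoted above (embedded here as a constructed sample), derives the original and translated source/destination, tells you whether a NAT rule matched and whether any address or port actually changed, and builds the `show running nat-rule-ippool rule <name>` command from the `nat-rule` field. The parsing is based only on the layout of the output shown in the post; the helper names (`parse_session`, `nat_translation`, `diagnose`, `ippool_command`) are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the `show session id 172307` output quoted in
# the post above, trimmed to the fields this example uses.
SESSION_OUTPUT = """\
Session          172307
        c2s flow:
                source:      192.168.88.206 [trust-L3]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      6912
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      4.2.2.2 [untrust-L3]
                dst:         10.66.24.88
                proto:       1
                sport:       6912            dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Mon Nov 25 08:50:18 2013
        timeout                       : 6 sec
        address/port translation      : source + destination
        nat-rule                      : nat-inside-2-outside(vsys1)
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
"""


@dataclass
class Flow:
    src: str
    src_zone: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_flow(block: str) -> Flow:
    """Parse one 'c2s flow:' or 's2c flow:' block of `show session id` output."""
    src = re.search(r"source:\s+(\S+)\s+\[([^\]]+)\]", block)
    dst = re.search(r"dst:\s+(\S+)", block)
    proto = re.search(r"proto:\s+(\d+)", block)
    ports = re.search(r"sport:\s+(\d+)\s+dport:\s+(\d+)", block)
    if not (src and dst and proto and ports):
        raise ValueError("incomplete flow block")
    return Flow(src.group(1), src.group(2), dst.group(1),
                int(proto.group(1)), int(ports.group(1)), int(ports.group(2)))


def parse_session(text: str) -> dict:
    """Return the c2s/s2c flows plus the 'key : value' attribute lines."""
    c2s_at = text.index("c2s flow:")
    s2c_at = text.index("s2c flow:")
    # Attribute lines ('nat-rule   : ...') have whitespace before the colon;
    # flow fields ('source:', 'sport:') do not, so the regex skips them.
    attrs = dict(re.findall(r"^\s+(\S.*?)\s+:\s+(.+?)\s*$", text, re.M))
    return {"c2s": parse_flow(text[c2s_at:s2c_at]),
            "s2c": parse_flow(text[s2c_at:]),
            "attrs": attrs}


def nat_translation(session: dict) -> dict:
    """Derive what NAT did: s2c.dst is the translated source (that is where the
    reply is sent) and s2c.src is the translated destination."""
    c2s, s2c = session["c2s"], session["s2c"]
    rule_field: Optional[str] = session["attrs"].get("nat-rule")
    rule, vsys = None, None
    if rule_field:  # format seen in the post: 'rule-name(vsys1)'
        m = re.match(r"^(.*?)\((.*)\)$", rule_field)
        rule, vsys = (m.group(1), m.group(2)) if m else (rule_field, None)
    return {
        "orig_src": f"{c2s.src}[{c2s.sport}]",
        "xlat_src": f"{s2c.dst}[{s2c.dport}]",
        "orig_dst": f"{c2s.dst}[{c2s.dport}]",
        "xlat_dst": f"{s2c.src}[{s2c.sport}]",
        "source_nat": (c2s.src, c2s.sport) != (s2c.dst, s2c.dport),
        "dest_nat": (c2s.dst, c2s.dport) != (s2c.src, s2c.sport),
        "nat_rule": rule,
        "vsys": vsys,
    }


def diagnose(session: dict) -> str:
    """One-line verdict a troubleshooter can act on."""
    t = nat_translation(session)
    if t["nat_rule"] is None:
        return ("no NAT rule matched this session; check zones and rule order "
                "with 'show running nat-policy'")
    if not (t["source_nat"] or t["dest_nat"]):
        return f"NAT rule {t['nat_rule']} matched but no address/port changed"
    parts = []
    if t["source_nat"]:
        parts.append(f"src {t['orig_src']} -> {t['xlat_src']}")
    if t["dest_nat"]:
        parts.append(f"dst {t['orig_dst']} -> {t['xlat_dst']}")
    return f"NAT rule {t['nat_rule']} applied: " + ", ".join(parts)


def ippool_command(session: dict) -> Optional[str]:
    """The ippool-usage command from the post, for the rule this session hit."""
    rule = nat_translation(session)["nat_rule"]
    return f"show running nat-rule-ippool rule {rule}" if rule else None


if __name__ == "__main__":
    s = parse_session(SESSION_OUTPUT)
    print(diagnose(s))
    print(ippool_command(s))
```

On the sample, `diagnose` reports source NAT from 192.168.88.206[512] to 10.66.24.88[512] with the destination 4.2.2.2[6912] unchanged, which is exactly what the `show session all` summary line shows in its "(translated IP[Port])" columns; paste any other session's output into `SESSION_OUTPUT` to check it the same way.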
