Is there a way to test a 1:1 NAT rule on NetVanta 3458? The problem I'm having is I have this 3458 set up on the edge of two networks. The eth 0/1 WAN port is connected to a 3rd party's network and I do not have the ability to test incoming connections without their help. I have set up a 1:1 NAT that translates an assigned IP within a block they gave us to an internal IP in my network. They are able to ping this IP, but I can nearly guarantee it's the 3458 responding and not the device in my network. How can I test this rule so that I know it's working right?
Thanks,
Kurt
Kurt,
Probably the best way to see what an AOS device is doing with traffic as it goes through the firewall is to look at the active policy-sessions on the device. You can view these sessions in the CLI and the Web GUI.
In the CLI, simply issue the command "show ip policy-session". This will display a table of traffic hitting the router and what IP address (if any) it is being NATted to. The table is organized by policy-class / security zone and displays source/destination/NAT IP as well as source/destination/NAT ports. So, in your case, you could have the 3rd party start a running ping to the public IP address that you have configured to be translated to an internal IP. Once that running ping is going, you would issue the "show ip policy-session" command and look for the policy-class/security zone assigned to your WAN interface. Under that section, you should be able to see the ICMP traffic sourced from whatever IP address the 3rd party is pinging you from and destined for the external IP address. Further to the right, you will see what IP address the traffic is being NATted to if any.
This information can also be viewed in the GUI, by navigating to Data -> Firewall -> Security Zones on the left panel. Once on the 'Security Zones' page, the bottom table will show the number of active sessions for each Security Zone. Simply click on the number under the 'Active Sessions' column to view the policy-sessions.
Another debug you can use to verify whether or not the router is responding to the pings the 3rd party is transmitting is by enabling "debug ip icmp" in the CLI. This command will show all pings that are received and transmitted by the AOS device. If you do not see any output, however, the 3rd party is seeing replies, that will tell us the router is NOT the ones responding to the pings. You can issue the "u a" (undebug all) command to stop the debug.
I would also be more than happy to take a look at your configuration if you would like. Simply attach it to this thread and remember to remove any information that may be sensitive to your network.
Let us know if you have any questions.
Thanks,
Noor
Kurt,
Probably the best way to see what an AOS device is doing with traffic as it goes through the firewall is to look at the active policy-sessions on the device. You can view these sessions in the CLI and the Web GUI.
In the CLI, simply issue the command "show ip policy-session". This will display a table of traffic hitting the router and what IP address (if any) it is being NATted to. The table is organized by policy-class / security zone and displays source/destination/NAT IP as well as source/destination/NAT ports. So, in your case, you could have the 3rd party start a running ping to the public IP address that you have configured to be translated to an internal IP. Once that running ping is going, you would issue the "show ip policy-session" command and look for the policy-class/security zone assigned to your WAN interface. Under that section, you should be able to see the ICMP traffic sourced from whatever IP address the 3rd party is pinging you from and destined for the external IP address. Further to the right, you will see what IP address the traffic is being NATted to if any.
This information can also be viewed in the GUI, by navigating to Data -> Firewall -> Security Zones on the left panel. Once on the 'Security Zones' page, the bottom table will show the number of active sessions for each Security Zone. Simply click on the number under the 'Active Sessions' column to view the policy-sessions.
Another debug you can use to verify whether or not the router is responding to the pings the 3rd party is transmitting is by enabling "debug ip icmp" in the CLI. This command will show all pings that are received and transmitted by the AOS device. If you do not see any output, however, the 3rd party is seeing replies, that will tell us the router is NOT the ones responding to the pings. You can issue the "u a" (undebug all) command to stop the debug.
I would also be more than happy to take a look at your configuration if you would like. Simply attach it to this thread and remember to remove any information that may be sensitive to your network.
Let us know if you have any questions.
Thanks,
Noor
Kurt - I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor