01-02 NAT Troubleshooting

VRP Troubleshooting - VAS Contents

Issue 01 (2008-08-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

i

Contents

2 NAT Troubleshooting ... 2-1
2.1 NAT Overview ... 2-2
2.1.1 NAT Procedures ... 2-2
2.1.2 NAT Features ... 2-3
2.1.3 VRP NAT ... 2-3
2.2 Troubleshooting NAT ... 2-4
2.2.1 Typical Networking ... 2-4
2.2.2 Configuration Notes ... 2-5
2.2.3 Troubleshooting Flowchart ... 2-7
2.2.4 Troubleshooting Procedure ... 2-8
2.3 Troubleshooting Internal NAT Server ... 2-9
2.3.1 Typical Networking ... 2-9
2.3.2 Configuration Notes ... 2-10
2.3.3 Troubleshooting Flowchart ... 2-11
2.3.4 Troubleshooting Procedure ... 2-11
2.4 Troubleshooting Cases ... 2-12
2.4.1 Internal Host Fails to Access the External FTP Server ... 2-13
2.4.2 External Host Fails to Access the HTTP NAT Server ... 2-14
2.5 FAQs ... 2-15
2.6 Diagnostic Tools ... 2-16
2.6.1 display Commands ... 2-16
2.6.2 debugging Commands ... 2-18


Figures

Figure 2-1 Network address translation..............................................................................................................2-2

Figure 2-2 Networking diagram of NAT ............................................................................................................2-4

Figure 2-3 Flow chart of NAT troubleshooting ..................................................................................................2-7

Figure 2-4 Networking diagram of internal server ...........................................................................................2-10

Figure 2-5 Flowchart of NAT server troubleshooting ......................................................................................2-11

Figure 2-6 Troubleshooting cases for NAT outbound ......................................................................................2-13

Figure 2-7 NAT server troubleshooting............................................................................................................2-14


2 NAT Troubleshooting

About This Chapter

The following table shows the contents of this chapter.

Section: 2.1 NAT Overview
Description: This section describes the knowledge you need before troubleshooting NAT.

Section: 2.2 Troubleshooting NAT
Description: This section describes the notes about configuring NAT, and provides the NAT troubleshooting flowchart and the troubleshooting procedure in a typical NAT network.

Section: 2.3 Troubleshooting Internal NAT Server
Description: This section describes the notes about configuring the internal NAT server, and provides the internal NAT server troubleshooting flowchart and the troubleshooting procedure in a typical NAT network.

Section: 2.4 Troubleshooting Cases
Description: This section presents several troubleshooting cases.

Section: 2.5 FAQs
Description: This section lists frequently asked questions and their answers.

Section: 2.6 Diagnostic Tools
Description: This section describes common diagnostic tools: display commands and debugging commands.


2.1 NAT Overview

Network Address Translation (NAT) is also called address proxy. It allows users in a private network to access the public network.

2.1.1 NAT Procedures

Private Network Address and Public Network Address

The private address is the internal network address, that is, the IP addresses of internal hosts.

The Internet Address Distribution Organization reserves the following IP address ranges as private network addresses:

From 10.0.0.0 to 10.255.255.255
From 172.16.0.0 to 172.31.255.255
From 192.168.0.0 to 192.168.255.255

The public address is the globally unique IP address used on the Internet.

Addresses in the preceding ranges can be allocated to the intranet but not the Internet. Different companies can use the same internal network addresses. If a company selects the network segments beyond these ranges as its internal network address, the internal user may fail to access the Internet or a public network host.

NAT

As shown in Figure 2-1, when an internal network host needs to access the Internet or a public network host, NAT is required.

Figure 2-1 Network address translation (figure: internal network with a PC 10.1.1.10/24 and a WWW client 10.1.1.48/24 behind the router interface GE1/0/0; external interface Pos2/0/0 203.196.3.23/24; WWW server 202.18.245.251/24 on the Internet)


The internal network is on 10.0.0.0 network segment and the public network IP address assigned to this internal network is 203.196.3.23.

The internal host 10.1.1.48 accesses the external server 202.18.245.251 through NAT as follows:

The internal host sends a packet with the source IP address and port as 10.1.1.48:6084 and the destination IP address and port as 202.18.245.251:80.

When the packet passes through the router, the source IP address, and port of this packet are translated to 203.196.3.23:32814. The destination IP address and port are unchanged.

The router has an address-to-port mapping table. When receiving the response packets from the external server, the router translates the destination IP address and port of the packets to 10.1.1.48:6084.

NAT translates the IP address and port of the internal host to the external IP address and port of the router. It also translates the external IP address and port of the router to the IP address and port of the internal host. In general, NAT implements the translation between <private address + port> and <public address + port>.
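The mapping table just described, as an added example that is not part of the Huawei document: a minimal Python model of the gateway's address-to-port table, walked through with the addresses, ports and the public port 32814 from Figure 2-1. The allocation policy (one public port per internal address/port pair, handed out sequentially) and all class and function names are this example's own assumptions, not VRP behaviour.

```python
# Added example (not from the Huawei document): a minimal model of the
# address-and-port mapping table described in section 2.1.1. Addresses and
# ports are the ones used in the text; the per-flow port allocation policy
# and all names are assumptions of this model.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Translates <private address + port> to <public address + port> and back."""

    def __init__(self, public_ip: str, first_public_port: int = 32814):
        self.public_ip = public_ip
        self._next_port = first_public_port
        # (private ip, private port) -> public port
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public port -> (private ip, private port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Internal host -> external server: rewrite the source, keep the destination."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            # First packet of a new flow: allocate a public port, record both directions.
            port = self._next_port
            self._next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """External server -> internal host: look up the mapping, rewrite the destination.

        A packet with no mapping is returned as None (dropped): an external host cannot
        reach an internal host that has not first opened a flow, which is the
        "protecting the internal hosts" property mentioned in section 2.1.2.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def walk_through_figure_2_1() -> Tuple[Packet, Optional[Packet]]:
    """Reproduce the exchange in section 2.1.1: (translated request, translated reply)."""
    gw = NatGateway("203.196.3.23")
    request = Packet("10.1.1.48", 6084, "202.18.245.251", 80)
    translated = gw.translate_outbound(request)
    reply = Packet("202.18.245.251", 80, translated.src_ip, translated.src_port)
    return translated, gw.translate_inbound(reply)


if __name__ == "__main__":
    out, back = walk_through_figure_2_1()
    print("request after NAT:", out)
    print("reply after NAT:  ", back)
```

The reverse lookup is keyed on the public port alone, which is all the text's mapping table needs; a real gateway also keys on protocol and peer so that two external hosts talking to the same public port are kept apart.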

2.1.2 NAT Features

NAT has the following features:

Transparent address distribution for users (the distribution of external addresses)
Transparent routing: Routing here refers to the capability of forwarding IP packets, not a technology for exchanging routing information.

The advantages of NAT are as follows:

Allowing the internal hosts to access the external network
Protecting the internal hosts

The disadvantages of NAT are as follows:

The packet header containing the IP address cannot be encrypted because the IP address needs to be translated. In application protocols, packets cannot be encrypted if they carry the address or port to be translated. For example, an encrypted FTP connection should not be used through NAT; otherwise, the FTP PORT command cannot be correctly translated.

Debugging the network is difficult because the IP address of the internal host is not visible to the external network. For instance, when an internal host attacks other networks, it is hard to identify the malicious host because the internal IP addresses are hidden.

2.1.3 VRP NAT

Supporting NAT ALG

VRP NAT not only translates the common IP address but also provides an application level gateway (ALG) mechanism.

The VRP NAT has a good extensibility. It supports various protocols on the application layer such as DNS, FTP, TFTP, H.323, HWCC, ICMP, Internet Locator Service (ILS), MSN, Network Basic Input/Output System (NetBIOS), the Point-to-Point Tunneling Protocol (PPTP), and QQ.


Supporting MPLS VPN

VRP NAT also permits users in different Multi-Protocol Label Switching (MPLS) Virtual Private Networks (VPNs) to access external hosts through the same egress.

When an MPLS VPN user wants to access the Internet,

NAT first translates the IP address and port of the internal host to the external IP address and port of the router.

In processing the response packet, NAT translates the external IP address and port to the IP address and port of the internal host.

During this process, NAT keeps recording the information about the MPLS VPN user.

NAT Performance

When the link bandwidth is less than 10 Mbit/s, NAT has almost no negative impact on network performance. When the link bandwidth is more than 10 Mbit/s, NAT slightly affects the router performance.

2.2 Troubleshooting NAT

This section covers the following topics:

Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure

2.2.1 Typical Networking

As shown in Figure 2-2, the PC in the internal network needs to access the external network through the NAT gateway.

Figure 2-2 Networking diagram of NAT (figure: a PC on the internal Ethernet reaches the Internet through the NAT gateway, whose interfaces Eth 1/0/1 and Eth 2/0/1 sit between the Ethernet and the Internet)


2.2.2 Configuration Notes

Item: Configuring the ACL
  Sub-item: Configuring the ACL rule
  Description: Configure the Access Control List (ACL) rules: the source IP address range, the destination IP address range and the related port numbers, as required.

Item: Configuring the address pool
  Sub-item: Configuring the NAT address group
  Description: Configure the address pool for NAT; specify the pool number and the available start IP address and end IP address.

Item: Configuring the NAT outbound ACL and address pool association
  Sub-item: Specifying an interface
  Description: Specify the interface to be enabled with NAT.
  Sub-item: Configuring the outbound mode
  Description: Specify NAT in the outbound mode.
  Sub-item: Configuring the ACL number
  Description: Specify the ACL number to be bound.
  Sub-item: Configuring the address group number
  Description: Specify the address pool number to be bound.
  Sub-item: Configuring the No PAT mode
  Description: Specify whether to use the No PAT mode.

Item: Configuring the NAT ALG
  Sub-item: Configuring the NAT ALG
  Description: Enable the ALG to be used.

The following contents present the notes required to configure NAT outbound.

The following covers part of commands in configuring NAT outbound and NAT ALG. For details, refer to the VRP Configuration Guide - Security and the VRP Configuration Guide - IP Services.

Configuring the ACL Rule

Configure ACL 3001 to permit the internal PC to access Telnet (port number 23).

[Router] acl number 3001

[Router-acl-adv-3001] rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet

Configuring an Address Pool

Configure address pool No. 2, with the start IP address 46.1.1.20 and the end IP address 46.1.1.30.

[Router] nat address-group 2 46.1.1.20 46.1.1.30


Associating ACL Rules with the Address Pools in the NAT Outbound

When a TCP packet from 192.168.1.0 passes through the NAT gateway, the source IP address is translated to an IP address in the address pool. The packet is then sent out from Ethernet 3/1/0.

[Router] interface Ethernet 1/2/0

[Router-Ethernet1/2/0] ip address 46.1.1.14 255.255.255.0

[Router-Ethernet1/2/0] nat outbound 3000 address-group 2

The host can obtain only the Telnet service because the ACL rule limits the destination port.

Packets that do not match ACL rules cannot access the external network and are then discarded.

Configuring NAT ALG for Related Protocols

Use the display nat alg command to view the current ALG status of each protocol.

<Quidway> display nat alg

NAT application level gateway information:

h323 NAT application level gateway is disabled

dns NAT application level gateway is enabled

netbios NAT application level gateway is enabled

ils NAT application level gateway is enabled

ftp NAT application level gateway is disabled

icmp NAT application level gateway is enabled

pptp NAT application level gateway is enabled

hwcc NAT application level gateway is enabled

qq NAT application level gateway is disabled

msn NAT application level gateway is disabled


2.2.3 Troubleshooting Flowchart

Figure 2-3 Flow chart of NAT troubleshooting (flowchart: the internal user fails to access the external network. Can the NAT gateway ping through the external IP address? If not, ensure correct packet sending and receiving on the external interface by checking the route on the NAT gateway and the address pool on the external interface. Does the internal router have a route to the NAT gateway? Are there correct sessions on the NAT gateway? Do the ACL rules permit the internal packets to pass through? If not, configure an ACL rule to permit them. Are the ALGs of the related protocols enabled? After each fix: does the fault disappear? If yes, end; otherwise seek technical support.)


2.2.4 Troubleshooting Procedure

Step 1 Check the reachability between the internal host and the external network.

1. Check the reachability between the internal host and the NAT gateway.

If the internal host fails to ping through the NAT gateway, check the IP addresses of the NAT inbound on the router or the physical link and the routes between them.

If the IP addresses of the internal host and the NAT inbound are not in the same network segment and no route to the host is configured on the NAT gateway, configure a static route on it so that internal packets can reach the NAT gateway.

If routes are incorrect, first modify the routes.

2. Check the reachability between the NAT gateway and the destination IP address.

The method for checking the reachability between the NAT gateway and the destination is almost the same as that for checking the reachability between the internal host and the NAT gateway. Note that in this step, you need to check whether the NAT outbound is correctly configured with an IP address or an IP address pool. For example, check whether the IP address of the NAT outbound conflicts with other IP addresses in this network segment.

In configuring an address pool on the NAT outbound, note that the address pool should not contain the destination IP address. For example, if the destination IP address is 202.99.6.3, the address pool range should not be from 202.99.6.1 to 202.99.6.10 so that it does not affect normal packets forwarding.

Use the display nat address-group command to view the configured address pool.

<Quidway> display nat address-group

NAT address-group information:

2 : from 46.1.1.20 to 46.1.1.30, reference 8 times

Total 1 address-groups

Step 2 Check sessions on the NAT gateway.

On the internal PC, Telnet some host in the external network and then use the display firewall session table slot slot-id command to view whether a session is set up on NAT gateway. slot-id indicates the slot number of the NAT interface board. For example:

<Quidway> display firewall session table slot 3

TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23

Check the protocol and the IP address and port number carried in the session information.

The display in the bracket indicates the IP address and port after NAT. This IP address should be one of the addresses in the address pool. In the EasyIP mode, it is also the configured IP address of the NAT interface.
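The two checks above (Step 1: the address pool must not contain the destination address; Step 2: the bracketed address in the session entry must come from the pool, or be the interface address in EasyIP mode) as an added Python example, not part of the Huawei document. It parses the display nat address-group and display firewall session table output quoted in the text; the output strings are constructed from that text, and the function names are this example's own.

```python
# Added example (not part of the Huawei document): checks for Step 1 and Step 2
# built on the command output shown in the text. The output strings are
# constructed from that text; function and variable names are this example's own.
import ipaddress
import re
from typing import Dict, Optional, Tuple

IPv4Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# "2 : from 46.1.1.20 to 46.1.1.30, reference 8 times"
ADDRESS_GROUP_RE = re.compile(r"^\s*(\d+)\s*:\s*from\s+([\d.]+)\s+to\s+([\d.]+)")
# "TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23"
OUTBOUND_SESSION_RE = re.compile(
    r"^(?P<app>\w+):\s*vpn:(?P<vpn>\d+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\]"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed from the "display nat address-group" output quoted in Step 1.
ADDRESS_GROUP_OUTPUT = """\
NAT address-group information:
2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
Total 1 address-groups
"""

# Constructed from the "display firewall session table slot 3" output in Step 2.
SESSION_LINE = "TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23"


def parse_address_groups(text: str) -> Dict[int, IPv4Pool]:
    """Return {group number: (first address, last address)} from the display output."""
    groups: Dict[int, IPv4Pool] = {}
    for line in text.splitlines():
        m = ADDRESS_GROUP_RE.match(line)
        if m:
            groups[int(m.group(1))] = (ipaddress.IPv4Address(m.group(2)),
                                       ipaddress.IPv4Address(m.group(3)))
    return groups


def pool_contains(pool: IPv4Pool, ip: str) -> bool:
    first, last = pool
    return first <= ipaddress.IPv4Address(ip) <= last


def pool_conflicts_with_destination(pool: IPv4Pool, destination: str) -> bool:
    """Step 1 note: the address pool must not contain the destination address."""
    return pool_contains(pool, destination)


def parse_session(line: str) -> Optional[Dict[str, str]]:
    """Split one outbound session entry into its fields; None if it is not one."""
    m = OUTBOUND_SESSION_RE.match(line.strip())
    return m.groupdict() if m else None


def session_translated_correctly(session: Dict[str, str], pool: IPv4Pool,
                                 easy_ip_interface: Optional[str] = None) -> bool:
    """Step 2 check: the bracketed address must be one of the pool addresses, or,
    in EasyIP mode, the configured address of the NAT interface."""
    nat_ip = session["nat_ip"]
    if easy_ip_interface is not None:
        return nat_ip == easy_ip_interface
    return pool_contains(pool, nat_ip)


if __name__ == "__main__":
    pools = parse_address_groups(ADDRESS_GROUP_OUTPUT)
    session = parse_session(SESSION_LINE)
    print("pools:", {k: (str(a), str(b)) for k, (a, b) in pools.items()})
    print("session uses pool 2:", session_translated_correctly(session, pools[2]))
```

Feed the real command output to parse_address_groups and parse_session line by line; any session whose bracketed address fails session_translated_correctly points at a wrong address pool binding or, in EasyIP mode, at the wrong interface address.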

Using the display firewall session table verbose slot command, you can view the detailed session such as the time to live (TTL).

<Quidway> display firewall session table verbose slot 3

tcp, TELNET:0,

192.168.1.201:768-->46.1.1.64:23

46.1.1.20:25290-->46.1.1.64:23

tag: 0x80000980, State: 0x0, ttl: 00:00:20 left: 00:00:19

The EasyIP mode configuration is as follows:


[Quidway] interface Ethernet 3/1/0

[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0

[Quidway-Ethernet3/1/0] nat outbound 3001

Step 3 Check the ACL rules bound with the NAT gateway.

Wrong ACL configurations, such as an improper IP address, protocol, or port number, often prevent internal packets from being sent out or external packets from reaching the internal network.

Use the display acl all command to view all current ACL rules.

<Quidway> display acl all

Total nonempty acl number is 1

Advanced ACL 3001, 1 rule

Acl's step is 5

rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)

On the basis of the matching times of one ACL rule, check whether packets permitted by the ACL rule can pass through NAT. You can then know whether ACL rules take effect.

ACL rules strictly specify certain available address ranges, protocols, and ports as required. After NAT is configured, if the internal network host cannot ping through the external network host, check whether the ACL rule permits ICMP packets.
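The Step 3 question, "does the ACL bound to the NAT interface permit this packet?", worked as an added Python example that is not part of the Huawei document. It parses the two rule forms this chapter shows (the Telnet-only rule from 2.2.2 and the permit ip rule from display acl all) and evaluates a packet against them; it shows, in particular, why an ICMP ping fails behind the Telnet-only rule. The rule syntax covered is only what the chapter shows, and the function names are this example's own.

```python
# Added example (not part of the Huawei document): a small matcher for the
# advanced ACL rules shown in this chapter. Only the rule syntax the chapter
# uses is parsed (protocol, source with wildcard mask, destination-port eq);
# function names are this example's own.
import ipaddress
from typing import Dict, List, Optional

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21}


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """VRP-style wildcard mask: a 1 bit in the mask means 'do not care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)


def parse_rule(line: str) -> Dict[str, object]:
    """Parse e.g. 'rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet'.
    Trailing text such as '(9 times matched)' from display acl all is ignored."""
    tokens = line.split()
    rule: Dict[str, object] = {"id": int(tokens[1]), "action": tokens[2],
                               "proto": tokens[3], "source": None, "dport": None}
    i = 4
    while i < len(tokens):
        if tokens[i] == "source" and i + 2 < len(tokens):
            rule["source"] = (tokens[i + 1], tokens[i + 2])
            i += 3
        elif tokens[i] == "destination-port" and i + 2 < len(tokens) and tokens[i + 1] == "eq":
            name = tokens[i + 2]
            rule["dport"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 3
        else:
            i += 1
    return rule


def rule_matches(rule: Dict[str, object], proto: str, src_ip: str,
                 dst_port: Optional[int] = None) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    if rule["source"] is not None and not wildcard_match(src_ip, *rule["source"]):
        return False
    if rule["dport"] is not None and dst_port != rule["dport"]:
        return False
    return True


def acl_permits(rules: List[Dict[str, object]], proto: str, src_ip: str,
                dst_port: Optional[int] = None) -> bool:
    """The first matching rule (in rule-number order) decides. A packet matching no
    rule does not enter NAT and is discarded (section 2.2.2), so the default is False."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, proto, src_ip, dst_port):
            return rule["action"] == "permit"
    return False


if __name__ == "__main__":
    telnet_only = parse_rule(
        "rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet")
    print("telnet from 192.168.1.201:", acl_permits([telnet_only], "tcp", "192.168.1.201", 23))
    print("ping from 192.168.1.201:  ", acl_permits([telnet_only], "icmp", "192.168.1.201"))
```

Run the ACL rules from display acl all through parse_rule and test the exact protocol, source and destination port of the failing flow; a False from acl_permits for an ICMP packet is the situation the paragraph above describes, where the host cannot ping even though Telnet works.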

Step 4 Check whether ALGs are enabled for specified protocols.

If the internal host needs to access specific services of the external network, such as FTP or H323, but the file transmission or the voice and video transmission fails, check whether the ALG for that protocol is enabled.

Take FTP ALG as an example. To access FTP of the external network, you need to use the nat alg enable ftp command in the system view and then try to access the external network.
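Why FTP in particular needs an ALG, as an added Python example that is not part of the Huawei document: in active-mode FTP the client announces its own address and port inside the PORT command, so a translator that rewrites only the IP header would leave the private 192.168.1.201 in the payload and the server's data connection would fail (this is also why section 2.1.2 says an encrypted FTP control connection cannot be translated). The rewrite below models what an FTP ALG does with that command; the port allocator, the starting port and the function names are this example's own assumptions.

```python
# Added example (not part of the Huawei document): a model of the FTP ALG's
# PORT-command rewrite. The allocator, its starting port and all names are
# this example's own assumptions, not VRP internals.
import re
from typing import Callable, Dict, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  (RFC 959): address bytes, then port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def decode_port(line: str) -> Optional[Tuple[str, int]]:
    """'PORT 192,168,1,201,3,0\\r\\n' -> ('192.168.1.201', 768); None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        return None
    h1, h2, h3, h4, p1, p2 = parts
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_port(ip: str, port: int) -> str:
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class PortAllocator:
    """Hands out public ports from a constructed base and remembers each mapping,
    so the gateway can admit the server's data connection to the right host."""

    def __init__(self, first_port: int = 25290):
        self.next_port = first_port
        self.mappings: Dict[Tuple[str, int], int] = {}

    def __call__(self, ip: str, port: int) -> int:
        key = (ip, port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return self.mappings[key]


def ftp_alg_rewrite(line: str, private_ip: str, public_ip: str,
                    allocate: Callable[[str, int], int]
                    ) -> Tuple[str, Optional[Tuple[str, int, int]]]:
    """Rewrite a PORT command from private_ip to the public address and a public port.

    Returns (line to forward, (private ip, private port, public port)). Lines that
    are not PORT commands, or that name another host, pass through unchanged.
    """
    decoded = decode_port(line)
    if decoded is None or decoded[0] != private_ip:
        return line, None
    private_port = decoded[1]
    public_port = allocate(private_ip, private_port)
    return encode_port(public_ip, public_port), (private_ip, private_port, public_port)


if __name__ == "__main__":
    alloc = PortAllocator()
    forwarded, mapping = ftp_alg_rewrite("PORT 192,168,1,201,3,0\r\n",
                                         "192.168.1.201", "46.1.1.20", alloc)
    print(repr(forwarded), mapping)
```

Without the ALG enabled (the disabled ftp entry in the display nat alg output above), the PORT line is forwarded untouched, the external server tries to connect to a private address, and the control connection looks healthy while every data transfer fails, which is exactly the symptom the paragraph describes.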

If the fault remains, contact Huawei technical personnel.

----End

2.3 Troubleshooting Internal NAT Server

This section covers the following topics:

Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure

2.3.1 Typical Networking

As shown in Figure 2-4, several servers in the internal network provide services to external hosts. They work as NAT internal servers.


Figure 2-4 Networking diagram of internal server (figure: internal PCs 10.110.10.1 to 10.110.10.4 and an FTP server, WWW server, WWW server2 and SMTP server (10.110.10.100, 10.110.12.100) on the enterprise internal Ethernet; the router connects over DDN to an external PC)

2.3.2 Configuration Notes

The following presents the notes for configuring the NAT server.

Item: Configuring the NAT server
  Sub-item: Configuring the protocol
  Description: TCP, UDP, and ICMP are commonly used.
  Sub-item: Configuring the global address and port
  Description: External hosts access the global address and port of the NAT server.
  Sub-item: Configuring the inside address and port
  Description: The internal IP address and port of the host that actually provides the service.
  Sub-item: Configuring the VPN instance
  Description: Bind a VPN instance to the NAT server.

The following covers part of commands in configuring the NAT server. For details, refer to the VRP Configuration Guide - Security.

Configure the NAT server.

[Router] interface Ethernet 6/0/0

[Router-Ethernet6/0/0] nat server protocol tcp global 46.1.1.66 www inside 10.100.10.2 www

This maps the internal address 10.100.10.2 and port 80 of the Web server to the external address 46.1.1.66 and port 80 of the NAT server.

The NAT server is based on TCP, so it does not process ICMP packets. When the external host pings 46.1.1.66, it gets no response packets.


2.3.3 Troubleshooting Flowchart

Figure 2-5 Flowchart of NAT server troubleshooting (flowchart: the external user fails to access the NAT server. Can the external host ping through the external interface address of the NAT server? If not, check the route between the external interface on the NAT server and the external host. Does the internal router have a route to the NAT gateway? Ensure the NAT server can work normally. Are there correct sessions on the NAT server? If not, check the NAT server. After each fix: does the fault disappear? If yes, end; otherwise seek technical support.)

2.3.4 Troubleshooting Procedure

Step 1 Check whether NAT is successful.

See Troubleshooting NAT.

Step 2 Ensure that the internal server works normally.

Try to access the internal server from other internal hosts to ensure that the internal server can provide services such as HTTP or FTP.

Step 3 Check the NAT server.


Check whether the NAT server is configured with the correct protocol, port number, and IP address. Use the display nat server command to check configurations of the NAT server.

<Quidway> display nat server

Server in private network information:

GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref

Interface:Ethernet3/1/0

46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)

Total 1 NAT servers

Pay attention to the mapped internal address and port. When a service such as FTP or TFTP transmits data packets, several ports (some of them randomly generated) are needed. Therefore, when configuring a NAT server that provides such a service, do not limit the ports, so that the internal server can work normally.

When VPN instances are configured on the internal and the external network interfaces of the router, bind the NAT server to a certain VPN instance. In this way, the internal server can work normally.

[Quidway] interface Ethernet3/1/0

[Quidway-Ethernet3/1/0] ip binding vpn-instance huawei

[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0

[Quidway-Ethernet3/1/0] nat server vpn-instance huawei protocol tcp global 46.1.1.66 any inside 192.168.1.201 any

For details of configuring a VPN instance, refer to the VRP Configuration Guide - VPN.

If the fault remains, contact Huawei technical personnel.

----End

2.4 Troubleshooting Cases

This section provides the following troubleshooting cases:

Internal Host Fails to Access the External FTP Server
External Host Fails to Access the HTTP NAT Server


2.4.1 Internal Host Fails to Access the External FTP Server

Fault Symptom

Figure 2-6 Troubleshooting cases for NAT outbound (figure: NAT router with GE1/0/1 10.2.1.1/24 toward the PC 10.2.1.6/24 and GE2/0/1 202.99.8.6 toward the Internet; FTP server 202.99.8.75 on the Internet)

As shown in Figure 2-6, the NAT outbound is configured on the router so that the internal PC can access the external network. The NAT outbound uses the EasyIP mode, with ACL 3000, which permits only the PC at 10.2.1.0/24 to access the external network.

The fault is that the PC cannot access the FTP server.

Fault Analysis

1. On the PC, ping the NAT inbound 10.2.1.1 and then, on the NAT gateway, ping the external FTP server. If the ping fails, the fault may lie in a wrong route on the PC.
2. After you modify the route, the PC can ping through the NAT inbound but still cannot access the FTP server. Check the session on the NAT gateway and find that no session is set up.
3. Check all ACLs.
4. The PC continues trying to access the FTP server. Check whether the control connection is correct and whether data can be transmitted.
5. Check and find that the NAT session is now set up.
6. Check FTP ALG and find that it is disabled.

Troubleshooting Procedure

Step 1 On the PC, specify that packets to 202.99.8.0/24 are transmitted through 10.2.1.1.

Step 2 Use the display firewall session table slot 2 command to view the NAT session.

Step 3 Use the acl 3000 command and the undo rule 5 command in the system view. And then use the rule 5 permit ip source 10.2.1.0 0.0.0.255 command to configure an ACL rule.

Step 4 Use the display firewall session table slot 2 command again to view the NAT session.

Step 5 Use the display nat alg command to view FTP ALG status.

Step 6 Use the nat alg enable ftp command to enable FTP ALG.

----End


Summary

From the preceding example, you need to:

Know that the ACL plays an important role in the transmission of packets through the NAT gateway.
Configure routes on the internal PC.
Enable FTP ALG on the NAT outbound. Otherwise, the data transmission fails.

2.4.2 External Host Fails to Access the HTTP NAT Server

Fault Symptom

Figure 2-7 NAT server troubleshooting (figure: HTTP server 10.2.1.6/24 behind the NAT router's GE1/0/1 10.2.1.1/24; GE2/0/1 202.99.8.6/24 toward the Internet; external PC 202.99.8.75/24)

As shown in Figure 2-7, configure a NAT server on the router. Map the internal address 10.2.1.6 of HTTP server to the external address 202.99.8.6 and port 80.

The fault is that the external PC cannot access the HTTP server.

Fault Analysis

1. The internal server fails to ping through the NAT inbound 10.2.1.1, but the NAT gateway can ping through the external PC. The fault may then lie in a wrong route on the internal server.
2. Check the session on the NAT gateway:

HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]

The fault may lie in the NAT server. Continue to check it and find the following configuration:

nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www

Modify it to:

nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www

After the NAT server is modified, the external network can access the HTTP server.

Troubleshooting Procedure

Step 1 On the PC, configure a route so that packets to 202.99.8.0/24 are sent via 10.2.1.1.


Step 2 Use the display firewall session table slot 2 command to view the NAT session.

Step 3 Check the current configuration of the egress GE 2/0/1.

Step 4 Use the undo nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www command to remove the wrong configuration.

Step 5 Use the nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www command.

----End

Summary

From the preceding example, you need to:

Configure routes on the internal PC.

Focus on the NAT server. Check whether the mapped internal host address is wrong based on the NAT session.

Use NAT sessions to view NAT status and locate the fault.

2.5 FAQs

Q: Why Cannot the Internal Host Ping Through the External Host?

A: Check whether:

There is a correct route to the external network on the internal host.

The ACL permits ICMP packets to pass through the NAT gateway.

Q: When an H323 Video Meeting Is Held Between the Internal and the External Networks, the Dialing Succeeds but the Internal Side Cannot View the External Video. Why?

A: The possible cause is that H323 ALG is disabled. In addition to enabling H323 ALG, you need to check all ACL rules to ensure that all H323 packets can pass through the NAT, since H323 uses several TCP- and UDP-based protocols.

Q: Why Cannot the External Network Ping Through the Configured NAT Server?

A: Check whether the ICMP packets are allowed to pass the NAT server and whether correct routes exist on the internal host.

Q: Why Cannot the NAT Server Work After Internal and External Interfaces Are Bound To Specified VPN Instances?

A: If the VPN instance is enabled, the NAT server should also be bound to a VPN instance.


2.6 Diagnostic Tools

2.6.1 display Commands

Command: Description

display nat alg: Displays NAT ALG status.

display nat outbound: Displays the NAT outbound.

display firewall session table slot slot-id: Displays the sessions on a certain interface board.

display firewall session table verbose slot slot-id: Displays the detailed sessions on a certain interface board.

display ip routing-table: Displays the routing table.

display nat address-group: Displays the NAT address pool.

display acl all: Displays all ACL rules.

display nat server: Displays the NAT server.

display nat alg

<Quidway> display nat alg

NAT application level gateway information:

h323 NAT application level gateway is disabled

dns NAT application level gateway is enabled

netbios NAT application level gateway is enabled

ils NAT application level gateway is enabled

ftp NAT application level gateway is disabled

icmp NAT application level gateway is enabled

pptp NAT application level gateway is enabled

hwcc NAT application level gateway is enabled

qq NAT application level gateway is disabled

msn NAT application level gateway is disabled

display nat outbound

<Quidway> display nat outbound

NAT outbound information:

Ethernet3/1/0: acl(3001) --- NAT address-group( 2)

Total 1 nat outbounds

display firewall session table slot

<Quidway> display firewall session table slot 3

icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768

display firewall session table verbose slot

<Quidway> display firewall session table verbose slot 3

icmp, vpn:0,


192.168.1.201:768-->46.1.1.64:768

46.1.1.14:25290-->46.1.1.64:25290

tag: 0x80000980, State: 0x0, ttl: 00:00:20 left: 00:00:19

display ip routing-table

<Quidway> display ip routing-table

Routing Tables: Public

Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost NextHop Interface

8.1.1.1/32 Direct 0 0 8.1.1.1 Serial3/0/0:0

8.1.1.10/32 Direct 0 0 127.0.0.1 InLoopBack0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0

172.1.1.0/24 Direct 0 0 172.1.1.14 Ethernet3/1/0

172.1.1.14/32 Direct 0 0 127.0.0.1 InLoopBack0

192.168.1.0/24 Direct 0 0 192.168.1.14 Ethernet4/1/0

192.168.1.14/32 Direct 0 0 127.0.0.1 InLoopBack0

display nat address-group

<Quidway> display nat address-group

NAT address-group information:

0 : from 15.1.1.1 to 15.1.1.10, reference 0 times

1 : from 133.1.1.1 to 133.1.1.20, reference 0 times

Total 2 address-groups

display acl all

<Quidway> display acl all

Total nonempty acl number is 2

Advanced ACL 3000, 3 rules

Acl's step is 5

rule 5 permit ip source 15.1.1.2 0 destination 15.1.1.1 0 (8 times matched)

rule 6 permit ip source 15.1.1.1 0 destination 15.1.1.2 0 (32 times matched)

rule 10 deny ip (25458 times matched)

Advanced ACL 3001, 1 rule

Acl's step is 5

rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)

display nat server

<Quidway> display nat server

Server in private network information:

GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref

Interface:Ethernet3/1/0

46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)

Total 1 NAT servers

<Quidway> display nat alg

ftp NAT application level gateway is disabled

Take FTP ALG as an example. The status is either enabled or disabled. For FTP data connections to pass through the NAT, the FTP ALG must be set to enabled.

<Quidway> display nat outbound

NAT outbound information:

Ethernet3/1/0: acl(3001) --- NAT address-group( 2)


Total 1 nat outbounds

The NAT outbound display contains the outbound interface, the bound ACL ID, and the address pool number.

<Quidway> display firewall session table slot 3

icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768

The session display contains:

Protocol type

VPN index

Source IP address and port

Destination IP address and port

The address and port in brackets are the values after NAT. The arrow points to the destination party of the session. In the preceding example, the session is from the internal network to the external network.
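The bracketed post-NAT value sits after the source for an outbound session and after the destination for a session towards a NAT server, which is exactly the field section 2.4.2 compares against the real server address. The following Python script is an added example, not part of this Huawei document: it parses both session layouts and the nat server configuration line and reports the mismatch from 2.4.2. The session and configuration lines are copied from this chapter; the regular expressions are my own assumption about the output format.

```python
import re

# Session lines as printed by "display firewall session table slot N" on this page.
# The address:port in brackets is the post-NAT value: after the source for an
# outbound session, after the destination for a session towards a NAT server.
_SESSION = re.compile(
    r"(?P<proto>\w+):\s*vpn:(?P<vpn>\d+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<xsrc>[\d.]+):(?P<xsport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<xdst>[\d.]+):(?P<xdport>\d+)\])?"
)
# "nat server protocol tcp global G gport inside I iport", as shown in section 2.4.2.
_SERVER = re.compile(
    r"nat server protocol (?P<proto>\w+) global (?P<gaddr>[\d.]+) (?P<gport>\S+)"
    r" inside (?P<iaddr>[\d.]+) (?P<iport>\S+)"
)

# Lines taken from this chapter (2.4.2 and 2.6).
SESSION_TO_SERVER = "HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]"
SESSION_OUTBOUND = "icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768"
WRONG_SERVER_CFG = "nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www"
RIGHT_SERVER_CFG = "nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www"

def parse_session(line):
    """Split one session line into its fields and classify its direction."""
    m = _SESSION.match(line.strip())
    if m is None:
        raise ValueError("unrecognised session line: %r" % line)
    s = m.groupdict()
    s["direction"] = "to-nat-server" if s["xdst"] else "outbound"
    return s

def diagnose_nat_server(session_line, server_line, expected_inside):
    """Compare the inside host a session was mapped to with the configured host and
    the host that should be serving. Returns a list of findings; empty means consistent."""
    sess = parse_session(session_line)
    m = _SERVER.match(server_line.strip())
    if m is None:
        raise ValueError("unrecognised nat server line: %r" % server_line)
    cfg = m.groupdict()
    if sess["direction"] != "to-nat-server":
        return ["session is outbound, not a NAT server session"]
    findings = []
    if sess["dst"] != cfg["gaddr"]:
        findings.append("session global address %s differs from configured %s" % (sess["dst"], cfg["gaddr"]))
    if sess["xdst"] != expected_inside:
        findings.append("session maps to %s but the server is %s" % (sess["xdst"], expected_inside))
    if cfg["iaddr"] != expected_inside:
        findings.append("nat server inside address %s should be %s" % (cfg["iaddr"], expected_inside))
    return findings
```

Running diagnose_nat_server(SESSION_TO_SERVER, WRONG_SERVER_CFG, "10.2.1.6") reproduces the two findings behind the fix in 2.4.2, while the corrected configuration with a fresh session mapping to 10.2.1.6 yields none.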

<Quidway> display nat address-group

NAT address-group information:

0 : from 15.1.1.1 to 15.1.1.10, reference 0 times

1 : from 133.1.1.1 to 133.1.1.20, reference 0 times

Total 2 address-groups

The address pool display contains the number and the address range of each address pool and the number of times it has been referenced.

<Quidway> display nat server

Server in private network information:

GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref

Interface:Ethernet3/1/0

46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)

Total 1 NAT servers

The NAT server display contains:

Location (interface) of the NAT server.

External IP address and port.

Internal IP address and port.

Protocol type and the name of the VPN instance.

Number of references to the entry (Ref).

2.6.2 debugging Commands

Command: Description

debugging nat alg: Debugs the NAT ALG.

debugging nat event: Debugs NAT events.

debugging nat packet: Debugs NAT packets.


The output of the debugging nat { alg | event | packet } command is as follows:

*0.181276861 NE05 SEC/8/NAT:Slot=4;

(IP forwarding) Forward : Pro : ICMP, ID : 48000,

( 210.1.1.2:43988 - 110.1.1.2:43988) ------>

( 110.1.1.12:55288 - 110.1.1.2:43988)

*0.181276950 NE05 SEC/8/NAT:Slot=4;

(IP forwarding) Reverse : Pro : ICMP, ID : 0,

( 110.1.1.2:55288 - 110.1.1.12:55288) ------>

( 110.1.1.2:55288 - 210.1.1.2:43988)

*0.181276950 NE05 SEC/8/NAT:Slot=4;

NAT new mbuf vpn index=0

*0.181276951 NE05 SEC/8/NAT:Slot=4;

(IP forwarding) Forward : Pro : ICMP, ID : 48002,

( 210.1.1.2:43988 - 110.1.1.2:43988) ------>

( 110.1.1.12:55288 - 110.1.1.2:43988)

*0.181276951 NE05 SEC/8/NAT:Slot=4;

(IP forwarding) Reverse : Pro : ICMP, ID : 1,

( 110.1.1.2:55288 - 110.1.1.12:55288) ------>

( 110.1.1.2:55288 - 210.1.1.2:43988)

The display contains:

Transmission direction of the packet. If the packet travels in the same direction as the NAT session, the direction is Forward; otherwise it is Reverse.

Protocol type of the packet.

Source address and port of the packet.

Destination address and port of the packet.

Address and port after NAT.

