| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Troubleshooting connectivity issues with NAT

How do you know if the IP in the reverse (Destination static - connection initiated by external hosts) direction is working properly? Can the translated IP (in this case, 161.142.204.205) be pinged or telnetted to?

Consider this setup:

```
                   (netra)
                qe0+---+le0
   140.140.100.100 |   | 161.142.204.203
      +------------+   +------------------------ Internet
      |            |   |
      |            +---+
      |
      |
      +---------- 140.140.100.10 (machineA)
```

I can telnet out from 140.140.100.10 to the external but I can't telnet into 161.142.204.205 from external.

Answer

The best way to debug this problem is to run a sniffer-type program such as 'snoop' on both interfaces.

- If you see no packets to the external interface then there is an external network problem. You will have to correct that yourself.
- If you see packets to the external interface but not to the internal interface then there is a problem with the routing on the firewall. Print out a copy of the current route table using netstat -rn. Examine it to see if the current route table makes sense.
- If you see packets to the external and internal interfaces then there is a problem with routing inside your internal network.

Running traceroute from the external machine also helps to determine where the packets have stopped.

-- PhoneBoy - 23 Feb 2004

Another way to troubleshoot is to use "fw monitor". This shows exactly how the packet enters and leaves the firewall and how it is translated.

-- SrikrishnaK - 03 Aug 2005

FAQs.Class: NetworkAddressTranslationFAQs, TroubleshootingFAQs
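The decision procedure from the answers above, applied to fw monitor-style output, as an added example that is not part of the original thread. The capture lines are constructed, 198.51.100.7 is a placeholder external client, the function names are hypothetical, and it assumes 161.142.204.205 is statically translated to machineA (140.140.100.10); it also adds one case the thread only implies, a packet that leaves the firewall without being translated.

```python
import re

# Constructed capture, modelled on fw monitor's one-line packet summaries
# (interface:inspection point[length]: src -> dst). 198.51.100.7 is a
# placeholder external client; the other addresses come from the thread.
SAMPLE = """\
le0:i[60]: 198.51.100.7 -> 161.142.204.205 (TCP) len=60 id=4711
le0:I[60]: 198.51.100.7 -> 161.142.204.205 (TCP) len=60 id=4711
qe0:o[60]: 198.51.100.7 -> 161.142.204.205 (TCP) len=60 id=4711
qe0:O[60]: 198.51.100.7 -> 140.140.100.10 (TCP) len=60 id=4711
"""

# i/I = before/after inbound inspection, o/O = before/after outbound inspection.
LINE = re.compile(r"^(?:\[[^\]]*\])*\s*(\w+):([iIoO])\s*\[\d+\]:\s+(\S+) -> (\S+)")


def trace(capture, nat_ip, real_ip):
    """Return (interface, inspection point, destination) for each matching line."""
    hops = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(4) in (nat_ip, real_ip):
            hops.append((m.group(1), m.group(2), m.group(4)))
    return hops


def diagnose(capture, nat_ip, real_ip):
    """Map a capture onto the cases in the answer above; returns (code, hint)."""
    hops = trace(capture, nat_ip, real_ip)
    if not hops:
        return ("EXTERNAL", "nothing for %s reached the firewall" % nat_ip)
    sent = [h for h in hops if h[1] == "O"]
    if not sent:
        return ("FIREWALL_ROUTING",
                "seen on %s but never sent out: check netstat -rn" % hops[0][0])
    iface, _, dst = sent[-1]
    if dst == nat_ip:
        return ("NOT_TRANSLATED", "left %s still addressed to %s" % (iface, dst))
    return ("INTERNAL_ROUTING",
            "left %s translated to %s: check internal routes" % (iface, dst))


if __name__ == "__main__":
    print(diagnose(SAMPLE, "161.142.204.205", "140.140.100.10"))
```

With the sample as given, the packet is translated and sent out qe0, so the remaining suspect is routing between the firewall and machineA.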