Confirming/Monitoring NAT rules

We are troubleshooting some strange TLS connection issues from multiple internal servers that are NAT'd to a DMZ address. Is there any way to show the translations in a live running log format, or even confirm them one-by-one that they are working?

For example, this is a snippet of a tcpdump, but it doesn't tell me what 172.31.x.x client is creating the connection. The .84 address is the NAT'd outside IP.

21:18:40.712657 PortA5, IN: IP 10.250.20.8.51106 > 10.36.109.84.https: Flags [.], ack 1, win 513, length 0
21:18:40.714609 PortA5, IN: IP 10.250.20.8.51106 > 10.36.109.84.https: Flags [P.], ack 1, win 513, length 151
21:18:40.797439 PortA5, OUT: IP 10.36.109.84.https > 10.250.20.8.51106: Flags [.], ack 152, win 256, length 1290
21:18:40.797448 PortA5, OUT: IP 10.36.109.84.https > 10.250.20.8.51106: Flags [.], ack 152, win 256, length 1290
21:18:40.797500 PortA5, OUT: IP 10.36.109.84.https > 10.250.20.8.51106: Flags [P.], ack 152, win 256, length 447
21:18:40.833402 PortA5, IN: IP 10.250.20.8.51106 > 10.36.109.84.https: Flags [.], ack 2581, win 513, length 0

If I monitor the tunnel that the traffic is coming from, I see the internal 172.x.x.x address, but it looks like it's going out directly, un-NAT'd. How can I confirm that the NAT is taking place when it goes out the PortA5 interface?

21:21:26.763331 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [.], ack 152, win 256, length 1290
21:21:26.763374 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [.], ack 152, win 256, length 1290
21:21:26.763385 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [P.], ack 152, win 256, length 447
21:21:26.930710 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [P.], ack 470, win 255, length 51
21:21:27.056502 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [R.], seq 3079, ack 471, win 0, length 0

In addition, the 1:1 NAT business rule is a little misleading. Do I need masquerading turned on? Will replies be sourced from 10.36.109.84 or do I need another, separate, NAT rule for anything outbound? It looks like this:

10.250.20.8 --> 10.36.109.84 (outside IF) --> 172.31.4.213 (Internal Host)

Thanks for any de-mystification.
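One way to answer "how can I confirm the NAT is taking place" from captures like the ones above, as an added example that is not from the original post or from Sophos: correlate the tcpdump output of both interfaces per client socket, and check that the outside interface only ever shows the DMZ address while the tunnel shows the internal host. It assumes both captures cover the same client connection (the two snippets in the post use different client ports, 51106 and 51148, so they cannot be matched as-is) and uses the interface names and addresses from the post; the sample capture is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format the appliance's tcpdump prints (interface and
# direction before the IP header). Lines 1-3 are quoted from the post; line 4 is
# constructed: an ipsec0 packet for the SAME client socket 10.250.20.8:51106, which
# is what capturing both interfaces at the same moment would give you.
SAMPLE = """\
21:18:40.712657 PortA5, IN: IP 10.250.20.8.51106 > 10.36.109.84.https: Flags [.], ack 1, win 513, length 0
21:18:40.797439 PortA5, OUT: IP 10.36.109.84.https > 10.250.20.8.51106: Flags [.], ack 152, win 256, length 1290
21:21:26.763331 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51148: Flags [.], ack 152, win 256, length 1290
21:18:40.797430 ipsec0, IN: IP 172.31.4.213.https > 10.250.20.8.51106: Flags [.], ack 152, win 256, length 1290
"""

LINE_RE = re.compile(
    r"^\S+ (?P<iface>\S+), (?:IN|OUT): IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+):"
)

def peers_by_client_socket(capture, client_ip):
    """Map each client socket (ip, port) to the set of (interface, peer_ip) seen with it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["src"] == client_ip:
            seen[(m["src"], m["sport"])].add((m["iface"], m["dst"]))
        elif m["dst"] == client_ip:
            seen[(m["dst"], m["dport"])].add((m["iface"], m["src"]))
    return seen

def nat_verdicts(capture, client_ip, outside_if, outside_ip, inside_if, inside_ip):
    """'translated': outside interface shows only the DMZ address and the tunnel shows the
    internal host; 'leak': internal address seen on the outside interface (NAT not applied);
    'incomplete': only one side of the firewall was captured for that socket."""
    verdicts = {}
    for sock, peers in peers_by_client_socket(capture, client_ip).items():
        outside = {ip for iface, ip in peers if iface == outside_if}
        inside = {ip for iface, ip in peers if iface == inside_if}
        if inside_ip in outside:
            verdicts[sock] = "leak"
        elif outside == {outside_ip} and inside == {inside_ip}:
            verdicts[sock] = "translated"
        else:
            verdicts[sock] = "incomplete"
    return verdicts
```

Calling nat_verdicts(SAMPLE, "10.250.20.8", "PortA5", "10.36.109.84", "ipsec0", "172.31.4.213") returns 'translated' for client port 51106 and 'incomplete' for 51148, since the post's tunnel capture is from a different connection than the PortA5 one. Feed it a simultaneous capture of both interfaces (or a "leak" verdict will show up if 172.31.4.213 ever appears on PortA5).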


