When the remote peer is behind a NAT, a connection level filter structure is also created for TCP and UDP connections, the NAT resolution filter (NRF). Unlike the NATT anchor and NATT dynamic filters, which are created when the phase 2 Security Association is created, the NRF is created when the first inbound packet is received for the connection over the phase 2 Security Association. The NRF contains a single source and destination IP address, a single source and destination port value, and a single protocol. This connection-level filter is needed to determine the phase 2 Security Association that will be used for outbound data. For a sample display of NAT resolution filters, see Displaying active filters with the ipsec command.