Displaying remote port translation with the ipsec command

As seen in NAT resolution filters, the remote data endpoint is represented by the security gateway's public IP address (9.5.5.5), not by the client's IP address (10.3.1.1 or 10.3.2.2). After two FTP connections are activated in the branch office with NAT model, the ipsec -o display command shows the port mappings in the following display:

CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:43:55 2010
Primary:  NATT Port Trans Function: Display            Format:   Detail
Source:   Stack           Scope:    Current            TotAvail: 2     

RmtIpAddress:         9.5.5.5
Protocol:             TCP(6)
TransRmtConnPort:     34732
OrigRmtConnPort:      34732
RmtInnerIpAddress:    10.3.1.1
***********************************************************************
RmtIpAddress:         9.5.5.5
Protocol:             TCP(6)
TransRmtConnPort:     65535
OrigRmtConnPort:      34732
RmtInnerIpAddress:    10.3.2.2
***********************************************************************

2 entries selected

In both entries, you can see that the remote IP address (RmtIpAddress) value is 9.5.5.5, the IP address of the branch office gateway, the protocol is TCP (6), and the original remote connection port (OrigRmtConnPort) is 34732. The first entry shows that the translated remote connection port (TransRmtConnPort) is also 34732. The remote inner IP address contains the private address of the client behind the security gateway that initiated the connection, 10.3.1.1. The second entry shows that the remote connection port was translated to a value of 65535 (TransRmtConnPort), and that the client initiating the connection is using private IP address 10.3.2.2.

Table 1 details several places where one or both of the remote port values are displayed or used for a selection.

Table 1. Original and translated port values

Function: Netstat displays of connection data, such as Netstat ALL/-A, Netstat ALLConn/-a, and Netstat COnn/-c
How remote port values are used: The Netstat command has many options to display connection information, including the remote port value. In some cases, the Netstat command takes a remote port value as a selector.
Which remote port, original or translated: Translated remote port

Function: Netstat display of the VIPA connection routing table (Netstat VCRT/-V)
How remote port values are used: This command displays the remote port value in the sport or Source field, depending on the flavor of the report generated, and allows you to select based on port.
Which remote port, original or translated: Translated remote port

Function: Packet trace
How remote port values are used: Packet trace displays packet data as it was received or sent. If the packet is authenticated but not encrypted, the port is visible in the packet trace data.
Which remote port, original or translated: Original remote port

Function: IPSecurity syslog messages:
  • EZD0814I packet permitted
  • EZD0815I packet denied by policy
  • EZD0821I packet denied, no tunnel
  • EZD0822I packet denied, tunnel inactive
  • EZD0832I packet denied by NAT traversal processing
  • EZD0833I packet denied, tunnel mismatch
  • EZD0836I packet permitted
Defensive filtering syslog messages:
  • EZD1721I packet denied by defensive filter
  • EZD1722I packet would have been denied by defensive filter
How remote port values are used: For an inbound packet, the sport field in these messages contains a remote port value. For an outbound packet, the dport field in these messages contains a remote port value. These messages also have an origport field.
Which remote port, original or translated: The sport and dport fields contain the translated remote port, and the origport field contains the original remote port.

Function: Dynamic anchor, displayed with the ipsec -f command and the ipsec -t command
How remote port values are used: The dynamic anchor that is configured in the Policy Agent configuration file can specify the remote port as a single port, a range of ports, or all ports. This specification of the remote port controls the range of ports that the original port can be translated to. Both the original port and the translated port for a connection will fit the range of ports coded.
Which remote port, original or translated: The configured remote port value is displayed. A packet's original port is used to match on this rule. Both the original port and the translated port are included in the remote port value displayed.

Function: NATT anchor, displayed with the ipsec -f command and the ipsec -t command
How remote port values are used: The NATT anchor, which is created as a result of the Security Association negotiation, contains a specific remote port or all ports.
Which remote port, original or translated: Original remote port, if a specific port is displayed

Function: NATT dynamic, displayed with the ipsec -f command and the ipsec -t command
How remote port values are used: The NATT dynamic, which is created as a result of the Security Association negotiation, contains a specific remote port or all ports.
Which remote port, original or translated: Original remote port, if a specific port is displayed

Function: NAT resolution filter (NRF), displayed with the ipsec -f command with the -h option
How remote port values are used: The NAT resolution filter is a connection-level filter, and contains both the translated remote port and the original remote port.
Which remote port, original or translated: Translated remote port and original remote port. A packet's translated port is used to match on this rule.

Function: ipsec -t command
How remote port values are used: The ipsec traffic test command allows a remote port value to be specified as a filter selection criterion.
Which remote port, original or translated: Original remote port
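As an added example (not part of the z/OS documentation or of the ipsec command itself), the following Python parses the ipsec -o display shown above and resolves the mapping that Table 1 describes in both directions: a translated port as Netstat or the syslog sport/dport field reports it back to the original port and the inner client address, and an original port as packet trace or ipsec -t uses it to every translated port that shares it. The function names parse_display, original_port and translated_ports are assumptions, and the sample input is a copy of the two entries displayed on this page.

```python
from collections import namedtuple
# Sample input: the two entries from the ipsec -o display on this page
# (header and trailer lines omitted; the parser ignores them anyway).
IPSEC_O_DISPLAY = """\
RmtIpAddress:         9.5.5.5
Protocol:             TCP(6)
TransRmtConnPort:     34732
OrigRmtConnPort:      34732
RmtInnerIpAddress:    10.3.1.1
***********************************************************************
RmtIpAddress:         9.5.5.5
Protocol:             TCP(6)
TransRmtConnPort:     65535
OrigRmtConnPort:      34732
RmtInnerIpAddress:    10.3.2.2
***********************************************************************
"""

# Fields: RmtIpAddress, Protocol, TransRmtConnPort (shown by Netstat and syslog
# sport/dport), OrigRmtConnPort (used by packet trace and ipsec -t), RmtInnerIpAddress.
PortTranslation = namedtuple("PortTranslation", "rmt_ip protocol trans_port orig_port inner_ip")

def parse_display(text):
    """Read 'Label: value' lines; a line of asterisks ends one entry."""
    entries, fields = [], {}
    for line in text.splitlines():
        if line.startswith("*"):
            if "TransRmtConnPort" in fields:      # skip header-only blocks
                entries.append(PortTranslation(
                    fields["RmtIpAddress"], fields["Protocol"],
                    int(fields["TransRmtConnPort"]), int(fields["OrigRmtConnPort"]),
                    fields["RmtInnerIpAddress"]))
            fields = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return entries

def original_port(entries, rmt_ip, trans_port, protocol="TCP(6)"):
    """Translated port (Netstat, syslog sport/dport) -> (original port, inner client)."""
    for e in entries:
        if (e.rmt_ip, e.protocol, e.trans_port) == (rmt_ip, protocol, trans_port):
            return e.orig_port, e.inner_ip
    return None                                   # no NAT resolution filter entry

def translated_ports(entries, rmt_ip, orig_port, protocol="TCP(6)"):
    """Original port (packet trace, ipsec -t) -> every translated port and client."""
    return sorted((e.trans_port, e.inner_ip) for e in entries
                  if (e.rmt_ip, e.protocol, e.orig_port) == (rmt_ip, protocol, orig_port))
```

Note that both clients present the same original port 34732 behind 9.5.5.5, so only the translated port distinguishes them in Netstat output, while a packet trace selection on port 34732 covers both connections.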