Displaying remote port translation with the ipsec command
As seen in NAT resolution filters, the remote data endpoint is represented by the security gateway's public IP address (9.5.5.5), not the client's private IP address (10.3.1.1 or 10.3.2.2). In the branch office with NAT model, after two FTP connections have been activated from clients behind the gateway, the ipsec -o display command shows the following port mappings:
CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 11:43:55 2010
Primary: NATT Port Trans Function: Display Format: Detail
Source: Stack Scope: Current TotAvail: 2
RmtIpAddress: 9.5.5.5
Protocol: TCP(6)
TransRmtConnPort: 34732
OrigRmtConnPort: 34732
RmtInnerIpAddress: 10.3.1.1
***********************************************************************
RmtIpAddress: 9.5.5.5
Protocol: TCP(6)
TransRmtConnPort: 65535
OrigRmtConnPort: 34732
RmtInnerIpAddress: 10.3.2.2
***********************************************************************
2 entries selected
In both entries, the remote IP address (RmtIpAddress) is 9.5.5.5, the IP address of the branch office security gateway, the protocol is TCP (6), and the original remote connection port (OrigRmtConnPort) is 34732. In the first entry, the translated remote connection port (TransRmtConnPort) is also 34732, and the remote inner IP address (RmtInnerIpAddress) holds the private address of the client behind the security gateway that initiated the connection, 10.3.1.1. In the second entry, the remote connection port was translated to 65535 (TransRmtConnPort), and the initiating client is using private IP address 10.3.2.2. The translation is needed because both clients chose source port 34732 and both appear behind the same public address: without it, the two connections would have the identical remote endpoint (9.5.5.5, 34732) on this host, so the stack assigns the second connection a distinct translated port. Only the inner address identifies the actual client; the translated port is local to this stack and is not the port carried in the packets on the wire.
Table 1 lists several places where one or both of the remote port values are displayed or used as a selection criterion.
Function | How remote port values are used | Which remote port, original or translated? |
---|---|---|
Netstat displays of connection data, such as Netstat ALL/-A, Netstat ALLConn/-a, and Netstat COnn/-c | The Netstat command has many options to display connection information, including the remote port value. In some cases, the Netstat command takes a remote port value as a selector. | Translated remote port |
Netstat display of the VIPA connection routing table (netstat VCRT/-V) | This command displays the remote port value in the sport or Source field, depending on the flavor of the report generated, and allows you to select based on port. | Translated remote port |
Packet trace | Packet trace displays packet data as it was received or sent. If the packet is authenticated but not encrypted, the port is visible in the packet trace data. | Original remote port |
IPSecurity syslog messages and defensive filtering syslog messages | For an inbound packet, the sport field in these messages contains a remote port value. For an outbound packet, the dport field in these messages contains a remote port value. These messages also have an origport field. | The sport and dport fields contain the translated remote port, and the origport field contains the original remote port. |
Dynamic anchor, displayed with the ipsec -f command and the ipsec -t command | The dynamic anchor configured in the Policy Agent configuration file can specify the remote port as a single port, a range of ports, or all ports. This specification controls the range of ports that the original port can be translated to: both the original port and the translated port of a connection fall within the range coded. | The configured remote port value is displayed. A packet's original port is used to match on this rule; both the original port and the translated port fall within the displayed remote port value. |
NATT anchor, displayed with the ipsec -f command and the ipsec -t command | The NATT anchor, which is created as a result of the Security Association negotiation, contains a specific remote port or all ports. | Original remote port, when a specific port is displayed |
NATT dynamic, displayed with the ipsec -f command and the ipsec -t command | The NATT dynamic, which is created as a result of the Security Association negotiation, contains a specific remote port or all ports. | Original remote port, when a specific port is displayed |
NAT resolution filter (NRF), displayed with the ipsec -f command with the -h option | The NAT resolution filter is a connection-level filter and contains both the translated remote port and the original remote port. | Both the translated remote port and the original remote port are displayed. A packet's translated port is used to match on this rule. |
ipsec -t command | The ipsec traffic test command allows a remote port value to be specified as a filter selection criterion. | Original remote port |
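The display at the top of this page and the table above are easiest to apply together with a small correlation tool. The following Python script is an added example, not code from the z/OS Communications Server documentation: it parses a constructed copy of the ipsec -o display output shown above and then resolves port values the way the table says each display reports them. A Netstat connection, identified by the translated remote port, maps back to exactly one inner client, while a port taken from a packet trace is the original port and can match more than one client behind the same NAT. The function names, the lookup tuples, and the choice of protocol number 6 for TCP are assumptions made for illustration.

```python
"""Correlate 'ipsec -o display' NAT traversal port-translation entries with
the remote port values that other z/OS displays report.

Added example, not part of the z/OS Communications Server documentation.
SAMPLE_DISPLAY is a constructed copy of the display shown on this page; the
function names and lookup tuples are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_DISPLAY = """\
CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:43:55 2010
Primary:  NATT Port Trans  Function: Display  Format: Detail
Source:   Stack  Scope: Current  TotAvail: 2

RmtIpAddress:        9.5.5.5
Protocol:            TCP(6)
TransRmtConnPort:    34732
OrigRmtConnPort:     34732
RmtInnerIpAddress:   10.3.1.1
***********************************************************************
RmtIpAddress:        9.5.5.5
Protocol:            TCP(6)
TransRmtConnPort:    65535
OrigRmtConnPort:     34732
RmtInnerIpAddress:   10.3.2.2
***********************************************************************

2 entries selected
"""


@dataclass(frozen=True)
class PortTransEntry:
    rmt_ip: str      # RmtIpAddress: the security gateway's public address
    protocol: int    # protocol number, e.g. 6 for TCP(6)
    trans_port: int  # TransRmtConnPort: what Netstat, the NRF and syslog sport/dport show
    orig_port: int   # OrigRmtConnPort: what packet trace and syslog origport show
    inner_ip: str    # RmtInnerIpAddress: the client behind the NAT

    @property
    def translated(self) -> bool:
        """True when the stack rewrote the port to keep the remote endpoint unique."""
        return self.trans_port != self.orig_port


_FIELD = re.compile(r"^(\w+):[ \t]*(\S+)[ \t]*$", re.M)   # "Name:   value" lines only
_SEPARATOR = re.compile(r"^\*{5,}[ \t]*$", re.M)          # the '****' lines between entries
_PROTO_NUM = re.compile(r"\((\d+)\)")                     # the 6 in "TCP(6)"


def parse_port_trans_display(text: str) -> list[PortTransEntry]:
    """Split the display on its separator lines and read one entry per block."""
    entries = []
    for block in _SEPARATOR.split(text):
        fields = dict(_FIELD.findall(block))
        if "RmtIpAddress" not in fields:
            continue  # header block or the "N entries selected" trailer
        proto = _PROTO_NUM.search(fields["Protocol"])
        entries.append(PortTransEntry(
            rmt_ip=fields["RmtIpAddress"],
            protocol=int(proto.group(1)) if proto else -1,
            trans_port=int(fields["TransRmtConnPort"]),
            orig_port=int(fields["OrigRmtConnPort"]),
            inner_ip=fields["RmtInnerIpAddress"],
        ))
    return entries


def resolve_netstat_connection(entries, rmt_ip, protocol, trans_port):
    """Netstat reports the translated remote port, which is unique per
    (RmtIpAddress, protocol) on this stack; return the single matching entry."""
    hits = [e for e in entries
            if (e.rmt_ip, e.protocol, e.trans_port) == (rmt_ip, protocol, trans_port)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries for {rmt_ip}/{protocol}/{trans_port}")
    return hits[0]


def resolve_trace_port(entries, rmt_ip, protocol, orig_port):
    """Packet trace shows the original port, which several clients behind the
    same NAT may share; return every candidate so the caller can disambiguate."""
    return [e for e in entries
            if (e.rmt_ip, e.protocol, e.orig_port) == (rmt_ip, protocol, orig_port)]


if __name__ == "__main__":
    entries = parse_port_trans_display(SAMPLE_DISPLAY)
    for e in entries:
        tag = "translated" if e.translated else "unchanged"
        print(f"{e.rmt_ip}:{e.trans_port} (orig {e.orig_port}) -> {e.inner_ip} [{tag}]")
    # A Netstat connection from 9.5.5.5 port 65535 is really client 10.3.2.2.
    print(resolve_netstat_connection(entries, "9.5.5.5", 6, 65535).inner_ip)
    # A packet trace showing remote port 34732 could be either client.
    print([e.inner_ip for e in resolve_trace_port(entries, "9.5.5.5", 6, 34732)])
```

When investigating a connection, start from the value the source display actually reports: take the translated port from Netstat or the NRF, or the original port (and origport) from a packet trace or syslog message, and let the lookup tell you whether the result is unique. Asking for a translated port such as 65535 in packet-trace data returns nothing, because that port exists only inside the stack.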