To troubleshoot NAT, you should first verify that each necessary step has been performed. Validate that an ARP entry exists for the translated IP (or that the translated IP is somehow being routed to the firewall). Validate that a static host route exists on the firewall to route the translated IP address to either the untranslated address or the next-hop address if the real system is more than one hop away from the firewall. Validate that the rules are set up correctly. Set any security policy rule that applies to a NATted host to track long, and ensure that address translation is happening as you expect. Wherever a verification of the configuration fails, a packet sniffer can be your friend.

Although there are plenty of external packet-sniffing devices, they can be expensive and inconvenient to use. Fortunately, some operating systems come with their own packet sniffers (snoop and tcpdump); both of these tools will be discussed briefly in this chapter. Windows NT/2000 machines come with a limited packet sniffer in Network Monitor, but you can obtain a free copy of Ethereal (from ), which works far better and reads in data files from snoop and tcpdump. Since version 4.0, FireWall-1 has also come with its own packet-sniffing utility called fw monitor. Because it works at the same level as FireWall-1 (i.e., just after the MAC layer and before the network layer), its use in troubleshooting NAT issues is limited. fw monitor relies on INSPECT code and is discussed in Chapter 14.

The remainder of this section shows you what you should see in a packet sniffer, what you shouldn't, and how to fix it.

Consider the network and configuration that were used in the earlier step-by-step example (see Figure 10.3). Let's assume that host 192.168.42.69 is attempting to connect to 192.168.0.13, the intranet Web server, which really resides at 10.0.10.80. The first part of the communication you should see is the request for MAC addresses via an ARP packet. Note that you may not necessarily see the ARP packets, especially if the originator of the packet already has the MAC address in its ARP cache. If you see SYN, SYN/ACK, and ACK packets, the connection should be established.

If you see only the first packet over and over again (e.g., the ARP "who-has"), this means that nobody owns or is providing a proxy ARP for the translated address. In some cases (especially when Windows is the firewall), you may need to add a static host route on the external router.
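The three capture patterns this section describes (ARP request repeated with no answer, a three-way handshake that completes, and a SYN that never gets its SYN/ACK) can be recognised mechanically. The script below is an added example, not from the book; it reads tcpdump-style text lines (the capture lines here are constructed for the example, the MAC address is made up, and the line format is an assumption about tcpdump's output, not a parser for snoop or Ethereal files) and maps what it finds back to the verification steps listed above.

```python
"""Classify a NAT troubleshooting capture (added example, not from the book)."""
import re

# tcpdump-style line formats assumed for this example.
ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")
TCP = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed captures: client 192.168.42.69 talking to the translated
# address 192.168.0.13 (the book's example); MAC address is invented.
CAPTURE_OK = """\
12:00:00.000001 arp who-has 192.168.0.13 tell 192.168.42.69
12:00:00.000150 arp reply 192.168.0.13 is-at 00:a0:c9:11:22:33
12:00:00.000300 IP 192.168.42.69.1025 > 192.168.0.13.80: Flags [S], seq 100
12:00:00.000600 IP 192.168.0.13.80 > 192.168.42.69.1025: Flags [S.], seq 200, ack 101
12:00:00.000800 IP 192.168.42.69.1025 > 192.168.0.13.80: Flags [.], ack 201
"""
CAPTURE_NO_ARP = """\
12:00:00.000001 arp who-has 192.168.0.13 tell 192.168.42.69
12:00:01.000001 arp who-has 192.168.0.13 tell 192.168.42.69
12:00:02.000001 arp who-has 192.168.0.13 tell 192.168.42.69
"""
CAPTURE_NO_SYNACK = """\
12:00:00.000001 arp who-has 192.168.0.13 tell 192.168.42.69
12:00:00.000150 arp reply 192.168.0.13 is-at 00:a0:c9:11:22:33
12:00:00.000300 IP 192.168.42.69.1025 > 192.168.0.13.80: Flags [S], seq 100
12:00:03.000300 IP 192.168.42.69.1025 > 192.168.0.13.80: Flags [S], seq 100
12:00:09.000300 IP 192.168.42.69.1025 > 192.168.0.13.80: Flags [S], seq 100
"""

# What each state means in terms of the section's checklist.
ADVICE = {
    "established": "SYN, SYN/ACK and ACK seen: translation and routing work.",
    "no_proxy_arp": "ARP who-has repeats with no reply: nobody owns or proxy-ARPs "
                    "the translated address. Add the ARP entry (or a static host "
                    "route on the external router).",
    "no_syn_ack": "SYN reaches the translated address but no SYN/ACK returns: check "
                  "the firewall's static host route to the real host and the rule "
                  "(set it to track long and confirm the log shows translation).",
    "no_traffic": "No ARP or TCP packets at all: the client is not sending, or the "
                  "sniffer is on the wrong segment.",
    "inconclusive": "Partial exchange; inspect the capture by hand.",
}


def parse_line(line):
    """Turn one tcpdump-style line into an event dict, or None if unrecognised."""
    m = ARP_REQ.search(line)
    if m:
        return {"kind": "arp_request", "target": m.group(1), "sender": m.group(2)}
    m = ARP_REPLY.search(line)
    if m:
        return {"kind": "arp_reply", "target": m.group(1), "mac": m.group(2)}
    m = TCP.search(line)
    if m:
        return {"kind": "tcp", "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4)), "flags": m.group(5)}
    return None


def diagnose(capture_text, client_ip, translated_ip, port):
    """Return the state of the client -> translated_ip:port attempt in the capture."""
    events = [e for e in (parse_line(l) for l in capture_text.splitlines()) if e]
    arp_requests = sum(1 for e in events
                       if e["kind"] == "arp_request" and e["target"] == translated_ip)
    arp_answered = any(e["kind"] == "arp_reply" and e["target"] == translated_ip
                       for e in events)

    def tcp(src, dst, sport, dport, flags):
        return any(e["kind"] == "tcp" and e["src"] == src and e["dst"] == dst
                   and (sport is None or e["sport"] == sport)
                   and (dport is None or e["dport"] == dport)
                   and e["flags"] == flags for e in events)

    syn = tcp(client_ip, translated_ip, None, port, "S")      # SYN out
    syn_ack = tcp(translated_ip, client_ip, port, None, "S.")  # SYN/ACK back
    ack = tcp(client_ip, translated_ip, None, port, ".")       # final ACK

    if syn and syn_ack and ack:
        return "established"
    if arp_requests and not arp_answered and not syn:
        return "no_proxy_arp"   # the "first packet over and over again" case
    if syn and not syn_ack:
        return "no_syn_ack"
    if not events:
        return "no_traffic"
    return "inconclusive"


if __name__ == "__main__":
    for name, cap in (("ok", CAPTURE_OK), ("no_arp", CAPTURE_NO_ARP),
                      ("no_synack", CAPTURE_NO_SYNACK)):
        state = diagnose(cap, "192.168.42.69", "192.168.0.13", 80)
        print(f"{name}: {state} - {ADVICE[state]}")
```

Note that a capture with no ARP packets at all but a complete handshake still classifies as established, matching the text's point that a warm ARP cache hides the ARP exchange; the ARP checks only decide the outcome when no SYN was ever sent.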