Troubleshooting guide
Chapter 2 Troubleshooting Tools VPN-1/FireWall-1 Control Commands
Advanced Technical Reference Guide 4.1 • June 2000 15
Explanation

1. VPN-1/FireWall-1 receives a back connection, type 8 code 0.
2. The request is an ICMP echo request (type 8).
3. VPN-1/FireWall-1 understands that the connection must be an outgoing connection (type 8 is echo request and not echo reply).
4. The connection matches the rule base.
5. src=C0A86E05 sport=200 dst=C25A0105 dport=2E00 ip_p=1 mthd=1 - the translation (xlation) is initiated and the connection is written. The fields are:
   src – source IP (hex)
   sport – source port
   dst – destination IP
   ip_p – IP protocol, 1 = ICMP
   mthd – method, 1 = hide (see tables section, xlate tables)
6. VPN-1/FireWall-1 is trying to allocate a port for the translation; the entry is the allocation table (see tables; in this case (ICMP) the port is a sequential number).
7. VPN-1/FireWall-1 has found a port; the entry is ip_address, method, new_port.
8. Adding the connection to the fwx_forw table (page 150).
9. Adding the connection to the fwx_backw table (page 150).
10. The actual translation: the source and the destination of the packet are changed.
11. A backward connection has arrived, type 0 code 0 (ICMP echo reply).
12. The arriving connection matches an existing connection in the fwx_backw table (page 150).
13. The connection is complete and marked for deletion.
14. The port is marked to be freed.
15. The allocated port is deallocated.
16. The connection is deleted from the fwx_backw table (page 150).
17. The arriving packet is translated according to the fwx_backw table (page 150) connection.
18. VPN-1/FireWall-1 finishes the connection; the connection is printed.
19. The connection is marked as being an ICMP echo reply (code 0).
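To make the step 5 trace line easier to read when reviewing a translation debug, here is an added Python example (not from the Check Point guide) that decodes the hex src/dst values into dotted-quad addresses, labels the ip_p and mthd fields with the meanings given above, and classifies the ICMP type as in steps 3 and 11. Reading sport/dport as hex and ip_p/mthd as decimal are assumptions, noted in the code.

```python
import ipaddress
import re

# Constructed sample: the trace line quoted in step 5 of the explanation above.
SAMPLE_LINE = "src=C0A86E05 sport=200 dst=C25A0105 dport=2E00 ip_p=1 mthd=1"

# Labels for the values this page documents (ip_p 1 = ICMP, mthd 1 = hide);
# 6 and 17 are the standard IANA numbers for TCP and UDP, added as a convenience.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
XLATE_METHODS = {1: "hide"}

REQUIRED = ("src", "sport", "dst", "dport", "ip_p", "mthd")
FIELD_RE = re.compile(r"(\w+)=([0-9A-Fa-f]+)")


def parse_xlate_line(line):
    """Decode one 'src=... mthd=...' trace line into readable fields.

    Assumptions: src/dst are hex (as the guide states); sport/dport are
    treated as hex too, since 2E00 cannot be decimal; ip_p and mthd are
    read as decimal because the guide quotes them as plain small numbers.
    """
    raw = dict(FIELD_RE.findall(line))
    missing = [f for f in REQUIRED if f not in raw]
    if missing:
        raise ValueError(f"trace line is missing fields: {missing}")
    proto = int(raw["ip_p"], 10)
    method = int(raw["mthd"], 10)
    return {
        "src": str(ipaddress.IPv4Address(int(raw["src"], 16))),
        "sport": int(raw["sport"], 16),
        "dst": str(ipaddress.IPv4Address(int(raw["dst"], 16))),
        "dport": int(raw["dport"], 16),
        "protocol": IP_PROTOCOLS.get(proto, f"proto-{proto}"),
        "method": XLATE_METHODS.get(method, f"method-{method}"),
    }


def icmp_direction(icmp_type):
    """Steps 3 and 11: an echo request (type 8) opens an outgoing connection;
    an echo reply (type 0) is the returning 'backw' packet."""
    if icmp_type == 8:
        return "outgoing (echo request)"
    if icmp_type == 0:
        return "backward (echo reply)"
    return "other"


if __name__ == "__main__":
    fields = parse_xlate_line(SAMPLE_LINE)
    print(fields)  # src 192.168.110.5 -> dst 194.90.1.5, ICMP, method hide
    print(icmp_direction(8), "/", icmp_direction(0))
```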