Troubleshooting guide

Chapter 2 Troubleshooting Network Address Translation Debugging NAT
Advanced Technical Reference Guide 4.1 June 2000 28
Debugging NAT
Note: See “Chapter 2: Troubleshooting Tools,” page 5 for more information on the fw ctl debug,
fwinfo, and the fw monitor commands.
To debug NAT problems, make use of the following debug commands. They should be issued in an
environment that produces the problem.
For example, for an FTP connection problem, issue the commands, then open an FTP connection while capturing (“snooping”) the connection; fw monitor is the best tool for this.
This set of commands produces output that will shed some light on the issue.
Not all NAT problems require this kind of debugging. Use it for especially problematic situations, such as when
NAT fails outright or for “leaky” NAT issues.
Note: the commands should be issued in the order specified here.
1. From the fw\bin directory run:
fwtab -u > <file name>
This command prints the VPN-1/FireWall-1 connection and address translation tables. This allows you to
check if the connections are in the tables.
Run this command every 30 seconds, redirecting the output to a file each time.
2. Run the following from the fw\bin directory:
fw ctl debug -buf
(Directs the information to a buffer)
fw ctl debug xlate xltrc
(This option is needed for FTP connections, in order to see the PORT command.)
fw ctl kdebug -f > <filename>
(Reads the information that was written to the buffer by the previous commands.)
These commands will debug the translation procedure in the kernel and produce an output with the debug
information.
NOTE: To stop the debugging, press CTRL+C after step 4 is completed.
3. While these commands are running, run the fw monitor command that is appropriate for your connection.
For an FTP connection, for example, run the following:
fw monitor -m iIoO -e "accept [20:2,b]=21 or [22:2,b]=21 or [20:2,b]=20 or [22:2,b]=20;" -o <filename>
4. Start the connection that will reproduce the problem.
After the problem has occurred, stop the fw monitor command. Then stop the debug command (as specified
in step 2).
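The fw monitor filter in step 3 does not name protocols or ports; each `[offset:length,b]=value` term reads raw bytes at a byte offset from the start of the IP header (big-endian), so `[20:2,b]` and `[22:2,b]` are the TCP source and destination ports only when the IP header carries no options. The following added example (not part of the guide) parses that filter syntax and evaluates it against constructed packets, so you can check what a filter will and will not capture before running it on the firewall:

```python
import re
import struct

# One "[offset:length,byte-order]=value" term of an fw monitor INSPECT filter.
TERM_RE = re.compile(r"\[(\d+):(\d+),([bl])\]=(\d+)")

# The filter from step 3 of the guide, as a single string.
FTP_FILTER = ('accept [20:2,b]=21 or [22:2,b]=21 or [20:2,b]=20 '
              'or [22:2,b]=20;')

def parse_filter(expr: str):
    """Parse the 'accept <term> or <term> ...;' subset used in the guide."""
    body = " ".join(expr.split())            # collapse line breaks and extra spaces
    if body.startswith("accept "):
        body = body[len("accept "):]
    body = body.rstrip(";").strip()
    terms = []
    for text in body.split(" or "):
        m = TERM_RE.fullmatch(text.strip())
        if m is None:
            raise ValueError("unsupported filter term: %r" % text)
        offset, length, order, value = m.groups()
        terms.append((int(offset), int(length), order, int(value)))
    return terms

def field_value(packet: bytes, offset: int, length: int, order: str):
    """Read an unsigned integer field at a byte offset from the IP header start."""
    chunk = packet[offset:offset + length]
    if len(chunk) < length:
        return None                           # packet too short: the term cannot match
    return int.from_bytes(chunk, "big" if order == "b" else "little")

def matches(expr: str, packet: bytes) -> bool:
    """True if any 'or' term of the filter holds, i.e. fw monitor would accept the packet."""
    return any(field_value(packet, off, ln, order) == value
               for off, ln, order, value in parse_filter(expr))

def build_tcp_packet(src_port: int, dst_port: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header (no options) followed by a 20-byte TCP header.
    Without IP options, byte 20 holds the TCP source port and byte 22 the destination port,
    which is exactly what [20:2,b] and [22:2,b] read. Addresses are constructed values."""
    ip_header = struct.pack(">BBHHHBBH4s4s",
                            0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                            bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp_header = struct.pack(">HHIIBBHHH",
                             src_port, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_header + tcp_header
```

A packet whose IP header carries options shifts the TCP ports past bytes 20 and 22, so such traffic silently falls outside this filter; widen the filter if that is a possibility on your network.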
More Information
For more information on Network Address Translation, see:
Version 4.0: FireWall-1 Architecture and Administration User Guide Chapter 5
Version 4.1: VPN-1/FireWall-1 Administration Guide Chapter 14
Version 4.1 SP1 (Check Point 2000): VPN-1/FireWall-1 Administration Guide Chapter 14