Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

110 ServerIron ADX Security Guide
53-1002440-03
Displaying NAT information
4
TABLE 7 Display fields for show ip nat statistics (Continued)

This field...                 Displays...
nat udp rev ip status zero    Indicates the number of times that an error in NAT translation for UDP
                              reverse traffic has occurred.
nat udp rev usr index null    Indicates the number of times that a "port unreachable" message was
                              generated because the ServerIron could not create a user session for
                              UDP reverse traffic.
sw l4 nat corruption          Indicates the number of instances of NAT session corruption.
rstp port unavailable         Indicates the number of times that a NAT port was not available for RTSP.
RTSP inside alloc same        Indicates the number of times that the used port and the proposed client
                              port were the same for RTSP.
RTSP reply port not same      Indicates the number of times that the used port and the proposed client
                              port were not the same for RTSP.
Wrong port range              Indicates the number of times that the NAT port used a port in the wrong
                              port range, for example where a NAT port used a port from the normal
                              port pool range for RTSP.
Port Pool Parameters
[x]                           "x" is the index of the IP address in the IP NAT pool. For example, [0]
                              refers to the first IP address in the IP pool (216.220.209.230) and [1]
                              refers to the second IP address in this IP pool (216.220.209.231).
h                             The value following "h:" is the head of the port pool for the IP address
                              in the IP NAT pool. The head is the location in the port pool from which
                              the next port will be allocated.
t                             The value following "t:" is the tail of the port pool for the IP address
                              in the IP NAT pool. The tail is the location in the port pool at which
                              the next port will be freed.
T                             The value following "T:" is the total number of ports in the port pool
                              for that IP address in the IP NAT pool.
f                             The value following "f:" is the number of free ports in the port pool
                              for this IP address.

Displaying NAT translation
To display the currently active NAT translations, enter the following command.

ServerIronADX(1/1)# show ip nat translation
Pro Inside global     Inside local    Outside local  Outside global
tcp 10.1.1.92:11021   5.1.1.2:32784   10.1.1.1:23    10.1.1.1:23

Syntax: show ip nat translation

NOTE
You can enter this command only when you rconsole in to a BP. The command is not supported on
the Main Processor CPU.
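Added example, not from the ServerIron guide: a small Python parser for the show ip nat translation output format shown above, run over a constructed sample (the guide's single row plus two rows added here), with two operator-side checks: that every inside-global address comes from the configured NAT pool (the pool CIDR is an assumed input), and how many concurrent translations each inside-local host holds.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the guide's "show ip nat translation" output;
# the page shows only the first data row, the other two rows are added here.
SAMPLE_OUTPUT = """\
ServerIronADX(1/1)# show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 10.1.1.92:11021 5.1.1.2:32784 10.1.1.1:23 10.1.1.1:23
tcp 10.1.1.92:11022 5.1.1.2:32785 10.1.1.1:80 10.1.1.1:80
udp 10.1.1.93:11023 5.1.1.3:40000 10.1.1.1:53 10.1.1.1:53
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def split_endpoint(token):
    """Split 'a.b.c.d:port' into (IPv4Address, port)."""
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError("unexpected endpoint format: %r" % token)
    return ipaddress.IPv4Address(m.group(1)), int(m.group(2))

def parse_translations(text):
    """One record per translation row; the prompt and column header are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp"):
            continue  # prompt, column header, or an unrelated line
        ig, il, ol, og = (split_endpoint(p) for p in parts[1:])
        rows.append({"proto": parts[0], "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows

def globals_outside_pool(rows, pool_cidr):
    """Inside-global addresses not drawn from the configured NAT pool.
    pool_cidr is an assumed operator input, not something the guide shows."""
    pool = ipaddress.IPv4Network(pool_cidr)
    return sorted({str(r["inside_global"][0]) for r in rows
                   if r["inside_global"][0] not in pool})

def translations_per_host(rows):
    """Concurrent translations per inside-local host, busiest first."""
    return Counter(str(r["inside_local"][0]) for r in rows).most_common()

if __name__ == "__main__":
    active = parse_translations(SAMPLE_OUTPUT)
    print(globals_outside_pool(active, "10.1.1.92/32"))  # ['10.1.1.93']
    print(translations_per_host(active))                  # [('5.1.1.2', 2), ('5.1.1.3', 1)]
```

A sudden rise in the per-host count, or any inside-global address outside the pool, is worth correlating with the NAT statistics counters in Table 7.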