NAT Browser Simplifies Address Translation
One of the more difficult things to understand in a firewall is network address translation (NAT). There are so many varieties: NAT, PAT, twice-NAT, bidirectional NAT, dynamic NAT. It’s difficult to keep them all straight. You never know if a particular IP is mapped or real. Does the IP in an ACL refer to an actual host or to the packet coming in from the Internet?
The recent release of Athena FirePAC v4.2 includes a new capability called the NAT Browser. This feature displays all of the address translations in your config in a tabular format that makes it easy to see which translations are being applied to traffic passing through your firewall.
You can find the NAT Browser in FirePAC by double-clicking on a firewall in your inventory. This will open the Firewall Details view on the config and display the Security Rules tab. Next to the Security Rules tab is the new NAT Browser tab.
The table depicts all of the address translations in the configuration in a standard format. The Source, Destination, and Service columns indicate the original address and service values prior to the address translation being applied. The Trns. Src. (translated source), Trns. Dst. (translated destination), and Trns. Svc. (translated service) columns indicate the address and service values after the address translation has been applied. The far-right column shows the actual CLI commands in the configuration that apply the indicated translation. At the top of the view are fields that let you search the address translations for specified IP and port values. You can search for either original or translated values. This makes it trivial to determine what translation will be applied to a given IP address, and it also shows you the specific commands that cause it.
I expect you’ll find this new feature very useful in deciphering what’s going on inside your firewall. Check it out and let me know what you think.