Troubleshooting NAT with a Packet Sniffer
To troubleshoot NAT, you should first verify that each necessary step has been performed.
- Validate that an ARP entry exists for the translated IP (or that the translated IP is somehow being routed to the firewall).
- Validate that a static host route exists on the firewall to route the translated IP address to either the untranslated address or the next hop address if the real system is more than one hop away from the firewall.
- Validate that the rules are set up correctly. Set any security policy rule that applies to a NATted host to track long, and ensure that address translation is happening as you expect.
Wherever a verification of the configuration fails, a packet sniffer can be your friend. The remainder ...