You want to troubleshoot problems with NAT mode.
For configuration verification use the following command:
get config | incl "int.* nat"
For troubleshooting use the following commands:
debug flow basic
get session
Whereas you can switch ScreenOS from route mode to transparent mode by attaching at least one interface to an L2 zone, you can switch ScreenOS from route mode to NAT mode by placing the Trust interface into NAT mode. NAT mode has relevance only to an interface in the Trust zone, although it may be configured on any interface, which can be confusing.
set interface e1 zone trust
set interface e1 nat
set interface e2 zone dmz
set interface e2 route
set interface e3 zone untrust
set interface e3 route
In other words, you need to check whether at least one interface in the Trust zone is in NAT mode:
get config | incl "int.* nat"
set interface wireless2 nat
set interface loopback.1 nat
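The check above only lists interfaces set to NAT mode; it does not show which zone each one belongs to. The following Python sketch is an added example, not part of the original text: it reads saved configuration text, pairs each interface's mode with its zone, and separates Trust-zone NAT interfaces from NAT settings on interfaces in other zones, where the mode has no relevance. The function name and the sample configuration (built from the commands shown on this page) are assumptions.

```python
import shlex

# Constructed sample: the commands shown on this page, as saved config text.
SAMPLE_CONFIG = """\
set interface e1 zone trust
set interface e1 nat
set interface e2 zone dmz
set interface e2 route
set interface e3 zone untrust
set interface e3 route
set interface wireless2 nat
set interface loopback.1 nat
"""

def audit_nat_mode(config_text):
    """Classify every interface in NAT mode by the zone it is bound to."""
    zones, modes = {}, {}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)  # also strips quotes around names
        except ValueError:
            continue  # unbalanced quotes: not a line we can interpret
        if len(tok) < 4 or tok[:2] != ["set", "interface"]:
            continue
        name = tok[2]
        if tok[3] == "zone" and len(tok) == 5:
            zones[name] = tok[4].lower()
        elif tok[3] in ("nat", "route") and len(tok) == 4:
            modes[name] = tok[3]
    report = {"trust_nat": [], "nat_outside_trust": [], "nat_zone_unknown": []}
    for name, mode in modes.items():
        if mode != "nat":
            continue
        zone = zones.get(name)
        if zone == "trust":
            report["trust_nat"].append(name)       # NAT mode is relevant here
        elif zone is None:
            report["nat_zone_unknown"].append(name)  # no zone line in the input
        else:
            report["nat_outside_trust"].append(name)  # configured, but confusing
    return report

if __name__ == "__main__":
    for bucket, names in audit_nat_mode(SAMPLE_CONFIG).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

An empty `trust_nat` list means no interface in the Trust zone is in NAT mode. Entries under `nat_zone_unknown` need their zone lines included in the input before a conclusion can be drawn.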
The following conditions exist:
NAT mode has an effect only on interfaces in the
If all zones are in the trust-vr, which is the default, NAT mode enables PAT to the egress interface IP of interfaces in the DMZ zone, regardless of whether those interfaces are in NAT or ROUTE mode. It has no effect on any flows into or out of custom zones regardless of the zone membership of the ingress or egress interfaces and their mode settings.
Trust zone is in the trust-vr, NAT mode enables PAT to all other zones in the