
Checking the Server Map

Server map entries are automatically generated by the device. By checking the server map entry, you can determine whether NAT and ASPF are correctly configured, which helps you to diagnose faults.

Prerequisites

Server map entries are generated if any of the following conditions is met.

If ASPF, NAT server mapping, or source NAT No-PAT is configured and traffic cannot be forwarded, you can check whether the server map is correctly generated. If the server map or parameters are incorrect, the ASPF or NAT function may be incorrectly configured.

Procedure

  • Display the current IPv4 server map entries on the device.

    display firewall server-map [ vsys vsys-name | all-system ] [ slot slot-id cpu cpu-id ] [ full-cone | aspf | nat-server | nat64 | no-pat | slb | pcp | ds-lite | static | dynamic ] [ ip ip-address ]

    The format of the server map entry is as follows:

    Type: TYPE: SRCADDR -> DSTADDR, Zone: ZONE-NAME,
    Protocol: PROTOCOL, Pool: POOLID, Section: SECTIONID, Left-Time: LEFT-TIME
    VPN: SRCVPN -> DSTVPN

    Table 1 describes the meaning of each parameter. Parameters in italics vary with the actual situation.

    Table 1 Parameter description of server map entries

    Parameter

    Description

    TYPE

    The following types of server map entries are available:
    • SA: entries generated after multi-channel protocol packets are identified by SA
    • ASPF: server map entries generated when ASPF is enabled to forward the traffic of multi-channel protocols
    • SA ASPF: entries generated after multi-channel protocol packets are identified by SA and forwarded by ASPF
    • STUN: forward server map entries generated when ASPF is enabled to forward STUN traffic
    • STUN Reverse: reverse server map entries generated when ASPF is used to forward STUN traffic
    • NAT Server: forward server map entries generated when NAT static mapping is enabled
    • NAT Server Reverse: reverse server map entries generated when NAT static mapping is enabled
    • No-Pat: forward server map entries generated when NAT No-PAT is enabled
    • No-Pat Reverse: reverse server map entries generated when NAT No-PAT is enabled
    • SLB: forward server map entries generated when the server load balancing function is enabled
    • SLB Reverse: reverse server map entries generated when the server load balancing function is enabled
    • FullCone Dst: forward server map entries generated when traffic matches a NAT policy after full-cone 3-tuple NAT is configured
    • FullCone Src: reverse server map entries generated when traffic matches a NAT policy after full-cone 3-tuple NAT is configured
    • NAT64 Static: static server map entries generated when static NAT64 is configured
    • Unknown: entries of an unknown type

    SRCADDR -> DSTADDR

    Source and destination IP addresses in the entry, which are displayed as any if no specific sources or destinations are involved.

    The address format is x.x.x.x:portx[y.y.y.y:porty]. portx is the source port and porty the destination port. The address in the square brackets is the post-NAT IP address. If NAT is not implemented, no content is displayed in the square brackets. If the port is not required or not translated, :port is not displayed.

    NOTE:

    For an entry of the SLB type, a destination IP address may be translated into multiple addresses. Therefore, forward entries generated when the server load balancing function is enabled do not display the post-NAT addresses, and the destination IP address is displayed in the format x.x.x.x:port[---].

    Zone: ZONE-NAME

    For server map entries generated when NAT server mapping is enabled, the zone is the security zone of the global IP address of NAT server mapping.

    For the entries generated when NAT No-PAT is enabled, the zone is the security zone of the destination IP address.

    For other types of server map entries, --- is displayed.

    Protocol: PROTOCOL(Appro: APPPRO)

    Protocol in the entry: PROTOCOL specifies the transport-layer protocol, and APPPRO specifies the application-layer protocol.

    If no protocol is specified, any is displayed.

    Pool: POOLID

    ID of the address pool used for NAT

    The ID is displayed in the entry generated when NAT No-PAT is enabled, and --- is displayed in other types of entries.

    Section: SECTIONID

    ID of the address section used for NAT

    The ID is displayed in the entry generated when NAT No-PAT is enabled, and --- is displayed in other types of entries.

    Left-Time: HH:MM:SS

    Remaining lifetime of the entry

    For entries that do not age, --- is displayed.

    VPN: SRCVPN -> DSTVPN

    Source and destination VPN instances for NAT

  • Display the IPv6 server map entries on the device.

    display firewall ipv6 server-map [ all-systems | vsys { vsys | public } ] [ nat64 | aspf ] [ dynamic | ipv6-address ipv6-address | static ] [ slot slot-id cpu cpu-id ]

Example

  • Check the IPv4 server map table. The command output shows that NAT static mapping is configured to translate port 21 of the intranet server at 10.1.1.2 to port 21 at public IP address 10.10.1.100, and the server provides FTP services only.
    <FW> display firewall server-map
     Type: Nat Server,  ANY -> 10.10.1.100:21[10.1.1.2:21],  Zone: trust ,  protocol:---                                                  
     Vpn: public -> public  
     Type: Nat Server Reverse,  10.1.1.2[10.10.1.100] -> ANY,  Zone: trust ,  protocol:---                                           
     Vpn: public -> public,  counter: 1 
  • Check the IPv6 server map. The command output shows that in active mode, the FTP client BBBB::2 opens data port 1036 to the FTP server AAAA::2, and data packets sent from the server to access the client's port 1036 match the server map and are permitted.
    <FW> display firewall ipv6 server-map
    Current total IPv6 server maps: 1                                                                                                                             
    -----------------------------------------------------------------                                                                                               
     Source Address      : AAAA::2                                                  
     Destination Address : BBBB::2                                                  
     Source Port         : 0                                                        
     Destination Port    : 1036                                                     
     Protocol            : tcp                                                      
     APP Protocol        : FTP-DATA                                                 
     APPID               : ---                                                      
     TTL                 : 00:00:15                                                 
     Left Time           : 00:00:12                                                 
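As an added example (not part of the Huawei documentation), the following Python parses the IPv4 server map entry format described in Table 1 and checks that both the forward and reverse NAT Server entries for an expected static mapping are present, which is the check the IPv4 example above performs by eye. The input is the command output shown above; the function names and the tuple layout are my own assumptions.

```python
import re
# Constructed sample: the IPv4 server map output shown on this page.
SAMPLE_OUTPUT = """\
 Type: Nat Server,  ANY -> 10.10.1.100:21[10.1.1.2:21],  Zone: trust ,  protocol:---
 Vpn: public -> public
 Type: Nat Server Reverse,  10.1.1.2[10.10.1.100] -> ANY,  Zone: trust ,  protocol:---
 Vpn: public -> public,  counter: 1
"""

# x.x.x.x:portx[y.y.y.y:porty]; both the :port and the [...] part are optional (IPv4 only).
_ADDR_RE = re.compile(r"^(?P<ip>[^:\[\s]+)(?::(?P<port>\d+))?(?:\[(?P<nat>[^\]]*)\])?$")
def parse_addr(text):
    """Return (ip, port, nat_ip, nat_port); 'any' when unspecified, None for absent parts."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised address field: {text!r}")
    port = int(m.group("port")) if m.group("port") else None
    nat_ip = nat_port = None
    nat = m.group("nat")
    if nat and nat != "---":                      # SLB forward entries show [---]
        nat_ip, _, p = nat.partition(":")
        nat_port = int(p) if p else None
    return (m.group("ip").lower(), port, nat_ip, nat_port)

def parse_server_map(output):
    """Parse each 'Type: ...' line into a dict; the following 'Vpn:' line is attached to it."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Type:"):
            fields = [f.strip() for f in line.split(",")]
            entry = {"type": fields[0].split(":", 1)[1].strip().lower()}
            src, dst = fields[1].split("->")
            entry["src"], entry["dst"] = parse_addr(src), parse_addr(dst)
            for f in fields[2:]:                  # Zone, protocol, Pool, Section, Left-Time ...
                k, _, v = f.partition(":")
                entry[k.strip().lower()] = v.strip()
            entries.append(entry)
        elif line.startswith("Vpn:") and entries:
            entries[-1]["vpn"] = line.split(",")[0].split(":", 1)[1].strip()
    return entries

def nat_server_ok(entries, global_ip, global_port, inside_ip, inside_port):
    """True only when both the forward and the reverse NAT Server entries exist."""
    want = (global_ip, global_port, inside_ip, inside_port)
    fwd = any(e["type"] == "nat server" and e["dst"] == want for e in entries)
    rev = any(e["type"] == "nat server reverse" and e["src"][0] == inside_ip
              and e["src"][2] == global_ip for e in entries)
    return fwd and rev
```

A missing reverse entry, or a forward entry whose bracketed post-NAT address differs from the intended internal server, points at a NAT server configuration error rather than a policy problem.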

Follow-up Procedure

Copyright © Huawei Technologies Co., Ltd.