NAT resolution filters

Use the -h option on the ipsec -f command to display any NRFs associated with the displayed filters. After two clients behind the security gateway connect to host 9.3.3.3 using FTP, the NRFs might look like the following display. (The display is truncated to show only the NRFs.)

FilterName:                   Rule2C
FilterNameExtension:          1
GroupName:                    n/a
LocalStartActionName:         StartZoneC
VpnActionName:                Gold-TunnelMode
TunnelID:                     Y2
Type:                         NRF
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Outbound
OnDemand:                     No
SecurityClass:                0
Logging:                      All
LogLimit:                     n/a
Protocol:                     TCP(6)
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 None
ProtocolGranularity:          Rule
SourceAddress:                9.3.3.3
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   21
SourcePortRange:              n/a
SourcePortGranularity:        Rule
DestAddress:                  9.5.5.5
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     34732
DestPortRange:                n/a
DestPortGranularity:          Rule
OrigRmtConnPort:              34732
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2010/02/16 10:19:52
UpdateTime:                   2010/02/16 10:19:52
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          1
GroupName:                    n/a
LocalStartActionName:         StartZoneC
VpnActionName:                Gold-TunnelMode
TunnelID:                     Y3
Type:                         NRF
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Outbound
OnDemand:                     No
SecurityClass:                0
Logging:                      All
LogLimit:                     n/a
Protocol:                     TCP(6)
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 None
ProtocolGranularity:          Rule
SourceAddress:                9.3.3.3
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   21
SourcePortRange:              n/a
SourcePortGranularity:        Rule
DestAddress:                  9.5.5.5
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     65535
DestPortRange:                n/a
DestPortGranularity:          Rule
OrigRmtConnPort:              34732
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2010/02/16 10:19:52
UpdateTime:                   2010/02/16 10:19:52
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          2
GroupName:                    n/a
LocalStartActionName:         StartZoneC
VpnActionName:                Gold-TunnelMode
TunnelID:                     Y2
Type:                         NRF
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      All
LogLimit:                     n/a
Protocol:                     TCP(6)
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 None
ProtocolGranularity:          Rule
SourceAddress:                9.5.5.5
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   34732
SourcePortRange:              n/a
SourcePortGranularity:        Rule
DestAddress:                  9.3.3.3
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     21
DestPortRange:                n/a
DestPortGranularity:          Rule
OrigRmtConnPort:              34732
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2010/02/16 10:19:52
UpdateTime:                   2010/02/16 10:19:52
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          2
GroupName:                    n/a
LocalStartActionName:         StartZoneC
VpnActionName:                Gold-TunnelMode
TunnelID:                     Y3
Type:                         NRF
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      All
LogLimit:                     n/a
Protocol:                     TCP(6)
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 None
ProtocolGranularity:          Rule
SourceAddress:                9.5.5.5
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   65535
SourcePortRange:              n/a
SourcePortGranularity:        Rule
DestAddress:                  9.3.3.3
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     21
DestPortRange:                n/a
DestPortGranularity:          Rule
OrigRmtConnPort:              34732
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2010/02/16 10:19:52
UpdateTime:                   2010/02/16 10:19:52
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************

There are two inbound/outbound NRF entry pairs associated with the NATT anchor filter, one pair for each client. In this example, two clients behind the security gateway each have an FTP connection with host 9.3.3.3. The first outbound NRF entry is for:

source address 9.3.3.3, source port 21
destination address 9.5.5.5, destination port 34732
protocol TCP

The DestPort field shows the remote port that this host uses for the connection; this value might be a translated value. The OrigRmtConnPort field shows the original remote connection port, before any remote port translation by Communications Server. In the first outbound NRF, DestPort and OrigRmtConnPort are both 34732, so no translation took place for this connection. For more information, see Remote port translation.

The second outbound NRF entry is for:

source address 9.3.3.3, source port 21
destination address 9.5.5.5, destination port 65535
protocol TCP

The original remote connection port (OrigRmtConnPort) is again 34732. Because the values in DestPort and OrigRmtConnPort do not match, you can tell that the port was translated by the remote port translation function of Communications Server. Both clients used source port 34732, and both appear behind the same NAT address, 9.5.5.5, so without translation the two connections would be indistinguishable on this host by source address, source port, destination address and destination port. Translating the second connection's remote port to 65535 keeps the two connections distinct. The matching inbound NRF for the same tunnel shows the same translated value in its SourcePort field. For more information, see Remote port translation.

The TunnelID field identifies the phase 2 Security Association over which the traffic is sent. In this example, the phase 2 Security Associations are identified by the labels Y2 and Y3; each client's connection has its own tunnel, and the outbound and inbound NRFs for one client share the same TunnelID.
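The checks described above (pairing the outbound and inbound NRFs by TunnelID, comparing DestPort or SourcePort with OrigRmtConnPort, and spotting why translation was needed) are easy to automate when the ipsec display output is saved to a file. The following parser is an added example and is not part of the z/OS Communications Server documentation or product; the sample input is a constructed, abbreviated copy of the NRF records shown above, keeping only the fields the parser reads, and the function names are the example's own.

```python
"""Audit remote port translation in `ipsec -f display` NRF records.

Added example, not from z/OS Communications Server. Reads the record
format shown in the display above: "Name:   value" lines, records
separated by a line of asterisks.
"""
import re

# Constructed, abbreviated sample of the four NRF records in the display above.
SAMPLE_OUTPUT = """\
FilterName:                   Rule2C
FilterNameExtension:          1
TunnelID:                     Y2
Type:                         NRF
Direction:                    Outbound
Protocol:                     TCP(6)
SourceAddress:                9.3.3.3
SourcePort:                   21
DestAddress:                  9.5.5.5
DestPort:                     34732
OrigRmtConnPort:              34732
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          1
TunnelID:                     Y3
Type:                         NRF
Direction:                    Outbound
Protocol:                     TCP(6)
SourceAddress:                9.3.3.3
SourcePort:                   21
DestAddress:                  9.5.5.5
DestPort:                     65535
OrigRmtConnPort:              34732
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          2
TunnelID:                     Y2
Type:                         NRF
Direction:                    Inbound
Protocol:                     TCP(6)
SourceAddress:                9.5.5.5
SourcePort:                   34732
DestAddress:                  9.3.3.3
DestPort:                     21
OrigRmtConnPort:              34732
***********************************************************************
FilterName:                   Rule2C
FilterNameExtension:          2
TunnelID:                     Y3
Type:                         NRF
Direction:                    Inbound
Protocol:                     TCP(6)
SourceAddress:                9.5.5.5
SourcePort:                   65535
DestAddress:                  9.3.3.3
DestPort:                     21
OrigRmtConnPort:              34732
***********************************************************************
"""

SEPARATOR = re.compile(r"^\*{20,}\s*$", re.MULTILINE)
FIELD = re.compile(r"^([A-Za-z0-9]+):\s+(.*\S)\s*$")


def parse_nrfs(text):
    """Split the display on separator lines and keep records with Type: NRF."""
    records = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Type") == "NRF":
            records.append(fields)
    return records


def remote_port(rec):
    """Remote client's port as this host uses it: DestPort on an outbound
    NRF, SourcePort on the matching inbound NRF."""
    return int(rec["DestPort"] if rec["Direction"] == "Outbound" else rec["SourcePort"])


def remote_addr(rec):
    return rec["DestAddress"] if rec["Direction"] == "Outbound" else rec["SourceAddress"]


def audit_port_translation(text):
    """One entry per TunnelID (phase 2 SA). 'translated' is True when the port
    differs from OrigRmtConnPort; 'consistent' is True when both directions are
    present and agree on the port and on OrigRmtConnPort."""
    by_tunnel = {}
    for rec in parse_nrfs(text):
        by_tunnel.setdefault(rec["TunnelID"], []).append(rec)
    result = {}
    for tunnel, recs in sorted(by_tunnel.items()):
        ports = {remote_port(r) for r in recs}
        origs = {int(r["OrigRmtConnPort"]) for r in recs}
        dirs = {r["Direction"] for r in recs}
        port, orig = sorted(ports)[0], sorted(origs)[0]
        result[tunnel] = {
            "remote": remote_addr(recs[0]),
            "port": port,
            "orig_port": orig,
            "translated": port != orig,
            "consistent": len(ports) == 1 and len(origs) == 1 and dirs == {"Inbound", "Outbound"},
        }
    return result


def port_collisions(audit):
    """Tunnels whose remote peers share the same NAT address and original
    port: the situation remote port translation exists to resolve."""
    groups = {}
    for tunnel, e in audit.items():
        groups.setdefault((e["remote"], e["orig_port"]), []).append(tunnel)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    audit = audit_port_translation(SAMPLE_OUTPUT)
    for tunnel, e in audit.items():
        print(tunnel, e)
    print("collisions:", port_collisions(audit))
```

To run it against a live system, capture the display with `ipsec -f display -h > nrf.txt` (as the text above describes) and pass the file contents to audit_port_translation. A tunnel reported as not consistent means its outbound and inbound NRFs disagree and is worth a closer look; a collision entry explains why a translated port appears for one of the tunnels it lists.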