ProCurve# show ip policy-class
Policy-class "Inside":
Entry 1 - nat source list Internet address 10.1.1.1 overload
Policy-class "Outside":
Entry 1 - allow list Region
Entry 2 - nat destination list Webserver address 192.168.2.11
Entry 3 - nat destination list FTPserver address 192.168.2.12
Figure 6-6. Displaying All the ACPs Configured on the Router
As Figure 6-6 shows, the entries of each ACP are displayed in the order in which
they are evaluated. When an ACP is not enforcing your policies in the way you
expected, check this order first: entries are applied on a first-match basis,
so a broad entry placed above a narrower one prevents the narrower one from
ever matching.
For example, if you have included an entry to NAT an entire subnet before an
entry to deny specific hosts on that subnet, the Secure Router OS firewall will
match every packet from the subnet, including packets from the hosts you meant
to deny, to the NAT entry. The firewall will NAT and forward those packets, and
the deny entry will never be reached.
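The ordering problem described above, as an added example that is not part of the original manual: a small Python model of first-match evaluation that shows the mis-ordered ACP (NAT the whole subnet, then deny two hosts) translating traffic from the hosts that should have been denied, and the corrected order denying them. It also includes a check that flags any entry whose networks are fully covered by an earlier entry and therefore can never match. The subnet, the two host addresses, and the action labels are constructed for this example; the model matches on source address only and does not reproduce the Secure Router OS ACL syntax or its destination/port matching.

```python
import ipaddress

# Constructed for this example (not from the manual): a user subnet and two
# hosts on it that the administrator intends to block.
SUBNET = ipaddress.ip_network("192.168.10.0/24")
BLOCKED_HOSTS = [
    ipaddress.ip_network("192.168.10.50/32"),
    ipaddress.ip_network("192.168.10.51/32"),
]

# An ACP is modelled as an ordered list of (action, [networks]) entries, in
# the order `show ip policy-class` would display them. The action strings are
# plain labels for this model, not Secure Router OS keywords.
WRONG_ORDER = [
    ("nat source overload", [SUBNET]),   # entry 1: NAT the whole subnet
    ("deny", BLOCKED_HOSTS),             # entry 2: never reached
]

RIGHT_ORDER = [
    ("deny", BLOCKED_HOSTS),             # entry 1: narrow deny first
    ("nat source overload", [SUBNET]),   # entry 2: NAT everything else
]


def evaluate(entries, src):
    """Return (entry_number, action) for the first entry whose list contains
    the source address, mimicking first-match evaluation.  If no entry
    matches, return (None, "no-match") so the caller can apply whatever the
    device does by default for unmatched traffic."""
    addr = ipaddress.ip_address(src)
    for number, (action, nets) in enumerate(entries, start=1):
        if any(addr in net for net in nets):
            return number, action
    return None, "no-match"


def check_shadowing(entries):
    """Return a list of (later_entry, earlier_entry) pairs where every network
    of the later entry lies inside some network of the earlier entry.  Such a
    later entry is shadowed: first-match evaluation will never select it."""
    shadowed = []
    for j, (_, later_nets) in enumerate(entries, start=1):
        for i, (_, earlier_nets) in enumerate(entries[: j - 1], start=1):
            covered = all(
                any(ln.subnet_of(en) for en in earlier_nets) for ln in later_nets
            )
            if covered:
                shadowed.append((j, i))
                break
    return shadowed


if __name__ == "__main__":
    for name, acp in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", "192.168.10.50 hits", evaluate(acp, "192.168.10.50"))
        print(name, "->", "shadowed entries:", check_shadowing(acp))
```

Running the block shows that in the mis-ordered ACP the blocked host matches entry 1 (the NAT entry) and entry 2 is reported as shadowed by entry 1; in the corrected ACP the same host matches the deny entry and nothing is shadowed. Running `check_shadowing` over the entries as they appear in `show ip policy-class` is a quick way to spot the ordering mistake before traffic does.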
Viewing Access Policy Sessions
After you enable the firewall and assign an ACP to an interface, the Secure
Router OS firewall checks all the packets entering that interface. When traffic
matches a permit statement in an ACP, the ProCurve Secure Router records
information about the session established between the packet's source and
destination. To view this information, move to the enable mode context and
enter:
ProCurve# show ip policy-sessions
The Secure Router OS lists each ACP (policy class) by name. Under a specific
policy, you can view the sessions that matched that policy as the traffic
arrived on the interface, including the following information for each session:
source IP address
source port
destination IP address
destination port
If the traffic has been manipulated using NAT, the NAT IP address and port
are also listed. (See Figure 6-7.)
Configuring Network Address Translation
Viewing ACLs and ACPs
6-19