
Amer Networks E5Web GUI User Manual


Incoming Packet Simulation with -srcif

Instead of testing the responsiveness of a remote host, the cOS Core ping command can be used
to simulate an incoming ICMP ping message and thereby test the locally configured IP
rules/policies and routes. This is done by using the srcif option. For example:

Device:/> ping 10.6.58.10 -srcif=wan -verbose

This command will construct an ICMP packet with destination IP 10.6.58.10 and cOS Core will
behave as though the packet has arrived on the specified source interface (in this case, wan).

As the packet appears to arrive on the interface specified, the administrator can observe the
behavior of the configuration and which IP rules/policies and routes are triggered. The IP address
specified could be an actual host in which case the packet will be forwarded to it through the
security gateway.

If there is no route that matches the combination of source IP and receiving interface (the -srcif
parameter), the packet will be dropped by the default access rule. For example:

Device:/> ping 10.6.58.10 -srcif=wan -verbose

Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"

DROPPED by rule "Default_Access_Rule"

For the ping not to be dropped, there must not only be a route that matches the IP address and
interface combination but also an IP rule that allows the packet on that interface. If an administrator
simulates the packet coming from the public Internet on the wan interface and going to some
host on the protected lan_net, the allowing IP rule might look similar to the following:

Action  Source Interface  Source Network  Destination Interface  Destination Network  Service
NAT     lan               lan_net         wan_net                all-nets             ping-inbound

If there is no IP rule or IP policy that permits the packet, it will also be dropped. For example:

Device:/> ping 10.6.58.10 -srcif=wan -verbose

Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"

DROPPED by rule "Default_Rule"

The -srcif option is usually used in combination with the -srcip option described next.

Specifying the Source IP

It is also possible to construct and send out an ICMP ping packet with a specific source IP address
using the -srcip option. For example:

Device:/> ping 10.6.58.10 -srcip=192.168.3.1 -verbose

Again, this is a feature that is intended for use by administrators for network testing purposes.

Note: ALGs cannot be used alongside -srcif or -srcip

A restriction with the -srcif and -srcip options is that ALGs cannot be used with the IP
rules that are triggered.
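
The following is an added example, not part of the original manual: a Python helper that reads a saved CLI transcript of simulated pings and maps each DROPPED rule name to the cause this section gives for it. The transcript is constructed from the outputs shown above, and the function and field names are hypothetical.

```python
import re

# Constructed transcript. Lines are modelled on the two outputs shown in this
# section; combining -srcif with -srcip in the second command is an assumption.
SAMPLE = """\
Device:/> ping 10.6.58.10 -srcif=wan -verbose

Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"

DROPPED by rule "Default_Access_Rule"

Device:/> ping 10.6.58.10 -srcif=wan -srcip=192.168.3.1 -verbose

Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"

DROPPED by rule "Default_Rule"
"""

CMD = re.compile(r'^\S*>\s*ping\s+(\S+)(.*)$')   # CLI prompt + ping command
OPT = re.compile(r'-(\w+)=(\S+)')                # -srcif=..., -srcip=...
PBR = re.compile(r'PBR table "([^"]+)"')
DROP = re.compile(r'^DROPPED by rule "([^"]+)"')

# Meaning of each default rule, as explained in the text of this section.
DIAGNOSIS = {
    "Default_Access_Rule": "no route matches source IP + receiving interface",
    "Default_Rule": "no IP rule or IP policy permits the packet",
}

def parse_transcript(text):
    """Return one dict per simulated ping found in a saved CLI transcript."""
    results, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := CMD.match(line)):
            cur = {"dest": m.group(1), "opts": dict(OPT.findall(m.group(2))),
                   "pbr_table": None, "dropped_by": None}
            results.append(cur)
        elif cur and (m := PBR.search(line)):
            cur["pbr_table"] = m.group(1)
        elif cur and (m := DROP.match(line)):
            cur["dropped_by"] = m.group(1)
    for r in results:
        rule = r["dropped_by"]
        r["diagnosis"] = ("no DROPPED line seen" if rule is None else
                          DIAGNOSIS.get(rule, "dropped by a named rule; review it"))
    return results

if __name__ == "__main__":
    for r in parse_transcript(SAMPLE):
        print(r["dest"], r["opts"], r["pbr_table"], r["dropped_by"], "->", r["diagnosis"])
```

Only the DROPPED output format appears in this section, so a ping with no DROPPED line is reported as such rather than assumed to have been allowed.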

Chapter 3: Fundamentals
