Summary:

  • Filters

  • Stages

  • Capture Files

Example setup: anything sent to 128.121.12.62 (public IP) is translated to 10.83.101.61 (real/private IP); testing from 108.44.231.211

Details:

1. Set up PCAPs

  • Filters

1.jpg
2.jpg

Filter 1. I want to check traffic from 108.44.231.211 to 128.121.12.62

Filter 2. Catches the return traffic, in case something happens to the returning packet (e.g. something upstream alters it so that it fails to match the NAT session)

  • Stages

3.jpg
  • drop stage captures packets the firewall discards, which is where you look when traffic is silently failing

  • receive stage captures packets as they ingress the firewall, before they enter the firewall engine. When NAT is configured, these packets are pre-NAT (the original addresses).

  • transmit stage captures packets as they egress the firewall engine. When NAT is configured, these packets are post-NAT (the translated addresses).

  • firewall stage captures packets inside the firewall engine, i.e. packets that matched an existing session, or the first packet for which a session was successfully created.

  • Capture Files

4.jpg

drop.pcap - note this was dropped due to my telnet testing on port 1234

5.jpg

receive.pcap

- This is where you see the 3-way handshake

- In this case, NAT is configured, so this is pre-NAT. Note the SYN-ACK comes from the real IP (10.83.101.61), not the public IP

4.jpg

transmit.pcap

- Responses from the destination

- In this case, NAT is configured, so this is post-NAT. Note the SYN-ACK comes from the public IP (128.121.12.62), not the private IP

4.jpg

fw.pcap - captured when the packet matched an existing session, or was the first packet of a session that was successfully created

4.jpg
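The pre-NAT versus post-NAT difference between receive.pcap and transmit.pcap above can be checked mechanically instead of by eye. The script below is an added example, not code from these notes or from any firewall vendor: it parses classic pcap files with only the Python standard library, pulls the source address of every SYN-ACK, and reports which side of NAT a stage capture shows. The two captures are constructed in memory from the addresses in the notes; the service port (443), the client ephemeral port (50123) and the file name stage_nat_check.py are assumptions, and matches_filter is a plain address comparison over the parsed packets, not the firewall's own filter logic.

```python
"""Check which side of NAT a stage capture shows (receive = pre-NAT, transmit = post-NAT).

Added example for these notes; not code from the page or from any firewall vendor.
Parses classic (non-pcapng) pcap files using only the standard library.
"""
import socket
import struct
import sys
from collections import namedtuple

CLIENT = "108.44.231.211"   # testing host, from the notes
PUBLIC = "128.121.12.62"    # public (pre-NAT) destination, from the notes
REAL = "10.83.101.61"       # translated (post-NAT) address, from the notes
SERVICE_PORT = 443          # assumed: the notes do not give the service port
CLIENT_PORT = 50123         # assumed ephemeral port for the constructed capture

SYN, ACK = 0x02, 0x10
PCAP_MAGIC = 0xA1B2C3D4
Packet = namedtuple("Packet", "src dst sport dport flags")


def tcp_frame(p):
    """Ethernet/IPv4/TCP frame for a Packet; checksums are left zero, enough for parsing."""
    tcp = struct.pack("!HHIIBBHHH", p.sport, p.dport, 0, 0, 5 << 4, p.flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(p.src), socket.inet_aton(p.dst))
    return bytes(12) + b"\x08\x00" + ip + tcp   # zero MACs, EtherType IPv4


def build_pcap(packets):
    """Classic little-endian pcap, link type 1 (Ethernet), one frame per Packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, p in enumerate(packets):
        frame = tcp_frame(p)
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Return a list of Packet for every IPv4/TCP frame in a classic pcap."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off, pkts = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        pkts.append(Packet(socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                           sport, dport, tcp[13]))   # tcp[13] holds the flag bits
    return pkts


def matches_filter(p, src=None, dst=None):
    """Plain address match over parsed packets (unset fields match anything).
    This is not the firewall's own filter logic."""
    return (src is None or p.src == src) and (dst is None or p.dst == dst)


def synack_sources(pkts):
    """Source addresses of SYN-ACKs, i.e. the server side as this stage recorded it."""
    return sorted({p.src for p in pkts if p.flags & (SYN | ACK) == SYN | ACK})


def nat_view(pkts, public_ip=PUBLIC, real_ip=REAL):
    """'pre-NAT' if the SYN-ACK comes from the real address, 'post-NAT' if from the public one."""
    srcs = set(synack_sources(pkts))
    if srcs == {real_ip}:
        return "pre-NAT"
    if srcs == {public_ip}:
        return "post-NAT"
    return "unknown"


def stage_report(name, data):
    """Counts for filter 1 (client -> public) and for return traffic to the client, plus NAT view."""
    pkts = parse_pcap(data)
    return {
        "stage": name,
        "packets": len(pkts),
        "filter1": sum(matches_filter(p, src=CLIENT, dst=PUBLIC) for p in pkts),
        "to_client": sum(matches_filter(p, dst=CLIENT) for p in pkts),
        "nat": nat_view(pkts),
    }


# Constructed captures of one handshake, as the two stages would record it.
RECEIVE_PCAP = build_pcap([          # pre-NAT: SYN-ACK still from the real IP
    Packet(CLIENT, PUBLIC, CLIENT_PORT, SERVICE_PORT, SYN),
    Packet(REAL, CLIENT, SERVICE_PORT, CLIENT_PORT, SYN | ACK),
    Packet(CLIENT, PUBLIC, CLIENT_PORT, SERVICE_PORT, ACK),
])
TRANSMIT_PCAP = build_pcap([         # post-NAT: SYN-ACK now from the public IP
    Packet(CLIENT, REAL, CLIENT_PORT, SERVICE_PORT, SYN),
    Packet(PUBLIC, CLIENT, SERVICE_PORT, CLIENT_PORT, SYN | ACK),
    Packet(CLIENT, REAL, CLIENT_PORT, SERVICE_PORT, ACK),
])

if __name__ == "__main__":
    # Usage: python3 stage_nat_check.py receive.pcap transmit.pcap  (no args: constructed data)
    captures = [(path, open(path, "rb").read()) for path in sys.argv[1:]] or \
               [("receive", RECEIVE_PCAP), ("transmit", TRANSMIT_PCAP)]
    for name, data in captures:
        print(stage_report(name, data))
```

Run it against the downloaded receive.pcap and transmit.pcap and the "nat" field should read pre-NAT and post-NAT respectively. Note also that on the transmit view none of the client's packets match filter 1, because their destination has already been rewritten to the real IP; that is the kind of gap a second filter keyed on the translated addresses is there to cover.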