Summary:
- Filters
- Stages
- Capture Files
Example using: anything to 128.121.12.62 > translated to 10.83.101.61; testing from 108.44.231.211
Details:
1. Set up PCAPs
- Filters
Filter 1. I want to check traffic from 108.44.231.211 to 128.121.12.62
Filter 2. In case something happens to the returning packet (i.e. something upstream that causes it to fail matching NAT)
- Stages
  - drop stage is where packets get discarded.
  - receive stage captures the packets as they ingress the firewall, before they go into the firewall engine. When NAT is configured, these packets will be pre-NAT.
  - transmit stage captures packets as they egress the firewall engine. If NAT is configured, these will be post-NAT.
  - firewall stage captures packets in the firewall stage.
- Capture Files (click to download)
drop.pcap - note this was dropped due to my telnet testing on port 1234
receive.pcap
- This is where you see 3-way handshake
- In this case NAT is configured, so this is pre-NAT. Note the syn-ack is actually from the real IP, not the pub IP
transmit.pcap
- Responses from the destination
- In this case NAT is configured, so this is post-NAT. Note the syn-ack is actually from the pub IP, not the private IP
fw.pcap - captured when the packet has a session match, or when it is a first packet for which a session is successfully created
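
As an added example (not part of the original write-up), this Python check encodes which source and destination each handshake packet should show in the receive and transmit captures for the NAT rule above, and reports packets that are missing or untranslated. The packet tuples are constructed samples, `check_handshake` is a hypothetical name, and extracting the tuples from the pcap files is assumed to be done separately.

```python
# Added example: addresses are from the page; packet records are constructed.
CLIENT, PUBLIC, PRIVATE = "108.44.231.211", "128.121.12.62", "10.83.101.61"

# (stage, direction) -> (src, dst) the capture should show for this NAT rule.
EXPECTED = {
    ("receive", "c2s"): (CLIENT, PUBLIC),    # pre-NAT: still addressed to the public IP
    ("transmit", "c2s"): (CLIENT, PRIVATE),  # post-NAT: destination translated
    ("receive", "s2c"): (PRIVATE, CLIENT),   # pre-NAT: reply sourced from the real IP
    ("transmit", "s2c"): (PUBLIC, CLIENT),   # post-NAT: reply sourced from the public IP
}
DIRECTION = {"S": "c2s", "SA": "s2c", "A": "c2s"}  # handshake flag -> direction


def check_handshake(packets):
    """packets: iterable of (stage, src, dst, flags) read off the capture files.

    Returns a list of findings; an empty list means every handshake packet was
    seen in both stages with the addresses the NAT rule predicts.
    """
    findings, seen = [], set()
    for stage, src, dst, flags in packets:
        direction = DIRECTION.get(flags)
        if stage not in ("receive", "transmit") or direction is None:
            continue  # drop/firewall stages and non-handshake packets are out of scope
        want = EXPECTED[(stage, direction)]
        if (src, dst) == want:
            seen.add((stage, flags))
        else:
            findings.append(
                f"{stage} {flags}: got {src}>{dst}, expected {want[0]}>{want[1]}")
    for flags in DIRECTION:
        for stage in ("receive", "transmit"):
            if (stage, flags) not in seen:
                findings.append(f"{stage} {flags}: missing")
    return findings


# Constructed sample: a healthy handshake as the page describes it.
HEALTHY = [
    ("receive", CLIENT, PUBLIC, "S"), ("transmit", CLIENT, PRIVATE, "S"),
    ("receive", PRIVATE, CLIENT, "SA"), ("transmit", PUBLIC, CLIENT, "SA"),
    ("receive", CLIENT, PUBLIC, "A"), ("transmit", CLIENT, PRIVATE, "A"),
]
# Constructed sample: the SYN-ACK reaches the firewall but never egresses.
NO_RETURN = HEALTHY[:3]
```

A SYN-ACK that shows up in receive.pcap but is reported missing from transmit is the situation Filter 2 is there to catch; drop.pcap is the next place to look.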