Recently I was asked how to take a pcap and replay it through a firewall doing NAT. This is actually quite complicated since you’ve got to keep in your head about 4 different variables as well as a complicated test bed configuration.
First go read the NAT usage example in the Tcpreplay documentation. Confused yet?
The key trick here is remembering that the “server” in this case is actually the firewall’s untrust interface, but the client remains unchanged. Unlike tools like tomahawk, tcpreplay has no problems handling inline devices which alter packets, unfortunately, if the inline device alters the packets too much (like change the source port), it won’t accept the “responses” the server side generates. The important things to remember are:
- Client side talks to the firewall’s IP/MAC
- Server side talks to the firewall’s MAC and client side IP