Ian Price asked:
PiX Firewall Question - Easy 500pnts

Can someone tell me what the two lines below actually do?

I know 443 coming from our external host 77.x.x.52 is getting routed to our internal host of 192.168.2.250 - but what does it do when it gets there, and what happens if it can't find 192.168.2.250?

access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0

Thanks

Ian.
Alexey Komarov

Hi
If it can't find 192.168.2.250 the connection will not be established.
The first line allows any host to connect to the IP on port 443.
The second line creates a static NAT from inside to the outside, where you could connect to the IP via the 192.168.2.250 address.
I have no idea but I will make a guess in case it has any value:
I see (inside,outside) 77.x.x.52 192.168.2.250
But the order seems reversed between the words and the numbers.
That is 77.x.x.52 is outside, right?
And 192.168.2.250 is inside, right?
Is that correct?  (As I said, I don't know this notation that well).
If not.......
access-list mail permit tcp any host 77.x.x.52 eq 443
Allows any ip/machine on the internet to connect to ip address 77.x.x.52 on port 443 (https).
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Links the public ip 77.x.x.52 1:1 to the private (inside) ip address 192.168.2.250, so all connections that are allowed to 77.x.x.52 by means of the access-list command will get to 192.168.2.250.
Effectively this means that https connections (port 443) from the internet to ip 77.x.x.52 will go through the firewall to the internal host with ip 192.168.2.250.
The order is correct,

In a pre-8.3 static command the syntax is

static (inside,outside) {outside ip} {inside ip} netmask {matching subnet}
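As an added worked example (not posted in the thread and not Cisco's code), the script below parses pre-8.3 `static`, `access-list` and `access-group` lines in the syntax just described and joins them, so you can see at a glance which public address/port is forwarded to which inside host, which permits point at a public address that has no static behind it (no translation, so nothing is forwarded), and which statics have no inbound permit at all. The configuration it reads is a constructed sample using the 203.0.113.0/24 documentation range in place of the asker's 77.x.x.0 addresses; `parse_config` and `exposures` are names chosen for this example.

```python
"""Audit of pre-8.3 PIX/ASA 'static' + 'access-list' exposure.

Parses the two statement types discussed in the thread, joins them and
reports which public address/port pairs are forwarded to which inside
host. SAMPLE_CONFIG is a constructed example (TEST-NET-3 addresses); it
is not the asker's real configuration.
"""
import re
from collections import defaultdict

# Constructed sample config: 203.0.113.0/24 is a documentation range
# standing in for the 77.x.x.0 block in the question.
SAMPLE_CONFIG = """
access-list mail permit tcp any host 203.0.113.52 eq 443
access-list mail permit tcp any host 203.0.113.53 eq 25
access-list mail permit tcp any host 203.0.113.60 eq 80
access-list mail deny ip any any
static (inside,outside) 203.0.113.52 192.168.2.250 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.53 192.168.2.251 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.54 192.168.2.252 netmask 255.255.255.255 0 0
access-group mail in interface outside
"""

# static (real_if,mapped_if) MAPPED REAL netmask MASK ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def _take_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host X' or 'NET MASK') at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_config(text):
    statics = {}               # mapped (outside) ip -> static fields
    acls = defaultdict(list)   # acl name -> list of entries
    groups = {}                # interface -> acl name applied inbound
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                statics[m["mapped"]] = m.groupdict()
        elif tokens[0] == "access-list":
            name, action, proto = tokens[1], tokens[2], tokens[3]
            src, i = _take_addr(tokens, 4)
            dst, i = _take_addr(tokens, i)
            port = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
            acls[name].append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}
            )
        elif tokens[0] == "access-group" and tokens[2] == "in":
            groups[tokens[4]] = tokens[1]   # access-group NAME in interface IF
    return statics, acls, groups


def exposures(text, outside_if="outside"):
    """Join inbound permits on the outside ACL with the static translations."""
    statics, acls, groups = parse_config(text)
    rows, orphans, seen = [], [], set()
    for entry in acls.get(groups.get(outside_if), []):
        if entry["action"] != "permit" or entry["dst"] == "any":
            continue
        st = statics.get(entry["dst"])
        seen.add(entry["dst"])
        rows.append({
            "public": entry["dst"],
            "proto": entry["proto"],
            "port": entry["port"],
            "from": entry["src"],
            # inside host that receives the connection, or None when the
            # permit points at a public address with no static behind it
            "inside": st["real"] if st else None,
        })
    # statics that no inbound permit references: the 1:1 translation exists
    # but the outside ACL lets nothing reach it
    for mapped, st in statics.items():
        if mapped not in seen:
            orphans.append((mapped, st["real"]))
    return rows, orphans


if __name__ == "__main__":
    rows, orphans = exposures(SAMPLE_CONFIG)
    for r in rows:
        target = f"{r['inside']}:{r['port']}" if r["inside"] else "no static, not forwarded"
        print(f"{r['from']} -> {r['public']}:{r['port']}/{r['proto']} => {target}")
    for mapped, real in orphans:
        print(f"static {mapped} -> {real} has no inbound permit")
```

Run it as-is to see the three permits resolved (two forwarded, one with no static) and the unused static for 203.0.113.54. The report only covers the inbound direction; the same static also makes outbound traffic from the inside host appear as its public address, which is worth remembering when an "old domain controller" still has a static pointing at it.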
Ok, re-read the question....

but what does it do when it get there
See my previous answer: it connects through to port 443 on host 192.168.2.250.

and what happens if it can't find 192.168.2.250
Nothing happens. If host 192.168.2.250 isn't there, there can't be a connection to 192.168.2.250.
There should be no host with IP 192.168.2.250 as the firewall uses that for mapping to the internet IP.  If you have a host with that IP then you have a problem.  What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
but what does it do when it get there and what happens if it can't find 192.168.2.250.

Either something responds on port 443 at that internal address (192.168.2.250) or something does not. The request either gets a handshake, or the packet is dropped.
@Mohammed Khawaja:

Not sure why you say this, you want a host at ip 192.168.2.250 because the firewall is forwarding https traffic to it. If there's no host then there is no need for these two lines.

Furthermore: What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
That's incorrect.
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Creates a 1:1 static nat translation between the public and private ip. So traffic destined for the public address and allowed by the ACL(s) will go to the private ip. The other way round this means that all traffic from 192.168.2.250 and destined for the internet will be NATted to 77.x.x.52 instead of the ip defined by the global and nat statements.
No, what I am saying is that the IP 192.168.2.250 is actually the firewall. It will accept connections and then route them to the Internet IP 77.x.x.52. This way you are accessing the server on the Internet with an IP on your network.
I'm afraid you got it wrong (and the wrong way around).

Have a look at: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
For some insight.

(also for those who are interested)
Ian Price (asker):
77.x.x.52 is outside - 192.168.2.250 is inside and was my old domain controller maybe it was there for remote access I suppose.
ASKER CERTIFIED SOLUTION
Ernie Beek
Answered my question
Thx 4 the points.
B.t.w. cleared out the public IPs.