Solved

PiX Firewall Question - Easy 500pnts

Posted on 2014-04-26
337 Views
Last Modified: 2014-04-29
Can someone tell me what the two lines below actually do?

I know 443 coming from our external host 77.x.x.52 is getting routed to our internal host of 192.168.2.250 - but what does it do when it gets there, and what happens if it can't find 192.168.2.250?

access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0

Thanks

Ian.
Question by:ise438
16 Comments
 
Expert Comment by: alexeykomarov
Hi
If it can't find 192.168.2.250, the connection will not be established.
 
Expert Comment by: Mohammed Khawaja
The first line allows any host to connect to the IP on port 443.
The second line creates a static NAT from inside to the outside where you could connect to the IP via the 192.168.2.250 address.
 
Expert Comment by: Fred Marshall
I have no idea, but I will make a guess in case it has any value:
I see (inside,outside) 77.x.x.52 192.168.2.250
But the order seems reversed between the words and the numbers.
That is, 77.x.x.52 is outside, right?
And 192.168.2.250 is inside, right?
Is that correct? (As I said, I don't know this notation that well.)
If not...
 
 
Expert Comment by: Ernie Beek
access-list mail permit tcp any host 77.x.x.52 eq 443
Allows any ip/machine on the internet to connect to ip address 77.x.x.52 on port 443 (https).
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Links the public ip 77.x.x.52 1:1 to the private (inside) ip address 192.168.2.250, so all connections that are allowed to 77.x.x.52 by means of the access-list command will get to 192.168.2.250.
Effectively this means that https connections (port 443) from the internet to ip 77.x.x.52 will go through the firewall to the internal host with ip 192.168.2.250.
 
Expert Comment by: Pete Long
The order is correct.

In a pre-8.3 static command the syntax is:

static (inside,outside) {outside ip} {inside ip} netmask {matching subnet}
 
Expert Comment by: Ernie Beek
Ok, re-read the question...

"but what does it do when it get there"
See my previous answer: it connects through to port 443 on host 192.168.2.250.

"and what happens if it can't find 192.168.2.250"
Nothing happens. If host 192.168.2.250 isn't there, there can't be a connection to 192.168.2.250.
 
Expert Comment by: Mohammed Khawaja
There should be no host with IP 192.168.2.250, as the firewall uses that for mapping to the internet IP. If you have a host with that IP then you have a problem. What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
 
Expert Comment by: Gareth Gudger
"but what does it do when it get there and what happens if it can't find 192.168.2.250."

Either something responds on port 443 at that internal address (192.168.2.250) or something does not. The request either gets a handshake, or the packet is dropped.
 
Expert Comment by: Ernie Beek
@Mohammed Khawaja:

Not sure why you say this; you want a host at IP 192.168.2.250 because the firewall is forwarding HTTPS traffic to it. If there's no host then there is no need for these two lines.

Furthermore: "What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address."
That's incorrect.
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Creates a 1:1 static nat translation between the public and private ip. So traffic destined for the public address and allowed by the ACL(s) will go to the private ip. The other way round this means that all traffic from 192.168.2.250 and destined for the internet will be NATted to 77.x.x.52 instead of the ip defined by the global and nat statements.
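To make the two behaviours described in this thread concrete (Pete Long's pre-8.3 static syntax, and Ernie Beek's point that the static is a 1:1 translation that applies to inbound traffic to the public IP and to outbound traffic from the private IP), here is an added Python model. It is not from the thread, from Cisco, or from any real PIX/ASA code: it parses the exact two lines quoted in the question, then walks an inbound HTTPS packet and an outbound packet through them. It assumes the ACL is applied inbound on the outside interface with an access-group (not shown in the question), ignores the trailing max-connection counters, and does not model the global/nat statements that would handle other inside hosts; the "inside host present or absent" set is constructed to show what happens when nothing answers at 192.168.2.250.

```python
"""Toy model of a pre-8.3 PIX/ASA static NAT plus an inbound ACL.

Hypothetical simplification for illustration; not Cisco's implementation.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The two lines from the question, used as constructed sample config.
CONFIG = """
access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
"""

# access-list <name> permit|deny <proto> <src> <dst> [eq <port>]
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\d+))?"
)
# static (real_if,mapped_if) <mapped ip> <real ip> netmask <mask> [max_conns [emb_limit]]
# Note the order: the OUTSIDE (mapped) address comes first, the INSIDE (real) second.
STATIC_RE = re.compile(
    r"static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"\s+netmask\s+(?P<mask>\S+)"
)


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    mapped: str   # public address, e.g. 77.x.x.52
    real: str     # private address, e.g. 192.168.2.250
    mask: str


def parse(config: str):
    """Split the config into ACL entries and static translations."""
    acls, statics = [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            d = m.groupdict()
            d["port"] = int(d["port"]) if d["port"] else None
            acls.append(AclEntry(**d))
        elif m := STATIC_RE.match(line):
            statics.append(StaticNat(**m.groupdict()))
    return acls, statics


def _host_match(field: str, ip: str) -> bool:
    return field == "any" or field == f"host {ip}"


def acl_permits(acls, proto, src_ip, dst_ip, dst_port) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acls:
        if (e.proto == proto and _host_match(e.src, src_ip)
                and _host_match(e.dst, dst_ip)
                and (e.port is None or e.port == dst_port)):
            return e.action == "permit"
    return False


def inbound(config, proto, src_ip, dst_ip, dst_port, inside_hosts):
    """A packet arriving on the outside interface.

    Returns (verdict, translated destination). The ACL is checked against the
    public address (pre-8.3 behaviour), then the static rewrites the destination.
    """
    acls, statics = parse(config)
    if not acl_permits(acls, proto, src_ip, dst_ip, dst_port):
        return ("denied_by_acl", None)
    for s in statics:
        if s.mapped == dst_ip:
            if s.real in inside_hosts:
                return ("forwarded", s.real)
            # The firewall still forwards the SYN; nothing replies, so no
            # connection is ever established (the case the thread asks about).
            return ("forwarded_no_response", s.real)
    return ("no_translation", None)  # no static: dropped at the outside interface


def outbound(config, src_ip) -> Optional[str]:
    """A packet from an inside host: the static fixes its public source address."""
    _, statics = parse(config)
    for s in statics:
        if s.real == src_ip:
            return s.mapped
    return None  # would fall through to global/nat PAT, not modelled here


if __name__ == "__main__":
    print(inbound(CONFIG, "tcp", "203.0.113.9", "77.x.x.52", 443, {"192.168.2.250"}))
    print(inbound(CONFIG, "tcp", "203.0.113.9", "77.x.x.52", 443, set()))
    print(inbound(CONFIG, "tcp", "203.0.113.9", "77.x.x.52", 22, {"192.168.2.250"}))
    print(outbound(CONFIG, "192.168.2.250"))
```

Running it shows the three outcomes the thread discusses: HTTPS to 77.x.x.52 is forwarded to 192.168.2.250, the same packet with no host at that address is forwarded but never answered, and any other port is dropped by the ACL; in the reverse direction, traffic from 192.168.2.250 leaves as 77.x.x.52. It also makes the syntax point visible: removing the static while leaving the ACL would still leave the traffic with nowhere to go, which is why the accepted answer suggests removing both entries if the host is gone.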
 
Expert Comment by: Mohammed Khawaja
No, what I am saying is that the IP 192.168.2.250 is actually the firewall. It will accept connections and then route them to the Internet IP 77.x.x.52. This way you are accessing the server on the Internet with an IP on your network.
 
Expert Comment by: Ernie Beek
I'm afraid you got it wrong (and the wrong way around).

Have a look at http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html for some insight.

(also for those who are interested)
 

Author Comment by: ise438
77.x.x.52 is outside - 192.168.2.250 is inside and was my old domain controller; maybe it was there for remote access, I suppose.
 
Accepted Solution by: Ernie Beek (earned 500 total points)
Remote access would have been, for example, TCP port 3389 (RDP). This is HTTPS.
But if there is no machine at that address anymore, or another one is there now, I advise removing these entries or making sure they are also needed for the new machine.
 

Author Closing Comment by: ise438
Answered my question.
 
Expert Comment by: Ernie Beek
Thx 4 the points.
B.t.w., cleared out the public IPs.
