Solved

PiX Firewall Question - Easy 500pnts

Posted on 2014-04-26
Last Modified: 2014-04-29
Can someone tell me what the two lines below actually do?

I know 443 coming from our external host 77.x.x.52 is getting routed to our internal host of 192.168.2.250, but what does it do when it gets there, and what happens if it can't find 192.168.2.250?

access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0

Thanks

Ian.
Question by:ise438
16 Comments
 
LVL 5

Expert Comment

by:Alexey Komarov
ID: 40024861
Hi
If it can't find 192.168.2.250, the connection will not be established.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40024881
The first line allows any host to connect to the IP on port 443.
The second line creates a static NAT from inside to the outside where you could connect to the IP via the 192.168.2.250 address.
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40024888
I have no idea but I will make a guess in case it has any value:
I see (inside,outside) 77.x.x.52 192.168.2.250
But the order seems reversed between the words and the numbers.
That is 77.x.x.52 is outside, right?
And 192.168.2.250 is inside, right?
Is that correct?  (As I said, I don't know this notation that well).
If not.......
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40024898
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40024925
access-list mail permit tcp any host 77.x.x.52 eq 443
Allows any ip/machine on the internet to connect to ip address 77.x.x.52 on port 443 (https).
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Links the public ip 77.x.x.52 1:1 to the private (inside) ip address 192.168.2.250, so all connections that are allowed to 77.x.x.52 by means of the access-list command will get to 192.168.2.250.
Effectively this means that https connections (port 443) from the internet to ip 77.x.x.52 will go through the firewall to the internal host with ip 192.168.2.250.
 
LVL 57

Expert Comment

by:Pete Long
ID: 40025029
The order is correct.

In a pre 8.3 static command the syntax is

static (inside,outside) {outside ip} {inside ip} netmask {matching subnet}
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40025103
Ok, re-read the question....

but what does it do when it get there
See my previous answer: it connects through to port 443 on host 192.168.2.250.

and what happens if it can't find 192.168.2.250
Nothing happens. If host 192.168.2.250 isn't there, there can't be a connection to 192.168.2.250.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40025110
There should be no host with IP 192.168.2.250 as the firewall uses that for mapping to the internet IP.  If you have a host with that IP then you have a problem.  What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40025274
but what does it do when it get there and what happens if it can't find 192.168.2.250.

Either something responds on port 443 at that internal address (192.168.2.250) or something does not. The request either gets a handshake or the packet is dropped.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40025814
@Mohammed Khawaja:

Not sure why you say this; you want a host at ip 192.168.2.250 because the firewall is forwarding https traffic to it. If there's no host then there is no need for these two lines.

Furthermore: What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
That's incorrect.
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Creates a 1:1 static nat translation between the public and private ip. So traffic destined for the public address and allowed by the ACL(s) will go to the private ip. The other way round this means that all traffic from 192.168.2.250 and destined for the internet will be NATted to 77.x.x.52 instead of the ip defined by the global and nat statements.
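As an added illustration (not part of the thread and not Cisco code), the following Python models how the two lines interact on a pre-8.3 PIX/ASA: the ACL on the outside interface is evaluated against the public address, the static then rewrites it to the inside address (and rewrites the inside host's source address on the way out), and nothing answers when no host sits at the inside address. 203.0.113.52 is a documentation-range stand-in for the redacted 77.x.x.52, the set of "live" inside hosts is a constructed assumption, and the netmask handling generalises the thread's single-host (255.255.255.255) case to a network static.

```python
import ipaddress

# Constructed values: 203.0.113.52 stands in for the thread's redacted 77.x.x.52.
PUBLIC_IP, INSIDE_IP = "203.0.113.52", "192.168.2.250"
LIVE_INSIDE_HOSTS = {INSIDE_IP}   # hypothetical: inside addresses that actually answer
def _remap(ip, from_net, to_net):
    """Move ip to the same offset in to_net, or None if it is not in from_net."""
    ip = ipaddress.ip_address(ip)
    if ip not in from_net:
        return None
    return str(to_net.network_address + (int(ip) - int(from_net.network_address)))

class Static:
    """Pre-8.3 'static (inside,outside) <global> <local> netmask <mask>': 1:1, both directions."""
    def __init__(self, global_ip, local_ip, netmask="255.255.255.255"):
        self.g = ipaddress.ip_network(f"{global_ip}/{netmask}", strict=False)
        self.l = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    def to_inside(self, dst):    # outside -> inside: rewrite the global destination
        return _remap(dst, self.g, self.l)
    def to_outside(self, src):   # inside -> outside: rewrite the local source
        return _remap(src, self.l, self.g)

def ace_action(ace, proto, src, dst, dport):
    """'permit'/'deny' if the ACE matches, else None.
    Grammar: 'access-list NAME permit|deny PROTO (any|host A) (any|host B) [eq N]'."""
    tok = ace.split()
    tok = tok[tok.index("permit") if "permit" in tok else tok.index("deny"):]
    action, p, rest = tok[0], tok[1], tok[2:]
    def take_addr():                       # 'any' -> wildcard, 'host X' -> X
        return None if rest.pop(0) == "any" else rest.pop(0)
    s, d = take_addr(), take_addr()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    ok = p in ("ip", proto) and s in (None, src) and d in (None, dst) and port in (None, dport)
    return action if ok else None
def inbound(acl, statics, proto, src, dst, dport):
    """Fate of a packet arriving on 'outside': ACL (against the untranslated global
    destination, implicit deny at the end) first, then the static rewrites the destination."""
    action = next((a for a in (ace_action(e, proto, src, dst, dport) for e in acl) if a), "deny")
    if action != "permit":
        return f"denied by ACL: {proto} {src} -> {dst}:{dport}"
    inside = next((i for i in (st.to_inside(dst) for st in statics) if i), None)
    if inside is None:
        return f"dropped: no translation for {dst}"
    if inside not in LIVE_INSIDE_HOSTS:
        return f"forwarded to {inside}:{dport}, but nothing answers, so no connection is established"
    return f"forwarded to {inside}:{dport}"
def outbound_source(statics, src):   # what the internet sees; a static wins over nat/global
    return next((g for g in (st.to_outside(src) for st in statics) if g), "<nat/global pool>")

ACL_MAIL = [f"access-list mail permit tcp any host {PUBLIC_IP} eq 443"]
STATICS = [Static(PUBLIC_IP, INSIDE_IP)]   # the thread's static, netmask 255.255.255.255
```

Calling `inbound(ACL_MAIL, STATICS, "tcp", "198.51.100.7", PUBLIC_IP, 443)` shows the https case reaching 192.168.2.250, while port 3389 or UDP is denied by the ACL, and `outbound_source(STATICS, INSIDE_IP)` shows the same host leaving as the public address.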
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40026090
No, what I am saying is that the IP 192.168.2.250 is actually the firewall. It will accept connections and then route them to the Internet IP 77.x.x.52. This way you are accessing the server on the Internet with an IP on your network.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40026099
I'm afraid you got it wrong (and the wrong way around).

Have a look at: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
For some insight.

(also for those who are interested)
 

Author Comment

by:ise438
ID: 40026653
77.x.x.52 is outside, 192.168.2.250 is inside and was my old domain controller; maybe it was there for remote access, I suppose.
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 2000 total points)
ID: 40026676
Remote access would have been for example tcp port 3389 (RDP). This is HTTPS.
But if there is no machine at that address anymore, or another one is there now, I advise removing these entries or making sure they are also needed for the new machine.
 

Author Closing Comment

by:ise438
ID: 40028854
Answered my question
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028937
Thx 4 the points.
B.t.w. cleared out the public IPs.
