Solved

PiX Firewall Question - Easy 500pnts

Posted on 2014-04-26
Last Modified: 2014-04-29
Can someone tell me what the two lines below actually do?

I know 443 coming from our external host 77.x.x.52 is getting routed to our internal host of 192.168.2.250 - but what does it do when it gets there, and what happens if it can't find 192.168.2.250?

access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0

Thanks

Ian.
Question by:ise438
16 Comments
 
LVL 4

Expert Comment

by:alexeykomarov
ID: 40024861
Hi
If it can't find 192.168.2.250 the connection will not be established.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40024881
First line allows any host to connect to the IP on port 443.
Second line creates a static NAT from inside to the outside where you could connect to the IP via the 192.168.2.250 address.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40024888
I have no idea but I will make a guess in case it has any value:
I see (inside,outside) 77.x.x.52 192.168.2.250
But the order seems reversed between the words and the numbers.
That is 77.x.x.52 is outside, right?
And 192.168.2.250 is inside, right?
Is that correct?  (As I said, I don't know this notation that well).
If not.......
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40024898
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40024925
access-list mail permit tcp any host 77.x.x.52 eq 443
Allows any ip/machine on the internet to connect to ip address 77.x.x.52 on port 443 (https).
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Links the public ip 77.x.x.52 1:1 to the private (inside) ip address 192.168.2.250, so all connections that are allowed to 77.x.x.52 by means of the access-list command will get to 192.168.2.250.
Effectively this means that https connections (port 443) from the internet to ip 77.x.x.52 will go through the firewall to the internal host with ip 192.168.2.250.
 
LVL 57

Expert Comment

by:Pete Long
ID: 40025029
The order is correct.

In a pre-8.3 static command the syntax is

static (inside,outside) {outside ip} {inside ip} netmask {matching subnet}
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40025103
Ok, re-read the question....

but what does it do when it gets there
See my previous answer: it connects through to port 443 on host 192.168.2.250.

and what happens if it can't find 192.168.2.250
Nothing happens. If host 192.168.2.250 isn't there, there can't be a connection to 192.168.2.250.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40025110
There should be no host with IP 192.168.2.250 as the firewall uses that for mapping to the internet IP.  If you have a host with that IP then you have a problem.  What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40025274
but what does it do when it gets there and what happens if it can't find 192.168.2.250.

Either something responds on port 443 at that internal address (192.168.2.250) or something does not. Request either gets a handshake, or, packet is dropped.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40025814
@Mohammed Khawaja:

Not sure why you say this, you want a host at ip 192.168.2.250 because the firewall is forwarding https traffic to it. If there's no host then there is no need for these two lines.

Furthermore: What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
That's incorrect.
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Creates a 1:1 static nat translation between the public and private ip. So traffic destined for the public address and allowed by the ACL(s) will go to the private ip. The other way round this means that all traffic from 192.168.2.250 and destined for the internet will be NATted to 77.x.x.52 instead of the ip defined by the global and nat statements.
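The behaviour described in this thread (Ernie Beek's reading of the two lines as "port 443 allowed in, 1:1 static both ways" and Pete Long's pre-8.3 static syntax), worked through as a small simulator. This is added example code, not from the thread or from Cisco. It assumes that the "mail" access-list is applied inbound on the outside interface (an access-group line the thread does not show), uses 203.0.113.52 from the RFC 5737 documentation range as a constructed stand-in for the anonymised 77.x.x.52, and generalises the netmask handling so that a static covering a whole subnet translates each host to the same offset, which goes beyond the single-host case in the question.

```python
import ipaddress
import re

# Constructed sample config (example, not the thread's exact lines): the
# thread's anonymised public address 77.x.x.52 is replaced by 203.0.113.52
# so that it parses; the private side is as posted. Assumed: "mail" is applied
# inbound on the outside interface (access-group mail in interface outside).
CONFIG = """
access-list mail permit tcp any host 203.0.113.52 eq 443
static (inside,outside) 203.0.113.52 192.168.2.250 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) host (?P<dst>\S+) eq (?P<port>\d+)$")
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<mapped>\S+) (?P<real>\S+) "
    r"netmask (?P<netmask>\S+)")


def parse_config(text):
    """Parse the subset of pre-8.3 PIX/ASA syntax used in the thread."""
    acls, statics = [], []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            acls.append(entry)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        raise ValueError(f"unsupported line: {line}")
    return acls, statics


def _translate(ip, from_base, to_base, netmask):
    """Map ip inside the from_base/netmask block to the same host offset in
    to_base. Returns None when the static does not cover ip."""
    ip_i = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(netmask))
    if ip_i & mask != int(ipaddress.IPv4Address(from_base)) & mask:
        return None
    host_bits = ip_i & (~mask & 0xFFFFFFFF)
    base = int(ipaddress.IPv4Address(to_base)) & mask
    return str(ipaddress.IPv4Address(base | host_bits))


def acl_permits(acls, name, proto, src, dst, dport):
    """First matching entry wins; every access-list ends in an implicit deny."""
    for e in acls:
        if e["name"] != name or e["proto"] not in (proto, "ip"):
            continue
        if e["src"] != "any" and e["src"] != f"host {src}":
            continue
        if e["dst"] != dst or e["port"] != dport:
            continue
        return e["action"] == "permit"
    return False


def inbound(acls, statics, src, dst, dport, live_hosts, proto="tcp"):
    """A packet arriving on outside for the mapped (public) address.
    Pre-8.3: the outside ACL is written against the mapped address, as in
    the thread's access-list line."""
    real = None
    for s in statics:
        real = _translate(dst, s["mapped"], s["real"], s["netmask"])
        if real:
            break
    if real is None:
        return "dropped: no translation for destination"
    if not acl_permits(acls, "mail", proto, src, dst, dport):
        return "dropped: denied by access-list"
    if real not in live_hosts:  # nothing answers the SYN: no handshake, no session
        return f"no connection: {real} does not answer"
    return f"forwarded to {real}:{dport}"


def outbound_source(statics, src):
    """The same static applies in reverse: traffic from the real host leaves
    with the mapped address, ahead of any nat/global pair (not modelled)."""
    for s in statics:
        mapped = _translate(src, s["real"], s["mapped"], s["netmask"])
        if mapped:
            return mapped
    return None


if __name__ == "__main__":
    acls, statics = parse_config(CONFIG)
    live = {"192.168.2.250"}
    print(inbound(acls, statics, "198.51.100.7", "203.0.113.52", 443, live))
    print(inbound(acls, statics, "198.51.100.7", "203.0.113.52", 22, live))
    print(inbound(acls, statics, "198.51.100.7", "203.0.113.52", 443, set()))
    print(outbound_source(statics, "192.168.2.250"))
```

The three inbound calls show the three outcomes discussed above: port 443 to the public address reaches 192.168.2.250, any other port is stopped by the access-list's implicit deny before the inside host is ever involved, and if nothing is listening at 192.168.2.250 the translation still happens but no session is ever built. The last call shows the reverse direction of the same static.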
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40026090
No, what I am saying is that the IP 192.168.2.250 is actually the firewall. It will accept connections and then route them to the Internet IP 77.x.x.52. This way you are accessing the server on the Internet with an IP on your network.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40026099
I'm afraid you got it wrong (and the wrong way around).

Have a look at: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
For some insight.

(also for those who are interested)
 

Author Comment

by:ise438
ID: 40026653
77.x.x.52 is outside - 192.168.2.250 is inside and was my old domain controller; maybe it was there for remote access, I suppose.
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 40026676
Remote access would have been, for example, tcp port 3389 (RDP). This is HTTPS.
But if there is no machine at that address anymore, or another one, I advise removing these entries or making sure they're also needed for the new machine.
 

Author Closing Comment

by:ise438
ID: 40028854
Answered my question
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028937
Thx 4 the points.
B.t.w. cleared out the public IP's