PiX Firewall Question - Easy 500pnts

Can someone tell me what the two lines below actually do?

I know 443 coming from our external host 77.x.x.52 is getting routed to our internal host of 192.168.2.250 - but what does it do when it gets there, and what happens if it can't find 192.168.2.250?

access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0

Thanks

Ian.
Ian Price, IT Manager, asked:
 
Ernie Beek, Expert, commented:
Remote access would have been for example tcp port 3389 (RDP). This is HTTPS.
But if there is no machine at that address anymore or another one I advise to remove these entries or make sure it's also needed for the new machine.
0
 
Alexey Komarov, Chief Project Engineer, commented:
Hi
If it can't find 192.168.2.250, the connection will not be established.
0
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
The first line allows any host to connect to the IP on port 443.
The second line creates a static NAT from inside to outside where you could connect to the IP via the 192.168.2.250 address.
0
 
Fred Marshall, Principal, commented:
I have no idea but I will make a guess in case it has any value:
I see (inside,outside) 77.x.x.52 192.168.2.250
But the order seems reversed between the words and the numbers.
That is 77.x.x.52 is outside, right?
And 192.168.2.250 is inside, right?
Is that correct?  (As I said, I don't know this notation that well).
If not.......
0
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
0
 
Ernie Beek, Expert, commented:
access-list mail permit tcp any host 77.x.x.52 eq 443
Allows any ip/machine on the internet to connect to ip address 77.x.x.52 on port 443 (https).
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Links the public ip 77.x.x.52 1:1 to the private (inside) ip address 192.168.2.250, so all connections that are allowed to 77.x.x.52 by means of the access-list command will get to 192.168.2.250.
Effectively this means that https connections (port 443) from the internet to ip 77.x.x.52 will go through the firewall to the internal host with ip 192.168.2.250.
0
 
Pete Long, Technical Consultant, commented:
The order is correct,

In a pre-8.3 static command the syntax is

static (inside,outside) {outside ip} {inside ip} netmask {matching subnet}
0
 
Ernie Beek, Expert, commented:
Ok, re-read the question....

but what does it do when it get there
See my previous answer: it connects through to port 443 on host 192.168.2.250.

and what happens if it can't find 192.168.2.250
Nothing happens. If host 192.168.2.250 isn't there, there can't be a connection to 192.168.2.250.
0
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
There should be no host with IP 192.168.2.250 as the firewall uses that for mapping to the internet IP.  If you have a host with that IP then you have a problem.  What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
0
 
Gareth Gudger commented:
but what does it do when it get there and what happens if it can't find 192.168.2.250.

Either something responds on port 443 at that internal address (192.168.2.250) or something does not. Request either gets a handshake, or, packet is dropped.
0
 
Ernie Beek, Expert, commented:
@Mohammed Khawaja:

Not sure why you say this, you want a host at ip 192.168.2.250 because the firewall is forwarding https traffic to it. If there's no host then there is no need for these two lines.

Furthermore: What the rule means is that if anyone goes to 192.168.2.250 then the firewall will send it to the internet IP address.
That's incorrect,
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
Creates a 1:1 static nat translation between the public and private ip. So traffic destined for the public address and allowed by the ACL(s) will go to the private ip. The other way round this means that all traffic from 192.168.2.250 and destined for the internet will be NATted to 77.x.x.52 instead of the ip defined by the global and nat statements.
0
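To make Ernie's two answers (the line-by-line explanation above and the 1:1 NAT reply just before this note) concrete, here is a small model of how a pre-8.3 PIX processes the two posted lines. This is an added example, not code from the thread or from Cisco: it parses the exact config lines from the question, then walks constructed inbound and outbound flows through the access-list and the static entry, including the case where no host answers at 192.168.2.250. It assumes the access-list is bound to the outside interface with an access-group command, which the question does not show, and the inside host table and source addresses are constructed sample data.

```python
"""Model of an inbound access-list plus a static (inside,outside) 1:1 NAT on a
pre-8.3 PIX. Added example: the config lines are the two from the question;
hosts and flows below are constructed for illustration."""
import re
from dataclasses import dataclass

# The two lines exactly as posted in the question.
CONFIG = """
access-list mail permit tcp any host 77.x.x.52 eq 443
static (inside,outside) 77.x.x.52 192.168.2.250 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(
    r"access-list (\S+) (permit|deny) (\S+) (any|host \S+) host (\S+) eq (\d+)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


@dataclass
class Acl:
    name: str
    action: str
    proto: str
    src: str        # "any" or a single source host
    dst: str        # destination as seen on the outside (the public/mapped IP)
    dport: int


@dataclass
class Static:
    real_if: str    # interface where the real host lives ("inside")
    mapped_if: str  # interface where the mapped address is visible ("outside")
    mapped_ip: str  # public address, listed first in pre-8.3 syntax
    real_ip: str    # private address, listed second


def parse(config):
    """Return (acls, statics) from the posted config lines."""
    acls, statics = [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            src = "any" if src == "any" else src.split()[1]
            acls.append(Acl(name, action, proto, src, dst, int(port)))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, _mask = m.groups()
            statics.append(Static(real_if, mapped_if, mapped, real))
    return acls, statics


def inbound(acls, statics, inside_hosts, src_ip, dst_ip, dport, proto="tcp"):
    """Packet arriving on the outside interface for dst_ip. inside_hosts maps
    a live inside IP to the set of TCP ports it listens on (constructed)."""
    # 1. Pre-8.3: the interface ACL is matched against the mapped (public) IP.
    permitted = any(
        a.action == "permit" and a.proto == proto
        and a.src in ("any", src_ip) and a.dst == dst_ip and a.dport == dport
        for a in acls)
    if not permitted:
        return "denied by access-list"
    # 2. The static entry un-translates the public address to the inside host.
    st = next((s for s in statics if s.mapped_ip == dst_ip), None)
    if st is None:
        return "no translation: dropped"
    # 3. Forward to the real host. With nobody there, the SYN simply goes
    #    unanswered ("nothing happens" in Ernie's words).
    if st.real_ip not in inside_hosts:
        return (f"forwarded to {st.real_ip} but no host answers: "
                "connection not established")
    if dport not in inside_hosts[st.real_ip]:
        return f"forwarded to {st.real_ip}, port {dport} closed: RST"
    return f"forwarded to {st.real_ip}:{dport}, handshake proceeds"


def outbound(statics, src_ip):
    """Source address the internet sees for traffic leaving src_ip: the static
    wins over whatever the nat/global statements would have assigned."""
    st = next((s for s in statics if s.real_ip == src_ip), None)
    return st.mapped_ip if st else "<address from nat/global statements>"


if __name__ == "__main__":
    acls, statics = parse(CONFIG)
    live = {"192.168.2.250": {443}}       # constructed: old DC answering HTTPS
    print(inbound(acls, statics, live, "203.0.113.9", "77.x.x.52", 443))
    print(inbound(acls, statics, {}, "203.0.113.9", "77.x.x.52", 443))
    print(inbound(acls, statics, live, "203.0.113.9", "77.x.x.52", 3389))
    print(outbound(statics, "192.168.2.250"))
```

Running it shows the three outcomes the thread discusses: a permitted 443 connection reaches 192.168.2.250, the same connection with the host gone is forwarded but never completes, and anything not matching the access-list (RDP on 3389, for instance) is denied before translation even happens. The outbound helper illustrates Ernie's last point: while the static exists, 192.168.2.250's own internet traffic leaves as 77.x.x.52.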
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
No, what I am saying is that the IP 192.168.2.250 is actually the firewall. It will accept connections and then route them to the Internet IP 77.x.x.52. This way you are accessing the server on the Internet with an IP on your network.
0
 
Ernie Beek, Expert, commented:
I'm afraid you got it wrong (and the wrong way around).

Have a look at: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
For some insight.

(also for those who are interested)
0
 
Ian Price, IT Manager, Author, commented:
77.x.x.52 is outside - 192.168.2.250 is inside and was my old domain controller maybe it was there for remote access I suppose.
0
 
Ian Price, IT Manager, Author, commented:
Answered my question
0
 
Ernie Beek, Expert, commented:
Thx 4 the points.
B.t.w. I cleared out the public IPs.
0
Question has a verified solution.