Firewall static statements

Unanswered Question
Jul 6th, 2009

Hi,

Similar to statements put in routers for allowing internet based segment to access services hosted inside the network,firewall uses the static command ( if am correct).

My query is , if the inside server is hosting service on port 344( eg.) then should the static statement include port 344 also . In case if the port is not included will the access go about some default port like http.

Kindly explain.

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Loading.
suthomas1 Mon, 07/06/2009 - 05:46

Both NAT & access list, i believe is required for externals to access services hosted inside of firewall.

Collin Clark Mon, 07/06/2009 - 05:54

In the first NAT, you translate only a single port-

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

In the second NAT you translate all ports. If you query port 123, it will be translated to port 123.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

Hope that helps.

suthomas1 Mon, 07/06/2009 - 08:20

Thanks.

Is it better to specify the statement as first one , since my understanding says during the connection translation to the local server ip inside the network, request would have to be pushed to the desired service port on that ip as well.

This will ensure the services are properly accessed.

If we use the 2nd statement, wouldnt it cause problems, in the sense that it may sometimes default to port 80 or something default.

Please correct if this is wrong.

Thanks.

kwillacey Mon, 07/06/2009 - 08:26

No it just means that you will be able to access your internal server on any port, it will not default to a specific port. So as long as the server will accept the connection on the port you want to use it will work.

Where as the first statement is more for security purposes or needing to re use that public IP for other static translations.

Collin Clark Mon, 07/06/2009 - 08:26

Nope, no default redirection. 80 always goes to 80, 443 always goes to 443, if the service is unavailable (blocked by ACL), the service just fails and does not redirect to any other port.

suthomas1 Mon, 07/06/2009 - 08:45

fine..so specifying redirection with respect to port only serves me from security viewpoint, but even if i dont specify the port explicity , request should go to the appropriate service.

No hindrance to service.

Thanks.

kwillacey Mon, 07/06/2009 - 08:50

Yeh pretty much but it can still be secure when forwarding all ports as long as your acl is configured correctly.

suthomas1 Mon, 07/06/2009 - 09:09

Ok..that helps..

Now what if i use the first statement but i have two services http & https both listening on the internal server.

Would this cause a problem by not explicitly writing them in rules.

Thanks

Collin Clark Mon, 07/06/2009 - 09:16

You have to create the rules and the statics. The statics build the road and the ACLs are the cops on the road, determining who is allowed on or not.

kwillacey Mon, 07/06/2009 - 09:18

As long as it's configured correctly it should work with no problems as below just like Colin wrote

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255

OR you can forward all ports and use the acl to specify which ports the server can be accessed on.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

Actions

This Discussion