07-06-2009 04:50 AM - edited 03-11-2019 08:51 AM
Hi,
Similar to statements put in routers for allowing an internet-based segment to access services hosted inside the network, the firewall uses the static command (if I am correct).
My query is, if the inside server is hosting a service on port 344 (e.g.), then should the static statement include port 344 also? In case the port is not included, will the access go via some default port like http?
Kindly explain.
Thanks.
07-06-2009 05:10 AM
What are you referring to, NAT or access-lists?
07-06-2009 05:46 AM
Both NAT and access-list, I believe, are required for externals to access services hosted inside the firewall.
07-06-2009 05:54 AM
In the first NAT, you translate only a single port:
static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255
In the second NAT you translate all ports. If you query port 123, it will be translated to port 123.
static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255
Hope that helps.
07-06-2009 08:20 AM
Thanks.
Is it better to specify the statement as the first one, since my understanding says that during the connection translation to the local server IP inside the network, the request would have to be pushed to the desired service port on that IP as well?
This will ensure the services are properly accessed.
If we use the 2nd statement, wouldn't it cause problems, in the sense that it may sometimes default to port 80 or some other default?
Please correct if this is wrong.
Thanks.
07-06-2009 08:26 AM
No it just means that you will be able to access your internal server on any port, it will not default to a specific port. So as long as the server will accept the connection on the port you want to use it will work.
Whereas the first statement is more for security purposes or for needing to reuse that public IP for other static translations.
07-06-2009 08:26 AM
Nope, no default redirection. 80 always goes to 80, 443 always goes to 443, if the service is unavailable (blocked by ACL), the service just fails and does not redirect to any other port.
07-06-2009 08:45 AM
Fine, so specifying redirection with respect to port only serves me from a security viewpoint, but even if I don't specify the port explicitly, the request should go to the appropriate service.
No hindrance to service.
Thanks.
07-06-2009 08:50 AM
Yeah, pretty much, but it can still be secure when forwarding all ports as long as your ACL is configured correctly.
07-06-2009 09:09 AM
Ok, that helps.
Now what if I use the first statement but I have two services, http and https, both listening on the internal server?
Would this cause a problem by not explicitly writing them in the rules?
Thanks
07-06-2009 09:16 AM
You have to create the rules and the statics. The statics build the road and the ACLs are the cops on the road, determining who is allowed on or not.
07-06-2009 09:18 AM
As long as it's configured correctly it should work with no problems, as below, just like Colin wrote:
static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255
static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255
OR you can forward all ports and use the ACL to specify which ports the server can be accessed on:
static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255
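As an added illustration (not from the thread or from Cisco), here is a small Python model of how a pre-8.3 PIX/ASA treats an inbound connection against the two static forms above plus an outside ACL: a port static translates only its listed port, a 1:1 static carries every port through unchanged, there is no fallback to port 80, and the ACL decides permit or deny. The config text is constructed; 75.50.95.74, 192.168.1.6 and the ACL name outside_in are assumed for the example.

```python
import re
# Constructed config (pre-8.3 ASA/PIX syntax; ACLs name the public address), not from the thread.
CONFIG = """
static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255
static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255
static (inside,outside) 75.50.95.74 192.168.1.6 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 75.50.95.73 eq 80
access-list outside_in extended permit tcp any host 75.50.95.73 eq 443
access-list outside_in extended permit tcp any host 75.50.95.74 eq 22
access-group outside_in in interface outside
"""
STATIC_PORT_RE = re.compile(r"static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
STATIC_ALL_RE = re.compile(r"static \(\w+,\w+\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list \S+ extended (permit|deny) (tcp|udp|ip) any host (\S+)(?: eq (\d+))?")

def parse(config):
    """statics: (proto, global_ip, global_port, local_ip, local_port), Nones for a 1:1 static;
    acl: (action, proto, public_host, port or None for any port)."""
    statics, acl = [], []
    for line in config.strip().splitlines():
        if m := STATIC_PORT_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            statics.append((proto, gip, int(gport), lip, int(lport)))
        elif m := STATIC_ALL_RE.match(line):
            gip, lip = m.groups()
            statics.append((None, gip, None, lip, None))
        elif m := ACL_RE.match(line):
            action, proto, host, port = m.groups()
            acl.append((action, proto, host, int(port) if port else None))
    return statics, acl

def inbound(statics, acl, proto, dst_ip, dst_port):
    """None if no static covers dst_ip:dst_port (the packet is dropped, never redirected to
    another port); otherwise (acl_action, local_ip, local_port)."""
    target = None
    for sproto, gip, gport, lip, lport in statics:
        if gip != dst_ip:
            continue
        if sproto == proto and gport == dst_port:
            target = (lip, lport)       # port static: exactly this port, nothing else
            break
        if sproto is None and target is None:
            target = (lip, dst_port)    # 1:1 static: port 123 outside goes to port 123 inside
    if target is None:
        return None
    for action, aproto, host, port in acl:  # first match wins, implicit deny at the end
        if host == dst_ip and aproto in (proto, "ip") and port in (None, dst_port):
            return (action,) + target
    return ("deny",) + target

STATICS, ACL_ENTRIES = parse(CONFIG)
```

Calling inbound(STATICS, ACL_ENTRIES, "tcp", "75.50.95.74", 123) shows the thread's point: the 1:1 static translates port 123 to port 123, and only the missing ACL entry stops it.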