Firewall static statements

suthomas1
Level 6

Hi,

Similar to the statements put in routers for allowing an internet-based segment to access services hosted inside the network, the firewall uses the static command (if I am correct).

My query is, if the inside server is hosting a service on port 344 (e.g.), then should the static statement include port 344 also? If the port is not included, will the access go over some default port like HTTP?

Kindly explain.

Thanks.

11 Replies

andrew.prince
Level 10

What are you referring to, NAT or access-lists?

Both NAT & access list, I believe, are required for externals to access services hosted inside of the firewall.

In the first NAT, you translate only a single port:

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

In the second NAT you translate all ports. If you query port 123, it will be translated to port 123.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

Hope that helps.

Thanks.

Is it better to specify the statement as the first one, since my understanding says that during the connection translation to the local server IP inside the network, the request would have to be pushed to the desired service port on that IP as well?

This will ensure the services are properly accessed.

If we use the 2nd statement, wouldn't it cause problems, in the sense that it may sometimes default to port 80 or something default?

Please correct if this is wrong.

Thanks.

No, it just means that you will be able to access your internal server on any port; it will not default to a specific port. So as long as the server will accept the connection on the port you want to use, it will work.

Whereas the first statement is more for security purposes, or for needing to reuse that public IP for other static translations.

Nope, no default redirection. 80 always goes to 80, 443 always goes to 443, if the service is unavailable (blocked by ACL), the service just fails and does not redirect to any other port.

Fine, so specifying redirection with respect to port only serves me from a security viewpoint, but even if I don't specify the port explicitly, the request should go to the appropriate service.

No hindrance to service.

Thanks.

Yeah, pretty much, but it can still be secure when forwarding all ports as long as your ACL is configured correctly.

OK, that helps.

Now what if I use the first statement but I have two services, HTTP & HTTPS, both listening on the internal server?

Would this cause a problem by not explicitly writing them in rules?

Thanks

You have to create the rules and the statics. The statics build the road and the ACLs are the cops on the road, determining who is allowed on or not.

As long as it's configured correctly, it should work with no problems, as below, just like Colin wrote:

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255

Or you can forward all ports and use the ACL to specify which ports the server can be accessed on:

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255
