
New Member

Firewall static statements

Hi,

Similar to statements put in routers for allowing an internet-based segment to access services hosted inside the network, the firewall uses the static command (if I am correct).

My query is, if the inside server is hosting a service on port 344 (e.g.), then should the static statement include port 344 also? In case the port is not included, will the access go via some default port like http?

Kindly explain.

Thanks.

11 REPLIES

Re: Firewall static statements

What are you referring to, NAT or access-lists?

New Member

Re: Firewall static statements

Both NAT & access list, I believe, are required for externals to access services hosted inside of the firewall.

Re: Firewall static statements

In the first NAT, you translate only a single port:

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

In the second NAT you translate all ports. If you query port 123, it will be translated to port 123.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

Hope that helps.

New Member

Re: Firewall static statements

Thanks.

Is it better to specify the statement as the first one, since my understanding says that during the connection translation to the local server IP inside the network, the request would have to be pushed to the desired service port on that IP as well?

This will ensure the services are properly accessed.

If we use the 2nd statement, wouldn't it cause problems, in the sense that it may sometimes default to port 80 or some other default?

Please correct if this is wrong.

Thanks.

New Member

Re: Firewall static statements

No, it just means that you will be able to access your internal server on any port; it will not default to a specific port. So as long as the server will accept the connection on the port you want to use, it will work.

Whereas the first statement is more for security purposes or for needing to reuse that public IP for other static translations.

Re: Firewall static statements

Nope, no default redirection. 80 always goes to 80, 443 always goes to 443, if the service is unavailable (blocked by ACL), the service just fails and does not redirect to any other port.

New Member

Re: Firewall static statements

Fine, so specifying redirection with respect to port only serves me from a security viewpoint, but even if I don't specify the port explicitly, the request should go to the appropriate service.

No hindrance to service.

Thanks.

New Member

Re: Firewall static statements

Yeah, pretty much, but it can still be secure when forwarding all ports as long as your ACL is configured correctly.

New Member

Re: Firewall static statements

Ok, that helps.

Now what if I use the first statement but I have two services, http & https, both listening on the internal server?

Would this cause a problem by not explicitly writing them in the rules?

Thanks

Re: Firewall static statements

You have to create the rules and the statics. The statics build the road and the ACLs are the cops on the road, determining who is allowed on or not.

New Member

Re: Firewall static statements

As long as it's configured correctly it should work with no problems, as below, just like Colin wrote:

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255

OR you can forward all ports and use the acl to specify which ports the server can be accessed on.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255
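The two alternatives from this thread put together with the inbound ACL that gates them, as an added example (not posted by anyone in the thread). The addresses are the ones used above; the ACL name outside_in is assumed, and the ACL matches the public (translated) address, as the static command on PIX 6.x / ASA pre-8.3 expects.

```text
! --- Option A: port-specific statics. Only 80 and 443 are translated at all;
! --- a packet to 75.50.95.73:123 matches no static and is dropped before any ACL check.
static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255
static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255

! --- Option B: one-to-one static. Every port is translated unchanged
! --- (80 -> 80, 443 -> 443, 123 -> 123); nothing is redirected to a default port.
! --- Use either A or B for a given public IP, not both.
! static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

! --- The ACL is what actually decides which ports outsiders may reach.
! --- With option B this is the only thing keeping port 123 (or any other) closed.
access-list outside_in extended permit tcp any host 75.50.95.73 eq 80
access-list outside_in extended permit tcp any host 75.50.95.73 eq 443
access-group outside_in in interface outside
```

With option A the ACL is belt-and-braces; with option B the ACL is the sole control, so it must be reviewed whenever the server starts listening on a new port.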
