Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
294
Views
0
Helpful
2
Replies

Question about static statement

f-watts
Level 1
Level 1

‎01-14-2003 11:09 PM - edited ‎03-09-2019 01:41 AM

I have a PIX 506E. The configuration is basic and mostly like it came out of the box.

The other day I wanted to add a static mapping to allow inbound access to a web server (port 80). I added a static statement, an access-list statement, and an access group statement. When I did that the inside computers could no longer access the internet. I removed all three statments and did a clear xlate so I could find out which statement caused the problem. I re-entered the static statement and it turns out that it was the static statment causing the problem.

I was using one external IP address for PAT and another to do the static mapping with. The static statement looked like:

static (inside,outside) 10.0.0.15 192.168.0.55 netmask 255.255.255.255.

I found this statement on one of the cisco support pages:

"If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface."

In another document I found the following statement:

"By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then, by default, the outbound connection will be allowed if there is a translation method configured. "

I am curious if both of these are telling me that I need to add two statements like:

access-list acl_outbound permit ip any any AND

access-group acl_outbound in interface inside.

I don't see why I would need to do this since the static statement alone killed the outbound connection. Or is it something else

Also (and unrelated to the above) what about the statement:

"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. [snip]. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."

Can someone explain that to me.

thanks

Labels:
0 Helpful
2 Replies 2

rrbleeker
Level 1
Level 1

‎01-15-2003 09:20 AM

Frank,

Assuming that 10.0.0.15 is the IP address provided to you by your service provider, your 'static' statement is corrent. I don't mind helping you by checking your configuration. You can send it to me to my email address (rob.bleeker@nexinnovations.com). Just replace your real addresses with bogus addresses and remove username/password information.

0 Helpful

f-watts
Level 1
Level 1
In response to rrbleeker

‎01-15-2003 08:30 PM

The external addresses come from a router outside the pix that I am using to create a DMZ since the 506E only has two interfaces.

The configuration follows:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXX encrypted

hostname XXXXXXXX

domain-name XXXXXXX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.0.10 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit deny icmp any any

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

0 Helpful
Customers Also Viewed These Support Documents