topic Re: Firewall static statements in Network Security

Firewall static statements

suthomas1 — Mon, 11 Mar 2019 15:51:24 GMT

Hi,

Similar to statements put in routers for allowing internet based segment to access services hosted inside the network,firewall uses the static command ( if am correct).

My query is , if the inside server is hosting service on port 344( eg.) then should the static statement include port 344 also . In case if the port is not included will the access go about some default port like http.

Kindly explain.

Thanks.

Re: Firewall static statements

andrew.prince — Mon, 06 Jul 2009 12:10:04 GMT

What are yhou refering to NAT or Access-lists?

Re: Firewall static statements

suthomas1 — Mon, 06 Jul 2009 12:46:29 GMT

Both NAT & access list, i believe is required for externals to access services hosted inside of firewall.

Re: Firewall static statements

Collin Clark — Mon, 06 Jul 2009 12:54:21 GMT

In the first NAT, you translate only a single port-

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

In the second NAT you translate all ports. If you query port 123, it will be translated to port 123.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255

Hope that helps.

Re: Firewall static statements

suthomas1 — Mon, 06 Jul 2009 15:20:48 GMT

Thanks.

Is it better to specify the statement as first one , since my understanding says during the connection translation to the local server ip inside the network, request would have to be pushed to the desired service port on that ip as well.

This will ensure the services are properly accessed.

If we use the 2nd statement, wouldnt it cause problems, in the sense that it may sometimes default to port 80 or something default.

Please correct if this is wrong.

Thanks.

Re: Firewall static statements

kwillacey — Mon, 06 Jul 2009 15:26:11 GMT

No it just means that you will be able to access your internal server on any port, it will not default to a specific port. So as long as the server will accept the connection on the port you want to use it will work.

Where as the first statement is more for security purposes or needing to re use that public IP for other static translations.

Re: Firewall static statements

Collin Clark — Mon, 06 Jul 2009 15:26:29 GMT

Nope, no default redirection. 80 always goes to 80, 443 always goes to 443, if the service is unavailable (blocked by ACL), the service just fails and does not redirect to any other port.

Re: Firewall static statements

suthomas1 — Mon, 06 Jul 2009 15:45:02 GMT

fine..so specifying redirection with respect to port only serves me from security viewpoint, but even if i dont specify the port explicity , request should go to the appropriate service.

No hindrance to service.

Thanks.

Re: Firewall static statements

kwillacey — Mon, 06 Jul 2009 15:50:50 GMT

Yeh pretty much but it can still be secure when forwarding all ports as long as your acl is configured correctly.

Re: Firewall static statements

suthomas1 — Mon, 06 Jul 2009 16:09:54 GMT

Ok..that helps..

Now what if i use the first statement but i have two services http & https both listening on the internal server.

Would this cause a problem by not explicitly writing them in rules.

Thanks

Re: Firewall static statements

Collin Clark — Mon, 06 Jul 2009 16:16:15 GMT

You have to create the rules and the statics. The statics build the road and the ACLs are the cops on the road, determining who is allowed on or not.

Re: Firewall static statements

kwillacey — Mon, 06 Jul 2009 16:18:09 GMT

As long as it's configured correctly it should work with no problems as below just like Colin wrote

static (inside,outside) tcp 75.50.95.73 80 192.168.1.5 80 netmask 255.255.255.255

static (inside,outside) tcp 75.50.95.73 443 192.168.1.5 443 netmask 255.255.255.255

OR you can forward all ports and use the acl to specify which ports the server can be accessed on.

static (inside,outside) 75.50.95.73 192.168.1.5 netmask 255.255.255.255