10-01-2004 06:33 AM - edited 03-09-2019 08:57 AM
Cisco Forum Question:
After reviewing SNORT alerts on a Win2KServer, I found TCP traffic from a faddr.
Log Message %PIX-6-302001: Built inbound TCP connection number for faddr x.x.x.x/3537 gaddr IP_addr/port laddr x.x.x.x/80
Log Message %PIX-6-302002: Teardown TCP connection for faddr x.x.x.x/3537 gaddr IP_addr/port laddr x.x.x.x/80 duration time bytes num (text)
The same faddr was denied to all other laddr, except for this particular one. Why is this getting through?
10-01-2004 06:24 PM
Well, the firewall by itself prevents traffic originating from foreign addresses from getting into the network, whether you have NAT configured or not. One uses NAT usually to hide inside addresses and also to support a multitude of users against a handful of public IP addresses.
Sometimes there is a requirement to let traffic bypass the normal rules of the firewall to allow outside users to access protected resources, for example a web server in the DMZ. The usual design is to put such resources that require outside access on an interface different from internal users and servers. This third interface is usually referred to as the DMZ. You can have multiple DMZs depending on your requirements.
When you configure a static and then a corresponding conduit letting traffic in for that machine, you are basically telling the firewall to allow connections initiated from the outside to that machine and matching the conduit. When that happens, the PIX will report it in the logs, and that is exactly what you are seeing. For machines that either do not have a static, or have a static but no conduit permitting anything for them, connections will be denied.
Hope that makes things clear.
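A quick way to check the explanation above against a log is to read the static and conduit statements, then classify every inbound event: a "Built inbound" 302001 line should only ever appear for a gaddr/port that has both a static and a conduit, and everything else should show up as a denial. The script below is an added example written for this thread, not code from the original post or from Cisco. The 302001/302002 formats follow the lines quoted in the question; the %PIX-2-106001 denial line, the config statements and all addresses are constructed samples, and only the port names listed in PORT_NAMES are recognised.

```python
"""Audit PIX inbound connections against static + conduit statements (added example)."""
import re

# Message formats quoted in the thread (302001) and the 106001 denial (constructed sample).
BUILT_RE = re.compile(
    r"%PIX-6-302001: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)")
DENIED_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"to (?P<gaddr>[\d.]+)/(?P<gport>\d+)")

# Config statements: a static binds gaddr to laddr, a conduit opens a gaddr/port (constructed format).
STATIC_RE = re.compile(r"^static \((?P<hi>\w+),(?P<lo>\w+)\) (?P<gaddr>[\d.]+) (?P<laddr>[\d.]+)")
CONDUIT_RE = re.compile(r"^conduit permit tcp host (?P<gaddr>[\d.]+) eq (?P<port>\w+) any$")
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}


def load_policy(config_lines):
    """Return ({gaddr: laddr}, {(gaddr, port)}) parsed from static and conduit lines."""
    statics, permits = {}, set()
    for line in config_lines:
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m["gaddr"]] = m["laddr"]
            continue
        m = CONDUIT_RE.match(line)
        if m:
            port = m["port"]
            permits.add((m["gaddr"], PORT_NAMES[port] if port in PORT_NAMES else int(port)))
    return statics, permits


def audit(log_lines, statics, permits):
    """Classify each inbound log event as explained (static + conduit), unexplained, or denied.

    An 'unexplained' built connection means something other than the known
    static/conduit pair let it in and the running config should be re-read.
    """
    events = []
    for line in log_lines:
        m = BUILT_RE.search(line)
        if m and m["dir"] == "inbound":
            gaddr, gport, laddr = m["gaddr"], int(m["gport"]), m["laddr"]
            has_static = statics.get(gaddr) == laddr
            has_conduit = (gaddr, gport) in permits
            events.append({"faddr": m["faddr"], "gaddr": gaddr, "port": gport, "laddr": laddr,
                           "static": has_static, "conduit": has_conduit,
                           "verdict": "explained" if has_static and has_conduit else "unexplained"})
            continue
        m = DENIED_RE.search(line)
        if m:
            gaddr, gport = m["gaddr"], int(m["gport"])
            events.append({"faddr": m["faddr"], "gaddr": gaddr, "port": gport,
                           "laddr": statics.get(gaddr), "static": gaddr in statics,
                           "conduit": (gaddr, gport) in permits, "verdict": "denied"})
        # 302002 teardown lines only close a connection already counted; they are skipped.
    return events


def summarize(events):
    """Per foreign address: counts of explained, unexplained and denied inbound events."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["faddr"], {"explained": 0, "unexplained": 0, "denied": 0})
        s[e["verdict"]] += 1
    return summary


# Constructed sample config and log lines (RFC 5737 addresses), not from the original post.
CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.10 eq www any
""".strip().splitlines()

LOGS = [
    "%PIX-6-302001: Built inbound TCP connection 4711 for faddr 198.51.100.7/3537 gaddr 203.0.113.10/80 laddr 10.1.1.10/80",
    "%PIX-6-302002: Teardown TCP connection 4711 for faddr 198.51.100.7/3537 gaddr 203.0.113.10/80 laddr 10.1.1.10/80 duration 0:00:02 bytes 1834 (TCP FINs)",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3538 to 203.0.113.11/80 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3539 to 203.0.113.12/80 flags SYN on interface outside",
    "%PIX-6-302001: Built inbound TCP connection 4712 for faddr 198.51.100.7/3540 gaddr 203.0.113.11/22 laddr 10.1.1.11/22",
]

if __name__ == "__main__":
    statics, permits = load_policy(CONFIG)
    for e in audit(LOGS, statics, permits):
        print(f"{e['faddr']:>14} -> {e['gaddr']}/{e['port']} laddr={e['laddr']} "
              f"static={e['static']} conduit={e['conduit']} {e['verdict']}")
    print(summarize(audit(LOGS, statics, permits)))
```

In the sample, the port 80 connection to 203.0.113.10 is explained by its static plus the `eq www` conduit, the two denials are what the rest of the log should look like, and the final line is the interesting case: a built inbound connection to a host that has a static but no conduit for that port. That verdict is the cue to go back to the running config and find the conduit or access-list that really permitted it.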
10-01-2004 08:58 AM
You probably have a static configured binding the laddr x.x.x.x to the gaddr IP_addr. There must be an access-list permitting access to port 80 on the gaddr IP_addr.
10-01-2004 12:26 PM
Yes I have a static configured binding the laddr to the gaddr IP_addr. The conduit permits the gaddr IP_addr eq www any.
But isn't NAT supposed to prevent traffic from foreign addresses from getting into the network? Reviewing the logs, inbound attempts are mostly denied.