Inbound faddr TCP traffic

acira
Level 1

Cisco Forum Question:

After reviewing SNORT alerts on a Win2KServer, I found TCP traffic from a faddr.

Log Message %PIX-6-302001: Built inbound TCP connection number for faddr x.x.x.x/3537 gaddr IP_addr/port laddr x.x.x.x/80

Log Message %PIX-6-302002: Teardown TCP connection for faddr x.x.x.x/3537 gaddr IP_addr/port laddr x.x.x.x/80 duration time bytes num (text)

The same faddr was denied to all other laddr, except for this particular one. Why is this getting through?

3 Replies

a.awan
Level 4

You probably have a static configured binding the laddr x.x.x.x to the gaddr IP_addr. There must be an access-list permitting access to port 80 on the gaddr IP_addr.

Yes I have a static configured binding the laddr to the gaddr IP_addr. The conduit permits the gaddr IP_addr eq www any.

But isn't NAT supposed to prevent traffic from foreign addresses from getting into the network? Reviewing the logs, inbound attempts are mostly denied.

Well, the firewall by itself prevents traffic originating from foreign addresses from getting into the network, whether you have NAT configured or not. One usually uses NAT to hide inside addresses and also to support a multitude of users against a handful of public IP addresses.

Sometimes there is a requirement to let traffic bypass the normal rules of the firewall to allow outside users to access protected resources, for example a web server in the DMZ. The usual design is to put such resources that require outside access on an interface different from internal users and servers. This third interface is usually referred to as the DMZ. You can have multiple DMZs depending on your requirements.

When you configure a static and then a corresponding conduit letting traffic in for that machine, you are basically telling the firewall to allow connections initiated from the outside to that machine that match the conduit. When that happens, the PIX reports it in the logs, and that is exactly what you are seeing. For machines that either do not have a static, or do have a static but no conduit permitting anything for them, connections will be denied.

Hope that makes things clear.
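As an added example (not code from the thread or from Cisco), a small Python parser for the %PIX-6-302001 / %PIX-6-302002 lines quoted above: it keeps only the "Built inbound" connections (the ones a static plus conduit lets through), joins each to its teardown by connection number, and summarises which foreign addresses reached which inside host and port so the exposure can be checked against the intended conduits. The sample log lines are constructed; their addresses, ports, connection numbers and byte counts are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the %PIX-6-302001 / %PIX-6-302002 format quoted in the
# thread; addresses, ports and counters are made up, and the connection number the
# quoted lines elided is included because it is what joins a Built to its Teardown.
SAMPLE_LOG = """\
%PIX-6-302001: Built inbound TCP connection 1001 for faddr 198.51.100.7/3537 gaddr 203.0.113.10/80 laddr 10.1.1.5/80
%PIX-6-302001: Built outbound TCP connection 1002 for faddr 198.51.100.9/443 gaddr 203.0.113.11/51234 laddr 10.1.1.20/51234
%PIX-6-302002: Teardown TCP connection 1001 faddr 198.51.100.7/3537 gaddr 203.0.113.10/80 laddr 10.1.1.5/80 duration 0:00:12 bytes 4096 (TCP FINs)
%PIX-6-302001: Built inbound TCP connection 1003 for faddr 198.51.100.7/3540 gaddr 203.0.113.10/80 laddr 10.1.1.5/80
%PIX-6-302002: Teardown TCP connection 1002 faddr 198.51.100.9/443 gaddr 203.0.113.11/51234 laddr 10.1.1.20/51234 duration 0:01:00 bytes 900 (TCP Reset-O)
"""

ADDRS = (r"faddr (?P<faddr>\S+)/(?P<fport>\d+) gaddr (?P<gaddr>\S+)/(?P<gport>\d+)"
         r" laddr (?P<laddr>\S+)/(?P<lport>\d+)")
BUILT_RE = re.compile(r"302001: Built (?P<dir>inbound|outbound) TCP connection "
                      r"(?P<id>\d+) for " + ADDRS)
TEARDOWN_RE = re.compile(r"302002: Teardown TCP connection (?P<id>\d+) (?:for )?" + ADDRS +
                         r" duration (?P<duration>\S+) bytes (?P<bytes>\d+) \((?P<reason>.*)\)")

def parse_event(line):
    """Return a dict for a 302001 ('built') or 302002 ('teardown') line, else None."""
    for kind, rx in (("built", BUILT_RE), ("teardown", TEARDOWN_RE)):
        m = rx.search(line)
        if m:
            d = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            d["event"] = kind
            return d
    return None

def inbound_exposure(log_text):
    """Group 'Built inbound' connections by (laddr, lport, gaddr, gport): how many
    connections, total bytes from matched teardowns, and the set of foreign hosts."""
    conns = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["event"] == "built" and ev["dir"] == "inbound":
            conns[ev["id"]] = ev
        elif ev and ev["event"] == "teardown" and ev["id"] in conns:
            conns[ev["id"]].update(bytes=ev["bytes"], duration=ev["duration"], reason=ev["reason"])
    summary = defaultdict(lambda: {"conns": 0, "bytes": 0, "foreign": set()})
    for c in conns.values():  # still-open connections count with 0 bytes
        s = summary[(c["laddr"], c["lport"], c["gaddr"], c["gport"])]
        s["conns"] += 1
        s["bytes"] += c.get("bytes", 0)
        s["foreign"].add(c["faddr"])
    return dict(summary)
```

Any (laddr, lport) key in the result that does not correspond to a static with a permitting conduit is worth investigating; the outbound connection in the sample is ignored because it is not what a conduit allows.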