static command and 0 0 at the end of the command
17 years 11 months ago #18891
by zillah
Though I googled, I could not find the proper link to find out the information about 0 0 at the end of a static command; maybe I have not used the proper word to search.
I got confused with "0 0" at the end of a static command,
for instance like the one below:
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
I am aware of these concepts:
1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip".
2- Without address translation, the format of the static command becomes different: "static (high,low) highip highip".
3- pixfirewall(config)# nat (inside) 4 0 0, where "0 0" means 0.0.0.0 0.0.0.0 (i.e. any); does the same concept apply to a NAT static command?
1- I got confused: 255.255.255.255 (host) corresponds to 10.1.1.143, am I right? But what about 0 0? Does it correspond to 192.168.101.14?
17 years 11 months ago #18893
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Hi there,
The "0 0" portion of the command means {Max Connections & Emb Limit}.
When it is set to 0s it means unlimited. The Max Connections is straightforward enough; the Embryonic Limit means the number of connections that are not completely open, i.e. have not gone through the full 3-way handshake. It's to try and stop a DDoS attack.
emb_lim
(Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
Off Cisco's website:
tcp_maxconns - Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)
This option does not apply to outside NAT. The security appliance only tracks connections from a higher security interface to a lower security interface.
emb_lim - (Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.
www.cisco.com/en/US/products/ps6120/prod...3ad68.html#wp1540284
17 years 11 months ago #18907
by zillah
Thanks for this insight.
17 years 11 months ago #18916
by zillah
> 1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip".
In the PIX that I have got at work I have got these two lines in its configuration:
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
A- The above configurations do not follow the standard format that I mentioned in the quote?
B- Is the format in the quote above mandatory, or is it optional?
17 years 11 months ago #18919
by Smurf
Hi there,
If you look at the link provided (here: www.cisco.com/en/US/products/ps6120/prod...3ad68.html#wp1540284 ) and take a look at the static command, it will give you the full syntax along with what is optional.
The DNS keyword is optional and will doctor the DNS requests to change the inside IP address to the outside IP address (I think). This means you can have your internal DNS space with internal addressing, and when it goes outside your network onto the internet it will change the internal address to the corresponding outside address.
Cheers
Wayne
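The following is an added example, not code from the thread or from Cisco, that turns Smurf's two answers into something you can run against a config dump: it parses PIX 6.x-style `static` lines in the form shown above (`static (real_ifc,mapped_ifc) mapped_ip real_ip [dns] [netmask mask] [max_conns [emb_limit]] [norandomseq]`), records the `dns` keyword from the second reply, and audits the trailing two numbers from the first reply using the Cisco caveat quoted there: limits and TCP intercept apply only where the real host is on the higher-security interface, and are ignored for outside NAT. The interface security levels, the fourth sample line with explicit limits, and all function names are constructed for this example; the first three sample lines are the ones posted in the thread.

```python
"""Parse PIX-style `static` lines and audit their trailing max_conns / emb_limit fields.

Syntax handled (PIX 6.x form, as shown in this thread):
  static (real_ifc,mapped_ifc) mapped_ip real_ip [dns] [netmask mask] [max_conns [emb_limit]] [norandomseq]
PIX 6.x docs name the fields (internal_if_name, external_if_name) global_ip local_ip;
the positions are the same.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three lines quoted in the thread plus one with explicit limits.
SAMPLE_CONFIG = """\
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 5000 200
"""

# Assumed interface security levels (constructed; the thread does not give them).
SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "dmz": 50, "outside": 0}

STATIC_RE = re.compile(
    r"^static\s+\(\s*(?P<real>[\w-]+)\s*,\s*(?P<mapped>[\w-]+)\s*\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?P<rest>(?:\s+\S+)*)\s*$"
)


@dataclass
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    netmask: str = "255.255.255.255"   # applies to both addresses; host static by default
    dns: bool = False                  # rewrite A records in DNS replies matching this static
    max_conns: int = 0                 # 0 = unlimited
    emb_limit: int = 0                 # 0 = unlimited; TCP intercept is never triggered
    norandomseq: bool = False


def parse_static(line: str) -> Optional[StaticNat]:
    """Return a StaticNat for a `static` line, or None if the line is not one."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    nat = StaticNat(m["real"], m["mapped"], m["mapped_ip"], m["real_ip"])
    tokens = m["rest"].split()
    limits: List[int] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "dns":
            nat.dns = True
        elif tok == "norandomseq":
            nat.norandomseq = True
        elif tok == "netmask":
            i += 1
            if i == len(tokens):
                raise ValueError(f"netmask without a value: {line}")
            nat.netmask = tokens[i]
        elif tok.isdigit():
            limits.append(int(tok))      # positional: max_conns first, then emb_limit
        else:
            raise ValueError(f"unexpected token {tok!r}: {line}")
        i += 1
    if len(limits) > 2:
        raise ValueError(f"too many numeric fields: {line}")
    if limits:
        nat.max_conns = limits[0]
    if len(limits) == 2:
        nat.emb_limit = limits[1]
    return nat


def is_outside_nat(nat: StaticNat, levels: Dict[str, int]) -> bool:
    """True when the real host sits on a lower-security interface than its mapped address."""
    return levels[nat.real_ifc] < levels[nat.mapped_ifc]


def audit(nat: StaticNat, levels: Dict[str, int]) -> List[str]:
    """Findings for one static, following the Cisco notes quoted in the thread."""
    findings: List[str] = []
    if is_outside_nat(nat, levels):
        # Connections are only tracked higher -> lower security; for outside NAT
        # the appliance ignores max_conns and emb_limit entirely.
        findings.append("outside NAT: max_conns/emb_limit are ignored on this static")
        return findings
    if nat.emb_limit == 0:
        findings.append(f"{nat.real_ip}: emb_limit 0, TCP intercept never triggers (SYN flood reaches the host)")
    if nat.max_conns == 0:
        findings.append(f"{nat.real_ip}: max_conns 0, no cap on connections through this translation")
    return findings


def audit_config(text: str, levels: Dict[str, int]) -> List[Tuple[str, List[str]]]:
    """Audit every `static` line in a config dump; other lines are skipped."""
    results: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        nat = parse_static(line)
        if nat is not None:
            results.append((line.strip(), audit(nat, levels)))
    return results


if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONFIG, SECURITY_LEVELS):
        print(line)
        for finding in findings:
            print("   ->", finding)
```

With the assumed levels, the `(dmz,outside)` static from the first post is reported for both unlimited fields, while the two `(dmz,inside)` statics from the later post are reported as outside NAT, where the trailing `0 0` makes no difference at all because the appliance does not enforce those limits there. If your interfaces carry different security levels, change `SECURITY_LEVELS` before trusting the verdicts.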
17 years 11 months ago #18962
by zillah
Hi Smurf
It was my mistake (sorry); my intention was the "0 0" (not dns) at the end of the commands, because I am aware of why dns was used.