TOPIC: static command and 0 0 at the end of the command

static command and 0 0 at the end of the command 9 years 11 months ago #18891

Posted by zillah (Frequent Member)
Though I googled, I could not find the proper link to find out the information about "0 0" at the end of a static command; maybe I have not used the proper word to search.

I got confused with the "0 0" at the end of a static command,
for instance like the one below:

static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0

I am aware of these concepts:

1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip" .

2- Without address translation, the format of the static command becomes different: "static (high,low) highip highip".

3- In "pixfirewall(config)# nat (inside) 4 0 0", the "0 0" means 0.0.0.0 0.0.0.0 (i.e. any). Does the same concept apply to a static command?


1- I got confused: does 255.255.255.255 (host) correspond to 10.1.1.143? Am I right? But what about "0 0"? Does it correspond to 192.168.101.14?

Re: static command and 0 0 at the end of the command 9 years 11 months ago #18893

Posted by Smurf (Moderator)
Hi there,

The "0 0" portions of the command mean {Max Connections & Emb Limit}.

When they are set to 0 it means unlimited. The Max Connections is straightforward enough; the Embryonic Limit means the number of connections that are not completely open, i.e. have not gone through the full 3-way handshake. It's to try and stop a DDoS attack.

Off Cisco's Website

[code:1]tcp_maxconns - Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)
This option does not apply to outside NAT. The security appliance only tracks connections from a higher security interface to a lower security interface.

emb_lim - (Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.[/code:1]

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008073ad68.html#wp1540284
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: static command and 0 0 at the end of the command 9 years 11 months ago #18907

Posted by zillah (Frequent Member)
Thanks for this insight.

Re: static command and 0 0 at the end of the command 9 years 11 months ago #18916

Posted by zillah (Frequent Member)
1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip" .

In the PIX that I have got at work I have got these two lines in its configuration:

static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0

A- The above configurations do not follow the standard format that I mentioned in the quote?

B- Is the format in the quote above mandatory, or is it optional?

Re: static command and 0 0 at the end of the command 9 years 11 months ago #18919

Posted by Smurf (Moderator)
Hi there,

If you look at the link provided (here: http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008073ad68.html#wp1540284) and take a look at the static command, it will give you the full syntax along with what is optional.

The DNS keyword is optional and will doctor the DNS replies to change the inside IP address to the outside IP address (I think). This means you can have your internal DNS space with internal addressing, and when it goes outside your network onto the internet it will change the internal address to the corresponding outside address.

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
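Pulling together the two explanations in this thread (the trailing max_conns / emb_limit pair from Smurf's first reply, and the dns keyword from the reply just above), the following is an added example written for this page; it is not code from the thread, from Firewall.cx or from Cisco. It parses static lines in the forms that appear in the thread (the 6.x style ending in a bare "0 0", and the 7.x style with explicit tcp/udp keywords), then does two things a practitioner would want: it flags host statics where a server exposed inbound has emb_limit 0 (so TCP Intercept never triggers) while skipping outside NAT, where the Cisco text above says the limit is ignored anyway; and it simulates the dns keyword's rewrite of an A-record answer crossing the firewall. The interface security levels (inside 100, dmz 50, outside 0) and the fourth config line with a 7.x-style limit of 500 are constructed sample data, not from the thread, and the rewrite logic is the documented DNS-rewrite behaviour restated as an assumption for host statics only.

```python
"""Audit PIX/ASA ``static`` entries for their trailing limits and simulate ``dns``.
Added example for this page, not code from the thread or from Cisco. Syntax assumed:
  static (real_ifc,mapped_ifc) mapped_ip real_ip [dns] [netmask mask]
         [[tcp] max_conns [emb_limit]] [udp udp_max_conns]
A trailing ``0 0`` is max_conns=0 emb_limit=0: both unlimited.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATIC_RE = re.compile(
    r"^static\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?P<rest>.*)$"
)

# Constructed sample data: security levels of a three-leg PIX, and the three
# statics quoted in the thread plus a hypothetical 7.x-style fourth line.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
SAMPLE_CONFIG = """
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.144 192.168.101.15 netmask 255.255.255.255 tcp 0 500 udp 0
"""


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    dns: bool = False
    netmask: str = "255.255.255.255"
    max_conns: int = 0      # 0 = unlimited TCP connections
    emb_limit: int = 0      # 0 = unlimited half-open connections, TCP Intercept off
    udp_max_conns: int = 0


def parse_static(line: str) -> Optional[Static]:
    """Parse one ``static`` line; return None for any other config line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    s = Static(m["real"], m["mapped"], m["mapped_ip"], m["real_ip"])
    toks = m["rest"].split()
    limits: List[int] = []  # bare numbers (6.x) or the numbers after ``tcp`` (7.x)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "dns":
            s.dns = True
        elif t == "tcp":
            pass                # 7.x keyword; the numbers that follow are TCP limits
        elif t == "netmask":
            i += 1
            s.netmask = toks[i]
        elif t == "udp":
            i += 1
            s.udp_max_conns = int(toks[i])
        elif t.isdigit():
            limits.append(int(t))
        else:
            raise ValueError(f"unexpected token {t!r} in: {line.strip()}")
        i += 1
    if len(limits) > 2:
        raise ValueError(f"too many connection limits in: {line.strip()}")
    s.max_conns, s.emb_limit = (limits + [0, 0])[:2]   # missing values default to 0
    return s


def parse_config(text: str) -> List[Static]:
    return [s for s in map(parse_static, text.splitlines()) if s]


def audit_emb_limits(statics, levels=SECURITY_LEVELS) -> List[Tuple[str, str]]:
    """(real_ip, mapped_ip) of hosts exposed inbound with emb_limit 0.
    Per the Cisco text quoted in the thread, for outside NAT (real interface
    lower than mapped) the limit is ignored anyway, so those are not flagged."""
    return [(s.real_ip, s.mapped_ip) for s in statics
            if levels[s.real_ifc] > levels[s.mapped_ifc] and s.emb_limit == 0]


def rewrite_dns_answer(statics, answer_ip: str, from_ifc: str, to_ifc: str) -> str:
    """Simulate the ``dns`` keyword on an A-record answer crossing the firewall.
    Assumed behaviour (Cisco DNS rewrite, host statics only): the real address
    in an answer heading real->mapped becomes the mapped address, and the
    mapped address heading mapped->real becomes the real one."""
    for s in statics:
        if not s.dns or s.netmask != "255.255.255.255":
            continue
        if (from_ifc, to_ifc) == (s.real_ifc, s.mapped_ifc) and answer_ip == s.real_ip:
            return s.mapped_ip
        if (from_ifc, to_ifc) == (s.mapped_ifc, s.real_ifc) and answer_ip == s.mapped_ip:
            return s.real_ip
    return answer_ip


if __name__ == "__main__":
    statics = parse_config(SAMPLE_CONFIG)
    print(audit_emb_limits(statics))
    print(rewrite_dns_answer(statics, "192.168.101.210", "dmz", "inside"))
```

On the sample config the audit reports only 192.168.101.14 (mapped to 10.1.1.143 on outside): it is reachable from the lowest-security interface with no embryonic limit. The two "(dmz,inside)" lines from the thread are not reported, because there the real interface (dmz, 50) is lower than the mapped one (inside, 100), which is the outside-NAT case in which the firewall ignores emb_limit. For the DNS part, an answer of 192.168.101.210 travelling from dmz to inside comes out as 192.168.2.10, and the reverse path maps it back; a static without the dns keyword leaves the answer untouched.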

Re: static command and 0 0 at the end of the command 9 years 11 months ago #18962

Posted by zillah (Frequent Member)
Hi Smurf
"if you look at the link provided (here)"
It was my mistake (sorry); my intention was the "0 0" (not dns) at the end of the commands, because I am aware of why dns was used.