• Status: Solved

PIX 515E opening up mssql traffic to DMZ

I need to allow SQL traffic from my DMZ to our internal network. What are the PIX commands to do so?
Asked:
billfry
1 Solution
 
ruddg commented:
If you need LAN hosts to access SQL on a DMZ server, you simply need a NAT exemption for LAN to DMZ communications.

nat (dmz) 0 access-list dmz_nat0
access-list dmz_nat0 permit ip <DMZ Subnet> 255.255.255.0 <LAN Subnet> 255.255.255.0

The default security settings will allow LAN hosts to access DMZ servers.

If you need a DMZ host to access a LAN SQL server, then you need the above plus an access list that allows SQL traffic from the DMZ to the LAN.

access-list dmz_inbound_nat0_acl permit tcp host <DMZ Host> host <LAN Host> eq sqlnet

Resource:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1001958
 
ruddg commented:
Oop... to activate the access-list dmz_inbound_nat0_acl in second example:

access-group dmz_inbound_nat0_acl in interface dmz

Note: you may have a different name for your "DMZ" interface, and you may also be using different masks than in the first example.
 
billfry (Author) commented:
Thank you for your help Ruddg.

When I do access-group dmz_inbound_nat0_acl in interface dmz
it turns off outbound traffic from the DMZ...

I tried the steps above but it still will not let traffic flow from the DMZ into the internal MS SQL server...
 
ruddg commented:
So, you are needing to access an internal SQL server from the DMZ, right?

If possible, please post your current PIX config (feel free to sanitize public IPs, etc). I apologize, but I did oversimplify the needs a little. I assumed that some of this was already in place... your access list "dmz_inbound_nat0_acl" will also need provisions for allowing traffic out to the Internet, such as:

object-group service dmz-internet-out-tcp tcp
  description Traffic allowed from DMZ to internet
  port-object eq ftp
  port-object eq ftp-data
  port-object eq https
  port-object eq www
object-group service dmz-internet-out-udp udp
  port-object eq ntp
  port-object eq domain
access-list dmz_inbound_nat0_acl permit tcp <DMZ Subnet> 255.255.255.0 any object-group dmz-internet-out-tcp
access-list dmz_inbound_nat0_acl permit udp <DMZ Subnet> 255.255.255.0 any object-group dmz-internet-out-udp

Plus you should have standard NAT applied to the Internet bound traffic:

nat (dmz) 1 <DMZ Subnet> 255.255.255.0 dns 250 150

 
billfry (Author) commented:
Rud,
Below is my config,


show config

: Saved
: Written by enable_15 at 19:55:58.005 PDT Mon Apr 25 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password
passwd /
hostname
domain-name
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name  TSPDX
name  TSPTLAND
name TSSQL
object-group service MSSQL tcp
  port-object range 1433 1433
access-list inside_outbound_nat0_acl permit ip any 10.101.11.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 10.101.1.0 255.255.255.0 TSPDX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.101.1.0 255.255.255.0 10.101.1.0 255.255.255.128
access-list outside_access_in permit tcp any host 209.209.209.236 eq 8080
access-list outside_access_in permit tcp any host 209.209.209.236 eq www
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip 209.209.209.0 255.255.255.0 any
access-list outside_access_in permit icmp 209.209.209.0 255.255.255.0 any
access-list outside_access_in permit icmp any any unreachable
access-list acl_out permit ip TSPDX 255.255.255.0 10.101.1.0 255.255.255.0
access-list acl_out permit tcp any host 209.209.209.236 eq 8080
access-list acl_out permit tcp any host 209.209.209.236 eq www
access-list acl_out permit icmp host 209.209.209.237 any
access-list acl_out permit icmp any any
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.209.209.236 255.255.255.248
ip address inside 10.101.1.254 255.255.255.0
ip address dmz 10.101.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.101.1.50-10.101.1.98 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.101.1.0 10.101.1.0 netmask 255.255.255.0 25 5
static (dmz,outside) 209.209.209.236 10.101.10.1 netmask 255.255.255.255 500 25
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.209.209.233 1
 
billfry (Author) commented:
If I am reading you correctly, then the first suggestions you had should have granted me access into the SQL server, but not out...

 
ruddg commented:
Remove:

access-list outside_access_in
static (inside,dmz) 10.101.1.0 10.101.1.0 netmask 255.255.255.0 25 5
access-list inside_outbound_nat0_acl permit ip 10.101.1.0 255.255.255.0 10.101.1.0 255.255.255.128

Add:

access-list inside_outbound_nat0_acl permit ip 10.101.1.0 255.255.255.0 10.101.10.0 255.255.255.0
access-list dmz_nat0 permit ip 10.101.10.0 255.255.255.0 10.101.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0
object-group service dmz-internet-out-tcp tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq https
  port-object eq www
object-group service dmz-internet-out-udp udp
  port-object eq ntp
  port-object eq domain
access-list dmz_inbound_nat0_acl permit tcp host <DMZ Host> host <LAN Host> eq sqlnet
<add any other DMZ-->LAN permissions here>
access-list dmz_inbound_nat0_acl deny ip 10.101.10.0 255.255.255.0 10.101.1.0 255.255.255.0
access-list dmz_inbound_nat0_acl permit tcp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-tcp
access-list dmz_inbound_nat0_acl permit udp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-udp
nat (dmz) 1 10.101.10.0 255.255.255.0 dns 250 150
access-group dmz_inbound_nat0_acl in interface dmz
 
billfry (Author) commented:
I did the changes you asked. You taught me something tonight :) Thank you.

The SQL server is still unable to be accessed from the dmz however... :(
 
billfry (Author) commented:
Figured it out, we are using a different port to talk to the SQL. LOL, it works great! Thank you very much for your help :)

Points awarded!
 
ruddg commented:
Er... sorry... major oversight on my part:

MSSQL access uses port 1433 (sqlnet is for Oracle)

Add this:

access-list dmz_inbound_nat0_acl permit tcp host <DMZ Host> host <LAN Host> eq 1433

(this needs to appear before the 'deny' statement for DMZ-->LAN access)
 
billfry (Author) commented:
For some reason now I can access anything on the internal SQL server...
 
ruddg commented:
Does the access list look like this?

access-list dmz_inbound_nat0_acl permit tcp host <DMZ Host> host <LAN Host> eq 1433
access-list dmz_inbound_nat0_acl deny ip 10.101.10.0 255.255.255.0 10.101.1.0 255.255.255.0
access-list dmz_inbound_nat0_acl permit tcp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-tcp
access-list dmz_inbound_nat0_acl permit udp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-udp

The order of the rules is very important...
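The first-match rule ruddg stresses here (and relies on in the "Add:" list above), as an added Python simulation that is not part of the thread: a minimal evaluator for these four dmz_inbound_nat0_acl entries, using constructed placeholder addresses for <DMZ Host> and <LAN Host> and an assumed keyword-to-port table, which shows that placing the 1433 permit below the DMZ-to-LAN deny is what shadows the SQL connection.

```python
import ipaddress

# Constructed port-name table for the service keywords in the thread (our assumption).
PORTS = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "ntp": 123, "domain": 53}
GROUPS = {  # ruddg's two service object-groups, flattened to port sets
    "dmz-internet-out-tcp": {PORTS[p] for p in ("ftp", "ftp-data", "https", "www")},
    "dmz-internet-out-udp": {PORTS[p] for p in ("ntp", "domain")},
}
# Placeholder values for <DMZ Host> and <LAN Host> (constructed, not from the thread).
DMZ_HOST, LAN_HOST = "10.101.10.1", "10.101.1.10"

def parse_addr(tok):
    """Consume one address spec ('any', 'host X' or 'X MASK'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | object-group G]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, tok = parse_addr(tok[4:])
    dst, tok = parse_addr(tok)
    ports = None  # None means any destination port
    if tok and tok[0] == "eq":
        ports = {PORTS.get(tok[1]) or int(tok[1])}
    elif tok and tok[0] == "object-group":
        ports = GROUPS[tok[1]]
    return action, proto, src, dst, ports

def evaluate(acl, proto, src, dst, dport):
    """PIX semantics: the first matching entry wins; no match hits the implicit deny."""
    for line in acl:
        action, p, s, d, ports = parse_ace(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and (ports is None or dport in ports)):
            return action == "permit"
    return False

# ruddg's final ordering: the specific 1433 permit precedes the blanket DMZ->LAN deny.
CORRECT = [
    f"access-list dmz_inbound_nat0_acl permit tcp host {DMZ_HOST} host {LAN_HOST} eq 1433",
    "access-list dmz_inbound_nat0_acl deny ip 10.101.10.0 255.255.255.0 10.101.1.0 255.255.255.0",
    "access-list dmz_inbound_nat0_acl permit tcp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-tcp",
    "access-list dmz_inbound_nat0_acl permit udp 10.101.10.0 255.255.255.0 any object-group dmz-internet-out-udp",
]
# billfry's attempt with the 1433 line "at the end": the deny above it now shadows it.
MISORDERED = CORRECT[1:] + CORRECT[:1]
```

Calling evaluate(CORRECT, "tcp", DMZ_HOST, LAN_HOST, 1433) permits the SQL flow while the same call against MISORDERED is denied; other DMZ-to-LAN traffic is denied in both, and HTTP or DNS to the Internet is still permitted.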
 
billfry (Author) commented:
Put that line at the end and it's blocking access again :)
 
billfry (Author) commented:
Reordered that and it's blocking web requests now lol
 
billfry (Author) commented:
When I reorder it that way, SQL connections are down
 
billfry (Author) commented:
Forgot to add access-group dmz_inbound_nat0_acl in interface dmz after reordering. It removed it when I removed all the access groups.
 
billfry (Author) commented:
Works like a charm now!
 
billfry (Author) commented:
Well shoot, VPN services are down now :(
 
ruddg commented:
billfry, you did not post the relevant part of your config for VPN access... I mistook the ACL entry I had you remove for an attempt to allow traffic from LAN to DMZ. Based on your vpnpool, it looks like you were trying to use the same subnet (subnetted) for VPN clients that you have applied to your LAN. This is incorrect. You need to change the vpnpool to another range and create a nat0 access list entry for the pool.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

Post the complete config as it currently stands and we can work out the changes for the VPN to work again.
 
billfry (Author) commented:
I fixed the VPN last night through the PDM. Thanks again for your help Ruddg. You rock.