PIX\SQL DMZ Issue

Posted on 2007-07-19
Last Modified: 2010-04-09
I am having some problems connecting a DMZ web server to a back-end SQL server. Microsoft says this:

The firewall software should allow this dynamic allocation to occur through the use of rules. If it does, you can configure 1433 -> *ANY* established; this will dynamically open the response port after a SYN followed by a SYN/ACK by way of stateful packet inspection.

This is my access-list:
access-list DMZ_In line 2 permit udp host webserver host sqlserver eq 1443
access-list DMZ_In line 3 permit tcp host webserver host sqlserver eq 1443

Are they saying that I have to allow 'any' for port 1443 instead of just 'webserver'?

Is it possible to add 'established' to the end of it to make it work? When I say ip any any on line 1 it works fine... but when I take that away, no communication occurs...
Question by:jaysonfranklin
11 Comments
 
Accepted Solution by lrmoore (earned 1000 total points), ID: 19527400
Do you have a static xlate?
 static (inside,dmz) sqlserver sqlserver netmask 255.255.255.255 0 0
 
Author Comment by jaysonfranklin, ID: 19527453

Yes sir, I do. Identical to what you have.
 
Author Comment by jaysonfranklin, ID: 19527462
This is what Microsoft says:

The best way to observe this behavior is to trace a client-to-server communication by using Microsoft Network Monitor or a network sniffer tool. To configure the firewall, you must allow traffic from *ANY* to 1433, and from 1433 to *ANY*, where *ANY* is a port greater than 1024.
*ANY* -> 1433
1433 -> *ANY*
In addition to using Microsoft Network Monitor, you can also use the TCP/IP Netstat utility to illustrate this. Issuing netstat -an from an MS-DOS command window produces the following results, showing three established connections to SQL Server. This example uses 157.54.178.42 as the IP address of SQL Server and 157.54.178.31 as the client IP address. The ports opened by the client are 1746, 1748, and 1750 respectively.

Proto   Local Address          Foreign Address        State
 TCP    157.54.178.42:1433     0.0.0.0:0              LISTENING
 TCP    157.54.178.42:1433     157.54.178.31:1746     ESTABLISHED
 TCP    157.54.178.42:1433     157.54.178.31:1748     ESTABLISHED
 TCP    157.54.178.42:1433     157.54.178.31:1750     ESTABLISHED
                              

The firewall software should allow this dynamic allocation to occur through the use of rules. If it does, you can configure 1433 -> *ANY* established; this will dynamically open the response port after a SYN followed by a SYN/ACK by way of stateful packet inspection.

There is no way to limit the number of source TCP ports used for a SQL Server client to connect; this would defeat the purpose of having the client allocate a new, unused dynamic port. This is a TCP/IP standard that is defined for Winsock applications; this is not a limitation of SQL Server client communication.


So I changed my access-list to say:
access-list DMZ_In line 3 permit tcp any host sqlserver eq 1443
but I don't really like that... Is this the only way? What I don't understand is that it's still coming from the same IP, just a different port....
Assisted Solution by Cyclops3590 (earned 1000 total points), ID: 19528022

OK, I'm sorry, but this doesn't make sense. Maybe this is for some firewall out there and this is just for MS to cover themselves.

However, if you have the static or global/nat for the translation and an ACL to the SQL server on port 1433/tcp, that should be good enough.

This is because after the client, which is allowed by the ACL, sends the SYN packet, the PIX will create an entry in the conn table, thus allowing the return SYN/ACK packet. Most firewalls work like this, so that's why I assume their statement is just to cover the odd case where the firewall doesn't work that way.
 
Expert Comment by Pete Long, ID: 19529576

Agreed ^^

Just out of curiosity, what's

access-list DMZ_In line 1 ??
 
Author Comment by jaysonfranklin, ID: 19533550

Line 1 at that time was permit ip host webserver any
 
Author Comment by jaysonfranklin, ID: 19533589

BTW, that was just so I could have it working... I thought I only needed the other static,

static (dmz,inside) webserver webserver netmask 255.255.255.255 0 0

if I needed to connect the webserver to the internet or the inside for some reason...
 
Author Comment by jaysonfranklin, ID: 19568162

OK... figured it out... Don't know why this would make a difference, because I thought there was an implicit deny any at the end of ACLs.... But at the end of the ACL I had a deny ip any to the subnet of my internal network... When I removed that it works...
 
Expert Comment by Cyclops3590, ID: 19568243

>>implicit deny any at the end of acls
There is.

However, without seeing the ACLs in their entirety it's hard to tell for sure what was done and why it worked.
 
Author Comment by jaysonfranklin, ID: 19569501

Here is the ACL:

access-list DMZ_In line 1 permit tcp host websvr host sqlsvr eq 1443 log 6 interval 300 (hitcnt=0)
access-list DMZ_In line 2 deny ip any 10.0.0.0 255.0.0.0 log 6 interval 300 (hitcnt=0)
access-list DMZ_In line 3 deny ip any 172.16.0.0 255.255.255.0 log 6 interval 300 (hitcnt=0)
access-list DMZ_In line 4 deny ip any 172.16.0.0 255.255.240.0 log 6 interval 300 (hitcnt=0)
access-list DMZ_In line 5 deny ip any 192.168.0.0 255.255.0.0 log 6 interval 300

It used to have a line 6 of deny ip any 192.168.1.0 255.255.255.0... When I took this off it started working... Does that make sense?
 
Author Comment by jaysonfranklin, ID: 19614296

Never mind, it turns out it didn't make a difference; the SQL port was wrong...
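An added illustration, not part of the thread and not Cisco code, of the two points the answers turn on: Cyclops3590's description of the conn table admitting the return SYN/ACK without any "1433 -> ANY established" rule, and the final resolution that a DMZ_In entry with eq 1443 simply never matches a SYN to port 1433, so the packet falls through to the deny lines and the implicit deny. The model is a toy PIX-style filter: one ordered ACL per ingress interface (first match wins, implicit deny at the end), a connection table, and the PIX default of permitting higher-security to lower-security traffic where no ACL is bound. All addresses (websvr 172.16.1.10, sqlsvr 10.1.1.20, an outside host 203.0.113.5) and the security levels 100/50/0 are assumptions made for the example.

```python
"""Toy PIX-style stateful filter for the DMZ -> SQL case in the thread above.
Added example, not Cisco code.  Addresses, interface map and security levels
are invented for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WEBSVR, SQLSVR, OUTSIDER = "172.16.1.10", "10.1.1.20", "203.0.113.5"
HOST_IFACE = {WEBSVR: "dmz", SQLSVR: "inside", OUTSIDER: "outside"}
SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}   # assumed PIX levels


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags: "S", "SA", "A"; unused for udp


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int] = None   # "eq <port>"; None means any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class StatefulFirewall:
    def __init__(self, acls):
        self.acls = acls          # {ingress interface: [AclEntry, ...]}
        self.conns = set()        # (proto, client, cport, server, sport)
        self.log = []             # (decision, reason, packet)

    def _decide(self, ok, reason, p):
        self.log.append(("permit" if ok else "deny", reason, p))
        return ok

    def _track(self, p, fwd):
        # Only a new flow (UDP datagram or TCP SYN) creates a conn entry.
        if p.proto == "udp" or p.flags == "S":
            self.conns.add(fwd)

    def handle(self, p: Packet) -> bool:
        ingress, egress = HOST_IFACE[p.src], HOST_IFACE[p.dst]
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Packets of a tracked connection, either direction, bypass the ACLs.
        if fwd in self.conns or rev in self.conns:
            return self._decide(True, "conn table", p)
        # 2. Otherwise the ACL bound to the ingress interface decides:
        #    first match wins, anything unmatched hits the implicit deny.
        if ingress in self.acls:
            for n, e in enumerate(self.acls[ingress], 1):
                if e.matches(p):
                    ok = e.action == "permit"
                    if ok:
                        self._track(p, fwd)
                    return self._decide(ok, f"acl line {n}", p)
            return self._decide(False, "implicit deny", p)
        # 3. No ACL bound: PIX permits only higher- to lower-security traffic.
        ok = SEC_LEVEL[ingress] > SEC_LEVEL[egress]
        if ok:
            self._track(p, fwd)
        return self._decide(ok, "security level default", p)


def dmz_in(sql_port):
    """The thread's DMZ_In, parameterised on the SQL port (1433 right, 1443 the typo)."""
    return [AclEntry("permit", "tcp", WEBSVR + "/32", SQLSVR + "/32", sql_port),
            AclEntry("deny", "ip", "any", "10.0.0.0/8"),
            AclEntry("deny", "ip", "any", "192.168.0.0/16")]


def sql_handshake(fw, client_port=1746):
    """SYN, SYN/ACK, ACK between websvr and sqlsvr:1433.  Stops at the first
    drop, since the server never answers a SYN it did not receive."""
    steps = [Packet("tcp", WEBSVR, client_port, SQLSVR, 1433, "S"),
             Packet("tcp", SQLSVR, 1433, WEBSVR, client_port, "SA"),
             Packet("tcp", WEBSVR, client_port, SQLSVR, 1433, "A")]
    results = []
    for p in steps:
        results.append(fw.handle(p))
        if not results[-1]:
            break
    return results


def demo():
    good = StatefulFirewall({"dmz": dmz_in(1433)})
    out = {"handshake": sql_handshake(good)}       # SYN/ACK rides the conn table
    # An outside host probing the webserver's ephemeral port is not a tracked
    # return flow, so it meets the outside->dmz default and is dropped.
    out["probe"] = good.handle(Packet("tcp", OUTSIDER, 4444, WEBSVR, 1746, "S"))
    out["reasons"] = [r for _, r, _ in good.log]
    # With only the permit line, an unmatched DMZ flow still dies on the
    # implicit deny; the explicit deny lines only add log hits.
    minimal = StatefulFirewall({"dmz": dmz_in(1433)[:1]})
    out["stray"] = minimal.handle(Packet("udp", WEBSVR, 1748, SQLSVR, 1434))
    out["stray_reason"] = minimal.log[-1][1]
    # The thread's typo: "eq 1443" never matches a SYN to 1433.
    typo = StatefulFirewall({"dmz": dmz_in(1443)})
    out["typo"] = sql_handshake(typo)
    out["typo_conns"] = len(typo.conns)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the SYN permitted by acl line 1, the SYN/ACK and ACK permitted by the conn table with no rule for port 1433 as a source, the outside probe to the client's ephemeral port dropped, and with the 1443 typo the handshake stopping at the first packet with an empty conn table, which is exactly what the thread observed.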

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question