Solved

Can I direct traffic from server in DMZ to Inside interface?

Posted on 2007-11-14
267 Views
Last Modified: 2011-09-20
I have a Cisco ASA 5505 and am setting Inside, Outside and DMZ interfaces. One of the webservers in my DMZ zone is going to be making requests to a SQL server on my inside zone. Is that possible and if so, how do I set up the ASA 5505 to do this?

I have toyed around with setting this up and either can't find documentation on it or attempts to try it have ended up in failure.

Help!
Question by:lockrows_ainsley
7 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20284971
Hi lockrows_ainsley
I recommend an exempt NAT for your SQL server. Translations may affect the SQL traffic.
nat (DMZ) 0 webserverip 255.255.255.255
or
access-list DMZ_CNat permit ip host webserver host sqlserver
nat (DMZ) 0 access-list DMZ_CNat

Regards

 
LVL 28

Accepted Solution

by:batry_boy earned 250 total points
ID: 20285905
Do you have a base license or security plus license?  With the base license, the ASA operates in a restricted DMZ mode where traffic from that interface can only be initiated to one of the other interfaces, not both...just something to think about.
 
LVL 5

Expert Comment

by:renill
ID: 20287721
This is the translation rule for dmz to come inside:
static (dmz,inside) insideipadd webserverip netmask <mask>

This access-list is to permit the traffic from inside to dmz:
access-list dmz2inside extended permit ip insideip mask host webserver eq www
Tune this access-list depending on the requirement.

access-group <groupname> in interface <interface>

renil
 
LVL 28

Expert Comment

by:batry_boy
ID: 20288425
Given that you have the proper licensing such that traffic flow initiated from dmz to inside isn't blocked in the first place, here are the only statements you need...

static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255
access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433
access-group dmz_access_in in interface dmz

Now, I'll explain each statement above.

The first one creates a static translation for the inside IP address of the SQL server such that it looks like the same IP address when communicating with the dmz network segment.

The second one adds an access rule that allows SQL traffic (typically TCP 1433) inbound from the web server's IP address in the dmz inbound to the SQL server's IP address on the inside network segment.  If you need to allow other ports besides this you can add more ACL statements, but 1433 is the typical SQL communications port.

The last statement applies that ACL inbound to the dmz interface.

If you want to allow all of IP from the web server to the SQL server, just change the above ACL statement that references TCP 1433 to this one:

access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip

renil's ACL statement above is not accurate since it specifies "ip" (which implies all TCP and UDP ports) but also specifies a port (www)...I believe that was meant to read "tcp" instead of "ip".

My statements above also assume that you want to access the SQL server from the web server by the SQL server's real IP address on the inside.  If this is not the case, then just replace the first reference to "sqlserver_ip" in the static command above to be the IP address you want to use.  However, I recommend you perform the translation to the same IP address of the SQL server itself.
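To show batry_boy's three statements in the context of a full ASA 5505 three-interface setup, here is an added illustration that is not from the thread. Addresses are constructed, the pre-8.3 static/nat syntax of the era is assumed, and the ACL is tightened to the single port the web server actually needs, with a logged explicit deny so that anything else the DMZ host tries toward inside shows up in the logs.

```cisco
! ASA 5505, pre-8.3 syntax. All addresses below are constructed examples.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
! Third VLAN = DMZ. With the base license the ASA requires
! "no forward interface Vlan1" here, which is exactly what stops
! dmz-initiated connections to inside; Security Plus lifts that.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Identity static: the SQL server (10.0.0.10) keeps its real address
! when reached from the dmz, so no translation touches the SQL traffic.
static (inside,dmz) 10.0.0.10 10.0.0.10 netmask 255.255.255.255
!
! Least privilege: only the web server (192.168.10.5), only to the SQL
! server, only TCP 1433. Log the permit and the catch-all deny so a
! compromised DMZ host probing inside is visible in syslog.
access-list dmz_access_in extended permit tcp host 192.168.10.5 host 10.0.0.10 eq 1433 log
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Verification from the ASA CLI (both commands exist on 7.2 and later):
!   show access-list dmz_access_in
!   packet-tracer input dmz tcp 192.168.10.5 12345 10.0.0.10 1433
```

The packet-tracer run reports each phase (ACL, NAT, routing) and whether the flow is allowed, which separates a licensing block from an ACL or translation mistake.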
 

Author Comment

by:lockrows_ainsley
ID: 20295121
It looks like I might need to get the security plus bundle; let me cross that bridge and then I'll be able to use the above commands. I'll get back to you once I get that done. Thanks!
 
LVL 5

Expert Comment

by:renill
ID: 20296556
"access-list dmz2inside extended permit ip insideip mask host webserver eq www"
There is a small typo. It should be:
access-list dmz2inside permit ip host insideip host webserver
Sorry for that ;)

renill

 

Author Closing Comment

by:lockrows_ainsley
ID: 31409235
I guess it didn't work simply because I don't have the proper licensing installed; thanks for the info!
