Solved

Can I direct traffic from server in DMZ to Inside interface?

Posted on 2007-11-14
268 Views
Last Modified: 2011-09-20
I have a Cisco ASA 5505 and am setting Inside, Outside and DMZ interfaces. One of the webservers in my DMZ zone is going to be making requests to a SQL server on my inside zone. Is that possible and if so, how do I set up the ASA 5505 to do this?

I have toyed around with setting this up and either can't find documentation on it or attempts to try it have ended up in failure.

Help!
Question by:lockrows_ainsley
7 Comments
 

Expert Comment

by:Alan Huseyin Kayahan
ID: 20284971
Hi lockrows_ainsley

I recommend an exempt NAT for your SQL server. Translations may affect the SQL traffic.

nat (DMZ) 0 webserverip 255.255.255.255

or

access-list DMZ_CNat permit ip host webserver host sqlserver
nat (DMZ) 0 access-list DMZ_CNat

Regards

 

Accepted Solution

by: batry_boy (earned 250 total points)
ID: 20285905
Do you have a base license or security plus license?  With the base license, the ASA operates in a restricted DMZ mode where traffic from that interface can only be initiated to one of the other interfaces, not both...just something to think about.
 

Expert Comment

by:renill
ID: 20287721
This is the translation rule for dmz to come inside:

static (dmz,inside) insideipadd webserverip netmask <mask>

This access-list is to permit the traffic from inside to dmz:

access-list dmz2inside extended permit ip insideip mask host webserver eq www

Tune this access-list depending on the requirement.

access-group <groupname> in interface <interface>

renil

Expert Comment

by:batry_boy
ID: 20288425
Given that you have the proper licensing such that traffic flow initiated from dmz to inside isn't blocked in the first place, here are the only statements you need...

static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255
access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433
access-group dmz_access_in in interface dmz

Now, I'll explain each statement above.

The first one creates a static translation for the inside IP address of the SQL server such that it looks like the same IP address when communicating with the dmz network segment.

The second one adds an access rule that allows SQL traffic (typically TCP 1433) inbound from the web server's IP address in the dmz inbound to the SQL server's IP address on the inside network segment.  If you need to allow other ports besides this you can add more ACL statements, but 1433 is the typical SQL communications port.

The last statement applies that ACL inbound to the dmz interface.

If you want to allow all of IP from the web server to the SQL server, just change the above ACL statement that references TCP 1433 to this one:

access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip

renil's ACL statement above is not accurate since it specifies "ip" (which implies all TCP and UDP ports) but also specifies a port (www)...I believe that was meant to read "tcp" instead of "ip".

My statements above also assume that you want to access the SQL server from the web server by the SQL server's real IP address on the inside.  If this is not the case, then just replace the first reference to "sqlserver_ip" in the static command above to be the IP address you want to use.  However, I recommend you perform the translation to the same IP address of the SQL server itself.

Author Comment

by:lockrows_ainsley
ID: 20295121
It looks like I might need to get the security plus bundle; let me cross that bridge and then I'll be able to use the above commands. I'll get back to you once I get that done. Thanks!

Expert Comment

by:renill
ID: 20296556
"access-list dmz2inside extended permit ip insideip mask host webserver eq www"

There is a small typo. It should read:

access-list dmz2inside permit ip host insideip host webserver

Sorry for that ;)

renill

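As an added, runnable illustration of the rules the answers above rely on (this is not code from the thread or from Cisco): a small Python model that parses pre-8.3 ASA statements of the kind batry_boy and renill posted, flags the "ip ... eq www" mismatch batry_boy pointed out and renill then corrected, and evaluates whether a given DMZ-to-inside flow would pass. The interface names, security levels and addresses in SAMPLE_CONFIG are constructed placeholders, and the base-licence DMZ restriction batry_boy mentions is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in pre-8.3 ASA syntax (the syntax used in this thread).
# Addresses and VLAN numbers are placeholders, not taken from the question.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
access-list dmz_access_in permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list dmz2inside extended permit ip 10.1.1.0 255.255.255.0 host 172.16.1.10 eq www
access-group dmz_access_in in interface dmz
"""

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}  # small subset of ASA port keywords


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: tuple          # (network or "any", netmask or None)
    dst: tuple
    port: Optional[str]
    raw: str


def _parse_addr(t, i):
    """Consume 'any' | 'host X' | 'X MASK' at t[i]; return (addr, next index)."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl_line(line):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]"""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    port = PORT_NAMES.get(t[i + 1], t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(t[1], action, proto, src, dst, port, line.strip())


def parse_config(text):
    """Pull interfaces, statics, ACLs and access-groups out of a config fragment."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}}
    ifname = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            ifname = t[1]
        elif t[0] == "security-level":
            cfg["interfaces"][ifname] = int(t[1])
        elif t[0] == "static":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-list":
            e = parse_acl_line(line)
            cfg["acls"].setdefault(e.name, []).append(e)
        elif t[0] == "access-group":
            cfg["access_groups"][t[4]] = t[1]   # access-group NAME in interface IFNAME
    return cfg


def lint_config(cfg):
    """The mistake discussed in the thread: a port qualifier on a non-tcp/udp entry."""
    return [f"{e.raw!r}: 'eq' is only meaningful with tcp or udp, not '{e.proto}'"
            for entries in cfg["acls"].values() for e in entries
            if e.port is not None and e.proto not in ("tcp", "udp")]


def _matches(addr, ip):
    net, mask = addr
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def flow_allowed(cfg, src_if, src_ip, dst_if, dst_ip, proto, port=None):
    """Simplified pre-8.3 ASA model, following the thread's advice: lower-to-higher
    security needs a translation presenting the destination on the source interface
    plus an inbound ACL on the source interface; higher-to-lower with no ACL passes."""
    src_lvl, dst_lvl = cfg["interfaces"][src_if], cfg["interfaces"][dst_if]
    if src_lvl < dst_lvl and not any(s[0] == dst_if and s[1] == src_if and s[2] == dst_ip
                                     for s in cfg["statics"]):
        return False, f"no static translation presents {dst_ip} ({dst_if}) on {src_if}"
    acl = cfg["access_groups"].get(src_if)
    if acl is None:
        if src_lvl > dst_lvl:
            return True, "higher-to-lower security with no inbound ACL: allowed by default"
        return False, f"no ACL applied inbound on {src_if}"
    for e in cfg["acls"][acl]:
        if e.proto not in ("ip", proto) or not _matches(e.src, src_ip) or not _matches(e.dst, dst_ip):
            continue
        if e.port is not None and e.port != str(port):
            continue
        return e.action == "permit", f"matched: {e.raw}"
    return False, f"no match in {acl}: implicit deny"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for msg in lint_config(cfg):
        print("lint:", msg)
    print(flow_allowed(cfg, "dmz", "172.16.1.10", "inside", "10.1.1.20", "tcp", 1433))
    print(flow_allowed(cfg, "dmz", "172.16.1.10", "inside", "10.1.1.20", "tcp", 80))
```

Running it reports the lint finding for the dmz2inside line, permits the web server's TCP 1433 flow to the SQL server, and rejects the same pair on port 80 because the only applied entry is port-specific; change the entry to the "permit ip" form batry_boy gave and the port-80 flow passes as well.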
Author Closing Comment

by:lockrows_ainsley
ID: 31409235
I guess it didn't work simply because I don't have the proper licensing installed; thanks for the info!