Can I direct traffic from server in DMZ to Inside interface?

Posted on 2007-11-14
Last Modified: 2011-09-20
I have a Cisco ASA 5505 and am setting Inside, Outside and DMZ interfaces. One of the webservers in my DMZ zone is going to be making requests to a SQL server on my inside zone. Is that possible and if so, how do I set up the ASA 5505 to do this?

I have toyed around with setting this up and either can't find documentation on it or attempts to try it have ended up in failure.

Help!
Question by:lockrows_ainsley
7 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20284971
Hi lockrows_ainsley,
I recommend an exempt NAT for your SQL server. Translations may affect the SQL traffic.
nat (DMZ) 0 webserverip 255.255.255.255
or
access-list DMZ_CNat permit ip host webserver host sqlserver
nat (DMZ) 0 access-list DMZ_CNat

Regards

LVL 28

Accepted Solution

by:batry_boy (earned 750 total points)
ID: 20285905
Do you have a base license or a Security Plus license? With the base license, the ASA operates in a restricted DMZ mode where traffic from that interface can only be initiated to one of the other interfaces, not both...just something to think about.
LVL 5

Expert Comment

by:renill
ID: 20287721
This is the translation rule for the DMZ to come inside:
static (dmz,inside) insideipadd webserverip netmask <mask>

This access-list is to permit the traffic from inside to dmz:
access-list dmz2inside extended permit ip insideip mask host webserver eq www
Tune this access-list depending on the requirement.

access-group <groupname> in interface <interface>

renil
LVL 28

Expert Comment

by:batry_boy
ID: 20288425
Given that you have the proper licensing such that traffic flow initiated from dmz to inside isn't blocked in the first place, here are the only statements you need...

static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255
access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433
access-group dmz_access_in in interface dmz

Now, I'll explain each statement above.

The first one creates a static translation for the inside IP address of the SQL server such that it looks like the same IP address when communicating with the dmz network segment.

The second one adds an access rule that allows SQL traffic (typically TCP 1433) inbound from the web server's IP address in the dmz to the SQL server's IP address on the inside network segment. If you need to allow other ports besides this you can add more ACL statements, but 1433 is the typical SQL communications port.

The last statement applies that ACL inbound to the dmz interface.

If you want to allow all of IP from the web server to the SQL server, just change the above ACL statement that references TCP 1433 to this one:

access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip

renil's ACL statement above is not accurate since it specifies "ip" (which implies all TCP and UDP ports) but also specifies a port (www)...I believe that was meant to read "tcp" instead of "ip".

My statements above also assume that you want to access the SQL server from the web server by the SQL server's real IP address on the inside. If this is not the case, then just replace the first reference to "sqlserver_ip" in the static command above with the IP address you want to use. However, I recommend you perform the translation to the same IP address of the SQL server itself.
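Added illustration (not code from any poster in this thread): a small Python model of the three statements in the accepted answer, written in the pre-8.3 syntax used above. It parses the static, access-list and access-group lines, applies first-match ACL evaluation with the implicit deny at the end, requires a static translation to reach the real inside host, and lints the "permit ip ... eq www" pattern that batry_boy flags. The configuration text, the web server address 192.168.50.10 and the SQL server address 10.0.0.25 are constructed placeholders for this example; the check is a simplified model of ASA behaviour, not the firewall's own code.

```python
"""Toy model of the accepted answer's three ASA statements: parse them, lint the
ACL, and decide whether a DMZ->inside connection would be allowed.
Added illustration, not code from the thread; all addresses are constructed."""
import ipaddress

# Constructed sample config modelled on the accepted answer. Assumed placeholder
# addresses: web server 192.168.50.10 (dmz), SQL server 10.0.0.25 (inside).
SAMPLE_CONFIG = """
static (inside,dmz) 10.0.0.25 10.0.0.25 netmask 255.255.255.255
access-list dmz_access_in permit tcp host 192.168.50.10 host 10.0.0.25 eq 1433
access-group dmz_access_in in interface dmz
"""

# A few service keywords the ASA accepts in place of a port number.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}


def _read_address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_entry(tokens):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
    Returns (name, rule, problem); problem is None or a lint message."""
    i = 3 if tokens[2] == "extended" else 2
    action, proto = tokens[i], tokens[i + 1]
    src, i = _read_address(tokens, i + 2)
    dst, i = _read_address(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    problem = None
    if proto == "ip" and port is not None:
        # The point raised in the thread: 'ip' already covers every protocol,
        # so a port qualifier on it makes no sense; 'tcp' or 'udp' was meant.
        problem = f"{tokens[1]}: 'eq' port given with protocol 'ip'; use tcp or udp"
    rule = {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}
    return tokens[1], rule, problem


def parse_config(text):
    """Collect ACLs, static translations and the inbound ACL bound per interface."""
    cfg = {"acls": {}, "statics": [], "bindings": {}, "problems": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, rule, problem = parse_acl_entry(t)
            cfg["acls"].setdefault(name, []).append(rule)
            if problem:
                cfg["problems"].append(problem)
        elif t[0] == "static":
            # static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if,
                "mapped": ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False),
                "real": ipaddress.ip_address(t[3])})
        elif t[0] == "access-group":
            cfg["bindings"][t[4]] = t[1]  # access-group NAME in interface IF
    return cfg


def check_flow(cfg, ingress_if, egress_if, proto, src_ip, dst_ip, dport=None):
    """Return (allowed, real_destination, reason) for a new connection entering
    on ingress_if toward egress_if: first-match ACL, implicit deny at the end,
    then a static must supply the real address of the inside host."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl_name = cfg["bindings"].get(ingress_if)
    if acl_name is None:  # lower-to-higher security with no ACL: denied
        return False, None, f"no access-group bound inbound on {ingress_if}"
    for rule in cfg["acls"][acl_name]:
        if rule["proto"] not in ("ip", proto) or src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["action"] != "permit":
            return False, None, f"explicit deny in {acl_name}"
        break
    else:
        return False, None, f"implicit deny at end of {acl_name}"
    for st in cfg["statics"]:
        if st["mapped_if"] == ingress_if and st["real_if"] == egress_if and dst in st["mapped"]:
            real = st["real"] + (int(dst) - int(st["mapped"].network_address))
            return True, str(real), "permitted"
    return False, None, f"no static translation from {ingress_if} to {egress_if} for {dst}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_flow(cfg, "dmz", "inside", "tcp", "192.168.50.10", "10.0.0.25", 1433))
    print(check_flow(cfg, "dmz", "inside", "tcp", "192.168.50.10", "10.0.0.25", 3389))
    # Lint the shape of entry discussed in the thread ('ip' together with 'eq www').
    print(parse_acl_entry("access-list dmz2inside extended permit ip 10.0.0.0 255.255.255.0 "
                          "host 192.168.50.10 eq www".split())[2])
```

Running it shows only TCP 1433 from the web server to the SQL server getting through; a different port, a different DMZ host, or a connection arriving on an interface with no access-group bound is refused, and the "permit ip ... eq www" entry is reported by the linter rather than silently accepted.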

Author Comment

by:lockrows_ainsley
ID: 20295121
It looks like I might need to get the security plus bundle; let me cross that bridge and then I'll be able to use the above commands. I'll get back to you once I get that done. Thanks!
LVL 5

Expert Comment

by:renill
ID: 20296556
"access-list dmz2inside extended permit ip insideip mask host webserver eq www"
There is a small typo. It should be:
access-list dmz2inside permit ip host insideip host webserver
Sorry for that ;)

renill


Author Closing Comment

by:lockrows_ainsley
ID: 31409235
I guess it didn't work simply because I don't have the proper licensing installed; thanks for the info!