Solved

Can I direct traffic from server in DMZ to Inside interface?

Posted on 2007-11-14
Last Modified: 2011-09-20
I have a Cisco ASA 5505 and am setting Inside, Outside and DMZ interfaces. One of the webservers in my DMZ zone is going to be making requests to a SQL server on my inside zone. Is that possible and if so, how do I set up the ASA 5505 to do this?

I have toyed around with setting this up and either can't find documentation on it or attempts to try it have ended up in failure.

Help!
Question by:lockrows_ainsley
7 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20284971
Hi lockrows_ainsley

I recommend an exempt NAT for your SQL server. Translations may affect the SQL traffic.

nat (DMZ) 0 webserverip 255.255.255.255

or

access-list DMZ_CNat permit ip host webserver host sqlserver
nat (DMZ) 0 access-list DMZ_CNat

Regards

 
LVL 28

Accepted Solution

by: batry_boy (earned 250 total points)
ID: 20285905
Do you have a base license or security plus license?  With the base license, the ASA operates in a restricted DMZ mode where traffic from that interface can only be initiated to one of the other interfaces, not both...just something to think about.
 
LVL 5

Expert Comment

by:renill
ID: 20287721
This is the translation rule for the DMZ to come inside:

static (dmz,inside)  insideipadd webserverip netmask <mask>

This access-list is to permit the traffic from inside to the DMZ:

access-list dmz2inside extended permit ip insideip mask host webserver eq www

Tune this access-list depending on the requirement.

access-group <groupname> in interface <interface>

renil
 
LVL 28

Expert Comment

by:batry_boy
ID: 20288425
Given that you have the proper licensing such that traffic flow initiated from dmz to inside isn't blocked in the first place, here are the only statements you need...

static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255
access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433
access-group dmz_access_in in interface dmz

Now, I'll explain each statement above.

The first one creates a static translation for the inside IP address of the SQL server such that it looks like the same IP address when communicating with the dmz network segment.

The second one adds an access rule that allows SQL traffic (typically TCP 1433) inbound from the web server's IP address in the dmz inbound to the SQL server's IP address on the inside network segment.  If you need to allow other ports besides this you can add more ACL statements, but 1433 is the typical SQL communications port.

The last statement applies that ACL inbound to the dmz interface.

If you want to allow all of IP from the web server to the SQL server, just change the above ACL statement that references TCP 1433 to this one:

access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip

renil's ACL statement above is not accurate since it specifies "ip" (which implies all TCP and UDP ports) but also specifies a port (www)...I believe that was meant to read "tcp" instead of "ip".

My statements above also assume that you want to access the SQL server from the web server by the SQL server's real IP address on the inside.  If this is not the case, then just replace the first reference to "sqlserver_ip" in the static command above to be the IP address you want to use.  However, I recommend you perform the translation to the same IP address of the SQL server itself.
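An added example, not from the thread or any of its posters: a small Python lint over pre-8.3 ASA statements that flags the "ip" protocol combined with a port qualifier (the mix-up batry_boy points out), an access-group naming an undefined ACL, and an ACL destination on the dmz side with no matching static; the host names are the thread's placeholders, and the nat 0 exemption from the first reply is not modelled (an assumption of this example).

```python
"""Lint a few ASA (pre-8.3 syntax) statements for DMZ-to-inside access:
flags 'ip' with a port qualifier, an access-group naming an undefined ACL,
and an ACL destination with no static on that interface (nat 0 not modelled)."""
import re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
HOST_RE = re.compile(r"host (\S+)")

def lint_asa(lines):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, acls, statics, groups = [], {}, [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            statics.append(m.groups())   # (real_if, mapped_if, mapped, real, mask)
        elif m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            acls.setdefault(name, []).append((proto, rest))
            # 'ip' already covers every port, so a port qualifier cannot apply to it
            if proto == "ip" and re.search(r"\b(eq|neq|range|gt|lt)\b", rest):
                findings.append(f"{name}: 'ip' combined with a port qualifier; use tcp or udp")
        elif m := GROUP_RE.match(line):
            groups.append(m.groups())
        else:
            findings.append(f"unrecognised statement: {line}")
    for name, iface in groups:
        if name not in acls:
            findings.append(f"access-group {name}: ACL not defined")
            continue
        for _proto, rest in acls[name]:
            hosts = HOST_RE.findall(rest)
            dst = hosts[1] if len(hosts) > 1 else None   # second 'host' is the destination
            if dst and not any(s[1] == iface and s[2] == dst for s in statics):
                findings.append(f"{name}: no static maps {dst} onto interface {iface}")
    return findings

# Constructed sample: the three statements from the accepted answer, with the
# thread's placeholder host names.
SAMPLE = [
    "static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255",
    "access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433",
    "access-group dmz_access_in in interface dmz",
]
# The 'ip ... eq www' form discussed above, for comparison.
BAD_ACL = "access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip eq www"
```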
 

Author Comment

by:lockrows_ainsley
ID: 20295121
It looks like I might need to get the security plus bundle; let me cross that bridge and then I'll be able to use the above commands. I'll get back to you once I get that done. Thanks!
 
LVL 5

Expert Comment

by:renill
ID: 20296556
"access-list dmz2inside extended permit ip insideip mask host webserver eq www"

There is a small typo. It should be:

access-list dmz2inside permit ip host insideip host webserver

Sorry for that ;)

renill
 

Author Closing Comment

by:lockrows_ainsley
ID: 31409235
I guess it didn't work simply because I don't have the proper licensing installed; thanks for the info!