  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 276

Can I direct traffic from server in DMZ to Inside interface?

I have a Cisco ASA 5505 and am setting Inside, Outside and DMZ interfaces. One of the webservers in my DMZ zone is going to be making requests to a SQL server on my inside zone. Is that possible and if so, how do I set up the ASA 5505 to do this?

I have toyed around with setting this up and either can't find documentation on it or attempts to try it have ended up in failure.

Help!
0
Asked by: lockrows_ainsley
1 Solution
 
Alan Huseyin KayahanCommented:
Hi lockrows_ainsley,

I recommend an exempt NAT for your SQL server. Translations may affect the SQL traffic.

nat (DMZ) 0 webserverip 255.255.255.255

or

access-list DMZ_CNat permit ip host webserver host sqlserver
nat (DMZ) 0 access-list DMZ_CNat

Regards

0
 
batry_boyCommented:
Do you have a base license or security plus license?  With the base license, the ASA operates in a restricted DMZ mode where traffic from that interface can only be initiated to one of the other interfaces, not both...just something to think about.
0
 
renillCommented:
This is the translation rule for dmz to come inside
static (dmz,inside)  insideipadd webserverip netmask <mask>

This access-list is to permit the traffic from inside to dmz:
access-list dmz2inside extended permit ip insideip mask host webserver eq www
Tune this access-list depending on the requirement.

access-group <groupname> in interface <interface>

renil
0
 
batry_boyCommented:
Given that you have the proper licensing such that traffic flow initiated from dmz to inside isn't blocked in the first place, here are the only statements you need...

static (inside,dmz) sqlserver_ip sqlserver_ip netmask 255.255.255.255
access-list dmz_access_in permit tcp host webserver_ip host sqlserver_ip eq 1433
access-group dmz_access_in in interface dmz

Now, I'll explain each statement above.

The first one creates a static translation for the inside IP address of the SQL server such that it looks like the same IP address when communicating with the dmz network segment.

The second one adds an access rule that allows SQL traffic (typically TCP 1433) from the web server's IP address in the dmz inbound to the SQL server's IP address on the inside network segment.  If you need to allow other ports besides this you can add more ACL statements, but 1433 is the typical SQL communications port.

The last statement applies that ACL inbound to the dmz interface.

If you want to allow all of IP from the web server to the SQL server, just change the above ACL statement that references TCP 1433 to this one:

access-list dmz_access_in permit ip host webserver_ip host sqlserver_ip

renil's ACL statement above is not accurate since it specifies "ip" (which implies all TCP and UDP ports) but also specifies a port (www)...I believe that was meant to read "tcp" instead of "ip".

My statements above also assume that you want to access the SQL server from the web server by the SQL server's real IP address on the inside.  If this is not the case, then just replace the first reference to "sqlserver_ip" in the static command above to be the IP address you want to use.  However, I recommend you perform the translation to the same IP address of the SQL server itself.
0
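The three statements batry_boy lists above (static, access-list, access-group), plus the NAT-exemption idea from Alan Huseyin Kayahan's reply, assembled into one complete pre-8.3 ASA 5505 configuration fragment with a verification step. This is an added worked example, not configuration from any reply in this thread. The addresses (192.168.1.0/24 inside, 10.10.10.0/24 dmz, web server 10.10.10.10, SQL server 192.168.1.20, outside 203.0.113.2), the VLAN-to-interface layout and a Security Plus license are assumptions; the `static`/`nat` syntax is the one used in this thread, which ASA 8.3 and later replaced with object NAT.

```cisco
! Assumed three-interface layout on a 5505. With the Base license the third
! VLAN must be configured with "no forward interface Vlan1", which is the
! restricted-DMZ behaviour batry_boy describes and blocks dmz -> inside.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Identity static: the SQL server keeps its real address (192.168.1.20) when
! reached from the dmz, so no translation touches the SQL session. Alan's
! "nat (dmz) 0 access-list <acl>" form is the equivalent exemption written
! from the dmz side.
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
!
! Inbound ACL on the dmz. Binding any ACL here replaces the implicit
! "permit to lower-security interfaces" rule, so after the single SQL permit
! everything else bound for the inside network is denied explicitly and the
! web server's outbound (Internet) access is re-permitted explicitly.
access-list dmz_access_in extended permit tcp host 10.10.10.10 host 192.168.1.20 eq 1433
access-list dmz_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
!
! Verification (exec mode, not configuration): trace a synthetic SQL
! connection through the box and confirm the result is ALLOW, then watch
! the ACL hit counters once the web server is live.
packet-tracer input dmz tcp 10.10.10.10 40000 192.168.1.20 1433
show access-list dmz_access_in
```

The explicit deny before the final permit is what keeps the dmz from initiating anything other than TCP 1433 into the inside network; without it, the catch-all permit needed for the web server's Internet access would also permit dmz-to-inside traffic. Outbound translation for the dmz toward the outside (`nat`/`global`) is a separate concern and is not shown.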
 
lockrows_ainsleyAuthor Commented:
It looks like I might need to get the security plus bundle; let me cross that bridge and then I'll be able to use the above commands. I'll get back to you once I get that done. Thanks!
0
 
renillCommented:
"access-list dmz2inside extended permit ip insideip mask host webserver eq www"
There is a small typo. It should read:
access-list dmz2inside permit ip host insideip host webserver
Sorry for that ;)

renill

0
 
lockrows_ainsleyAuthor Commented:
I guess it didn't work simply because I don't have the proper licensing installed; thanks for the info!
0
