• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 753

Need help setting up port forwarding on ASA 5510

I'm a newbie to the Cisco environment, so please be patient with me, thank you!
Here's the situation: we have an L2L VPN set up between 2 locations. We want a specific server to come in and access our SQL server. So far we are able to access this server with no issues, but our developer ran into an issue where, from that server, it is unable to communicate with our SQL server. It complains that port 1433 is being blocked by our firewall.

Server1 (10.66.66.1) - needs access to our SQL (10.60.60.1) server

If I execute the following commands, would that allow our Server1 to talk to our SQL server? (I could be totally off.)

static (inside,outside) tcp 10.66.66.1 1433 10.60.60.1 1433 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 10.66.66.1 host 10.60.60.1
access-group outside_access_in in interface outside

Thank you so much for your help!!!! Happy New Year everyone!!!
Asked by golowai
1 Solution
 
sudeep_mibCommented:
I have modified the NAT rule. Hope it will help.


static (inside,outside) tcp 10.66.66.1  0 10.60.60.1 1433 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 10.66.66.1 host 10.60.60.1
access-group outside_access_in in interface outside


Regards
Sudip Patil
 
 
sudeep_mibCommented:
You are able to access your SQL server, but you are not able to access port 1433. It means it could be an access-list issue.

Add an access list to allow port 1433.

 
rsivanandanCommented:
Since it is an L2L VPN, you do not need static entries. All traffic, including protocol and port, is governed by the access-list the VPN uses to trigger. So you may want to check that; if you need help, then please post a sanitized configuration here.

Cheers,
rsivanandan
 
golowaiAuthor Commented:
sudeep_mib: how do I add an access list to allow port 1433? Thanks.
 
rsivanandanCommented:
LOL? You accepted the answer though!

Cheers,
rsivanandan
 
golowaiAuthor Commented:
LOL, I know... I thought this should work.
 
sudeep_mibCommented:
Please put your config here so that I can tell you what access-list you need to add.

 
golowaiAuthor Commented:
here it is.
ASA Version 7.2(4) 
!
hostname FW01
domain-name robson.local
enable password  encrypted
passwd  encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.60.60.99 255.255.255.0 
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.43 255.255.255.248 
!
interface Ethernet0/2
 nameif services_dmz
 security-level 0
 ip address x.x.x.1 255.255.255.0 
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
banner motd ---------------------------------------------
banner motd |                                           |
banner motd |   If you are not an authorized admin      |
banner motd |   please disconnect immediately. This     |
banner motd |  system is currently being logged and     |
banner motd |   monitored. Tampering will result in     |
banner motd |   punishment in accordance with local,    |
banner motd |   state, and government enforced laws.    |
banner motd |                                           |
banner motd |                                           |
banner motd ---------------------------------------------
boot system disk0:/asa724-k8.bin

ftp mode passive
clock timezone est -4
dns server-group DefaultDNS
 domain-name robson.local
same-security-traffic permit intra-interface

access-list inside_access_out extended permit tcp any any eq www 
access-list inside_access_out extended permit tcp any any eq https 
access-list inside_access_out extended permit icmp any any 
access-list inside_access_out extended permit tcp any any eq citrix-ica 
access-list inside_access_out extended permit tcp any any eq 2598 
access-list inside_access_out extended permit tcp any any eq domain 
access-list inside_access_out extended permit udp any any eq domain 
access-list inside_access_out extended permit tcp any any eq ftp 

access-list inside_access_out extended permit udp any any eq ntp 
access-list inside_access_out extended permit tcp any any eq 1935 
access-list inside_access_out extended permit tcp any any eq 445 
access-list inside_access_out extended permit gre any any 
access-list inside_access_out extended permit esp any any 
access-list inside_access_out extended permit udp any any eq isakmp 
access-list inside_access_out extended permit udp any any eq 4500 
access-list inside_access_out extended permit tcp any any eq 123 
access-list inside_access_out extended permit ip 10.60.60.0 255.255.255.0 any 
access-list inside_access_out extended permit ip any any 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host x.x.x.43 eq 64777 
access-list outside_access_in extended permit ip 10.60.65.0 255.255.255.0 10.60.60.0 255.255.255.0 
access-list outside_access_in extended permit ip 10.66.66.0 255.255.255.0 any 
access-list outside_access_in extended permit ip 10.66.66.0 255.255.255.192 10.66.166.0 255.255.255.240 
access-list services_dmz extended permit icmp any any 
access-list services_dmz extended permit ip any host x.x.x.97 
access-list services_dmz extended permit ip any host x.x.x.98 
access-list webvpn_acl standard permit 10.60.65.0 255.255.255.0 
access-list webvpn_acl standard permit 10.60.60.0 255.255.255.0 

access-list nonat extended permit ip 10.60.65.0 255.255.255.0 10.60.60.0 255.255.255.0 
access-list nonat extended permit ip 10.60.60.0 255.255.255.0 10.60.65.0 255.255.255.0 
access-list lime_nat extended permit ip any 10.66.66.0 255.255.255.192 
access-list lime_vpn extended permit ip 10.66.166.0 255.255.255.240 10.66.66.0 255.255.255.192 
access-list lime_vpn extended permit ip 10.66.66.0 255.255.255.192 10.66.166.0 255.255.255.240 
access-list reuters extended permit ip any host x.x.x.97 
access-list reuters extended permit ip any host x.x.x.98 
access-list outside_nat_outbound extended permit ip 10.66.66.0 255.255.255.192 10.66.166.0 255.255.255.240 
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging device-id context-name
logging host inside 10.60.60.20
logging host inside 10.60.60.111
mtu inside 1500
mtu outside 1500
mtu services_dmz 1500
mtu management 1500
ip local pool webvpn_pool 10.60.65.1-10.60.65.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 3 10.66.166.5-10.66.166.10
global (outside) 1 interface
global (outside) 3 10.66.166.4
global (services_dmz) 5 x.x.x.225
nat (inside) 0 access-list nonat
nat (inside) 3 access-list lime_nat
nat (inside) 5 access-list services_dmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 3 access-list outside_nat_outbound
static (inside,outside) tcp interface 64777 10.60.60.20 3389 netmask 255.255.255.255 
static (inside,services_dmz) x.x.x.226 10.60.60.100 netmask 255.255.255.255 
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
access-group services_dmz in interface services_dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.41 1
route services_dmz x.x.x.97 255.255.255.255 x.x.x.5 1
route services_dmz x.x.x.98 255.255.255.255 x.x.x.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.60.98.0 255.255.255.0 inside
http 10.60.60.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 65535 set transform-set 3des-sha
crypto dynamic-map dynmap 65535 set security-association lifetime seconds 86400
crypto map vpn 5 match address lime_vpn
crypto map vpn 5 set pfs 
crypto map vpn 5 set peer x.x.x.220 
crypto map vpn 5 set transform-set 3des-sha
crypto map vpn 65535 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp am-disable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 250
telnet 10.60.0.0 255.255.0.0 inside
telnet 10.60.98.0 255.255.255.0 inside
telnet 10.60.240.0 255.255.240.0 inside
telnet 10.60.60.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
ntp server x.x.x.18

webvpn
 enable outside
 default-idle-timeout 300
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc enable
 customization DfltCustomization
    logo none
group-policy WebVPN internal
group-policy WebVPN attributes
 dns-server value 10.60.60.20 198.6.1.6
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webvpn_acl
 default-domain value segcap.com
 webvpn
  svc required
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool webvpn_pool
 default-group-policy WebVPN
tunnel-group x.x.x.220 type ipsec-l2l
tunnel-group x.x.x.220 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
compression svc
Cryptochecksum:
: end

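What the posted configuration actually shows, and the change that follows from it, as an added example (this is not the asker's or either answerer's config, and it was not posted in the thread). rsivanandan's point is the right one: on an L2L tunnel the crypto ACL, here lime_vpn, decides what is encrypted, and lime_vpn only covers 10.66.166.0/28 on the local side. Inside hosts reach 10.66.66.0/26 because lime_nat translates them into the dynamic pool 10.66.166.4-10.66.166.10, but a dynamic pool only serves connections started from the inside. Nothing in the config maps an address in 10.66.166.0/28 to the SQL server, so Server1 (10.66.66.1) has no address it can connect to: a connection to 10.60.60.1 directly is not interesting traffic and never enters the tunnel, which the remote side reports as "port 1433 blocked". The static proposed in the question is backwards, because it uses Server1's own address as the mapped address; the mapped address has to be one inside the local encryption domain. The lines below assume that 10.66.166.11 is unused on both ends (the pool only uses .4 through .10; this address is an assumption) and that the peer's crypto ACL mirrors lime_vpn, i.e. covers all of 10.66.166.0/28. Verification commands are EXEC-mode, not configuration.

```cisco
! Added example, not part of the thread. Assumes 10.66.166.11 is free in
! 10.66.166.0/28 and that the remote peer's crypto ACL mirrors lime_vpn.
!
! Static PAT: expose only tcp/1433 of the SQL server (10.60.60.1) as
! 10.66.166.11, an address inside the local encryption domain. A
! port-specific static is deliberate: a plain one-to-one static would also
! source all of 10.60.60.1's other outbound traffic from 10.66.166.11,
! which is not routable beyond the tunnel.
static (inside,outside) tcp 10.66.166.11 1433 10.60.60.1 1433 netmask 255.255.255.255
!
! The interface ACL is consulted with mapped addresses in 7.2, and only if
! sysopt connection permit-vpn has been turned off (it is on by default, so
! VPN traffic bypasses outside_access_in). If you do tighten things later by
! disabling it, this is the least-privilege entry for the flow; the existing
! "permit ip 10.66.66.0 255.255.255.0 any" line already covers far more.
access-list outside_access_in remark Server1 -> SQL over L2L, mapped address
access-list outside_access_in extended permit tcp host 10.66.66.1 host 10.66.166.11 eq 1433
!
! Verification from EXEC mode: simulate the inbound flow exactly as the
! remote server would send it (to the mapped address, not 10.60.60.1). The
! trace should show the untranslate to 10.60.60.1 and end in ALLOW.
packet-tracer input outside tcp 10.66.66.1 40000 10.66.166.11 1433
! Confirm the translation is installed and that the SA to the peer is
! actually carrying packets once the developer retries.
show xlate | include 10.60.60.1
show crypto ipsec sa peer x.x.x.220
```

The practical consequence for the developer is that Server1's connection string must point at 10.66.166.11:1433, not at 10.60.60.1. If the remote end has its own firewall or host ACL, it needs to allow 10.66.66.1 to 10.66.166.11/tcp 1433 as well; the ASA side cannot see or fix that.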
