Solved

Connect to SQL from outside after ASA5550

Posted on 2011-02-11
Last Modified: 2012-05-11
Hello
I have an SQL 2800 database on Windows Server 2008, and this server is behind an ASA5550. I made a static NAT for the server, but I cannot connect to the database.

Below is my ASA configuration.

Server network information
IP address 172.16.0.201
Mask 255.255.255.0
Gateway 172.16.0.1
DNS 172.16.0.201

Any help is appreciated.
Regards



ASA Version 7.2(3)                  
! 
hostname ciscoasa                 
enable password X.y0JGA9o6phmjQ6 encrypted                                          
names     
! 
interface Ethernet0/0                     
 nameif outside               
 security-level 0                 
 ip address 82.205.240.98 255.255.255.224                                         
! 
interface Ethernet0/1                     
 nameif inside              
 security-level 100                   
 ip address 172.16.0.1 255.255.255.0                                    
! 
interface Ethernet0/2                     
 shutdown         
 no nameif          
 no security-level                  
 no ip address              
! 
interface Et          
 shutdown         
 no nameif          
 no security-level                  
 no ip address              
! 
interface Management0/0                       
 nameif management                  
 security-level 100                   
 ip address 192.168.1.1 255.255.255.0                                     
 management-only                
! 
passwd X.y0JGA9o6phmjQ6 encrypted                                 
ftp mode passive                
object-group service VSX8000_TCP tcp                                    
 port-object eq www                   
 port-object eq ldap                    
 port-object eq 1503                    
 port-object eq h323                    
 port-object eq 1731                    
object-group service VSX8000_TCPUDP tcp-udp                                           
 port-object range 3230 3239                            
object-group protocol TCP-UDP                             
 protocol-object tcp                    
 protocol-object udp                    
access-list INBOUND extended permit tcp any host 82.205.240.99 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.99 object-group VSX8000_TCPUDP
pager lines 24              
logging asdm informational                          
mtu outside 1500                
mtu inside 1500               
mtu management 1500                   
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                 
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
static (inside,outside) 82.205.240.99 172.16.0.200 netmask 255.255.255.255 
static (inside,outside) 82.205.240.100 172.16.0.201 netmask 255.255.255.255                                                                          
access-group INBOUND in interface outside                                         
route outside 0.0.0.0 0.0.0.0 82.205.240.97 1                                             
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                               
timeout uauth 0:05:00 absolute                              
http server enable                  
http 172.16.0.0 255.255.255.0 inside                                    
http 192.168.1.0 255.255.255.0 management                                         
no snmp-server location                       
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
telnet 172.16.0.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5             
console timeout 0                 
dhcpd dns 172.16.0.2 82.205.224.9                                 
! 
dhcpd address 172.16.0.20-172.16.0.120 inside                                             
dhcpd enable inside                   
! 
dhcpd address 192.168.1.2-192.168.1.254 management                                                  
dhcpd enable management                       
! 
! 
class-map inspection_default                            
 match default-inspection-traffic                                 
! 
! 
policy-map type inspect dns preset_dns_map                                          
 parameters           
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username nasem password M2PQQZooHuN7Zwvm encrypted privilege 15
prompt hostname context
Cryptochecksum:38eaa06b577debad47548ccd78b8d245

Question by:nasemabdullaa
6 Comments
 
LVL 4

Assisted Solution

by:CarlvanEijk
CarlvanEijk earned 200 total points
The quick and dirty way:
If you have a source address you are trying to connect from, you can add this ACL (replace xxx.xxx.xxx.xxx with the IP):
access-list INBOUND extended permit ip host xxx.xxx.xxx.xxx host 82.205.240.100

The better, more secure way is a bit more complicated.
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
I'm missing:

access-list INBOUND extended permit tcp any host 82.205.240.100 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group VSX8000_TCPUDP


Because 82.205.240.100 points to 172.16.0.201.
 

Author Comment

by:nasemabdullaa
Hello

Thank you for your kind reply.

Do you mean I need to add these commands to my ASA?
access-list INBOUND extended permit tcp any host 82.205.240.100 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group VSX8000_TCPUDP


Regards
 
LVL 35

Expert Comment

by:Ernie Beek
Indeed.

82.205.240.100 points to 172.16.0.201, which you said is the SQL server.
82.205.240.99 points to 172.16.0.200, which is ?
 
LVL 4

Accepted Solution

by:CarlvanEijk
CarlvanEijk earned 200 total points
I gather that your SQL server's internal IP address is 172.16.0.201?

It looks to me like 82.205.240.99 is your Polycom VC and those object groups are for the video conferencing protocols.

Add this line:
access-list INBOUND extended permit ip host xxx.xxx.xxx.xxx host 82.205.240.100
where xxx.xxx.xxx.xxx is the IP address of the server trying to connect to your SQL server.

If you want to open it to the world:
access-list INBOUND extended permit ip any host 82.205.240.100

If you want to open it for the SQL service only, you will need to configure an object group for the SQL ports, like:

object-group service SQL_PORTS tcp-udp
 port-object eq 1433
 ! add any other ports your instance uses (for example UDP 1434 for the SQL Server Browser service)

access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group SQL_PORTS

See http://msdn.microsoft.com/en-us/library/cc646023.aspx#BKMK_ssde for details.
 
LVL 35

Expert Comment

by:Ernie Beek
CarlvanEijk is right there (I overlooked the ports :-~ )

So set up the right object group, but use 82.205.240.100 in the access list instead of 82.205.240.99.
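As an added example (not part of the thread, and not Cisco tooling), the following Python script parses the parts of a pre-8.3 ASA configuration that matter here: the service and protocol object-groups, the static NAT statements and the ACL bound inbound on the outside interface. Because ASA 7.2 evaluates the outside ACL against the mapped (global) address, it keys exposure on each static's global IP and lists which source/protocol/port combinations reach it. Run against a constructed excerpt of the posted config it shows what Ernie Beek and CarlvanEijk point out: 82.205.240.100 (172.16.0.201) has no inbound ACE at all, while 82.205.240.99 has the seven VSX8000 video permits. It then contrasts the "open it to the world" ACE with a version that goes beyond the thread's suggestion by permitting only TCP 1433 from a single client; 203.0.113.10 is an assumed placeholder for that client, and the function names are this example's own.

```python
"""Audit what an ASA 7.x / 8.2-style config lets in to each static-NAT'd host. Pre-8.3
code matches the outside ACL against the mapped (global) address, so exposure is keyed
on it. Only permit ACEs are expanded (deny and ACE order ignored): an upper bound."""
from collections import defaultdict

PORT_NAMES = {"www": 80, "ldap": 389, "h323": 1720, "ms-sql-s": 1433}  # ASA names used here

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def addr(fields, i):  # one ACL address term: 'any' | 'host A.B.C.D' | 'NET MASK'
    if fields[i] == "any":
        return "any", i + 1
    if fields[i] == "host":
        return fields[i + 1], i + 2
    return "%s/%s" % (fields[i], fields[i + 1]), i + 2

def parse_config(text):
    """Return statics, permit ACEs of the ACL bound inbound on 'outside', and the groups."""
    svc_groups = defaultdict(list)    # name -> [(proto, lo, hi)]
    proto_groups = defaultdict(list)  # name -> ["tcp", "udp", ...]
    statics = {}                      # mapped (global) IP -> local IP
    acls = defaultdict(list)          # acl name -> [fields after 'permit']
    inbound_acl = None
    group = None                      # open object-group: (kind, name, proto)
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if not raw.startswith(" "):   # an unindented line closes the open group
            group = None
        if tok[:2] == ["object-group", "service"]:
            group = ("service", tok[2], tok[3])          # tok[3]: tcp | udp | tcp-udp
        elif tok[:2] == ["object-group", "protocol"]:
            group = ("protocol", tok[2], None)
        elif tok[0] == "port-object" and group and group[0] == "service":
            protos = ["tcp", "udp"] if group[2] == "tcp-udp" else [group[2]]
            lo = port_num(tok[2])
            hi = port_num(tok[3]) if tok[1] == "range" else lo
            svc_groups[group[1]].extend((p, lo, hi) for p in protos)
        elif tok[0] == "protocol-object" and group and group[0] == "protocol":
            proto_groups[group[1]].append(tok[1])
        elif tok[0] == "static":                         # static (in,out) MAPPED LOCAL ...
            statics[tok[2]] = tok[3]
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            acls[tok[1]].append(tok[4:])
        elif tok[0] == "access-group" and tok[2:5] == ["in", "interface", "outside"]:
            inbound_acl = tok[1]
    return statics, acls.get(inbound_acl, []), svc_groups, proto_groups

def expand_ace(fields, svc_groups, proto_groups):
    """One permit ACE -> [(src, dst, proto, lo, hi)]; proto 'ip' 0-65535 = whole host."""
    protos, i = (proto_groups[fields[1]], 2) if fields[0] == "object-group" else ([fields[0]], 1)
    src, i = addr(fields, i)
    dst, i = addr(fields, i)
    rest = fields[i:]
    if not rest:                                         # no port clause: every port
        return [(src, dst, p, 0, 65535) for p in protos]
    if rest[0] == "object-group":                        # service group carries its own proto
        return [(src, dst, p, lo, hi) for p, lo, hi in svc_groups[rest[1]] if p in protos]
    lo = port_num(rest[1])                               # eq P | range A B
    hi = port_num(rest[2]) if rest[0] == "range" else lo
    return [(src, dst, p, lo, hi) for p in protos]

def exposure(text):
    """Map each mapped IP to its local IP and the (src, proto, lo, hi) tuples it admits."""
    statics, aces, svc, pg = parse_config(text)
    report = {g: {"local": l, "permits": []} for g, l in statics.items()}
    for fields in aces:
        for src, dst, proto, lo, hi in expand_ace(fields, svc, pg):
            for mapped in (statics if dst == "any" else [dst]):
                if mapped in report:
                    report[mapped]["permits"].append((src, proto, lo, hi))
    return report

def wide_open(report, mapped_ip):  # some ACE lets any source reach every port
    return any(s == "any" and p == "ip" for s, p, _, _ in report[mapped_ip]["permits"])

# Constructed excerpt of the posted config: only the object-groups, ACL and statics.
BASE = """\
object-group service VSX8000_TCP tcp
 port-object eq www
 port-object eq ldap
 port-object eq 1503
 port-object eq h323
 port-object eq 1731
object-group service VSX8000_TCPUDP tcp-udp
 port-object range 3230 3239
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
access-list INBOUND extended permit tcp any host 82.205.240.99 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.99 object-group VSX8000_TCPUDP
static (inside,outside) 82.205.240.99 172.16.0.200 netmask 255.255.255.255
static (inside,outside) 82.205.240.100 172.16.0.201 netmask 255.255.255.255
access-group INBOUND in interface outside
"""
# The thread's "open to the world" ACE (with the 'ip' keyword the ASA requires) versus TCP 1433
# from a single client only; 203.0.113.10 is an assumed placeholder for that client's address.
OPEN = BASE + "access-list INBOUND extended permit ip any host 82.205.240.100\n"
TIGHT = BASE + "access-list INBOUND extended permit tcp host 203.0.113.10 host 82.205.240.100 eq 1433\n"
```

Calling `exposure(BASE)["82.205.240.100"]` returns the local address 172.16.0.201 with an empty permit list, which is the whole problem in the question; `exposure(OPEN)` reports `("any", "ip", 0, 65535)` for that host and `wide_open` flags it, while `exposure(TIGHT)` reports only TCP 1433 from the one client. Deny ACEs and line order are deliberately ignored, so the report over-approximates reachability; it is a way to spot missing or over-broad permits, not a replacement for the ASA's own packet-tracer.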