Solved: Connect to SQL from outside after ASA5550

Posted on 2011-02-11
608 Views
Last Modified: 2012-05-11
Hello

I have a SQL 2800 database and it's on Windows Server 2008; this server is behind an ASA5550. I made a static NAT for the server but I cannot connect to the database.

Below is my ASA configuration.

Server network information
IP address 172.16.0.201
Mask 255.255.255.0
Gateway 172.16.0.1
DNS 172.16.0.201

Any help?
Regards



ASA Version 7.2(3)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 82.205.240.98 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Et
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd X.y0JGA9o6phmjQ6 encrypted
ftp mode passive
object-group service VSX8000_TCP tcp
 port-object eq www
 port-object eq ldap
 port-object eq 1503
 port-object eq h323
 port-object eq 1731
object-group service VSX8000_TCPUDP tcp-udp
 port-object range 3230 3239
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
access-list INBOUND extended permit tcp any host 82.205.240.99 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.99 object-group VSX8000_TCPUDP
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.205.240.99 172.16.0.200 netmask 255.255.255.255
static (inside,outside) 82.205.240.100 172.16.0.201 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 82.205.240.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 172.16.0.2 82.205.224.9
!
dhcpd address 172.16.0.20-172.16.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username nasem password M2PQQZooHuN7Zwvm encrypted privilege 15
prompt hostname context
Cryptochecksum:38eaa06b577debad47548ccd78b8d245

Question by: nasemabdullaa

6 Comments
LVL 4
Assisted Solution by: CarlvanEijk (earned 200 total points)
ID: 34870975
The quick and dirty way:
If you have a source address you are trying to connect from, you can add this ACL (replace xxx.xxx.xxx.xxx with the IP):
access-list INBOUND extended permit ip host xxx.xxx.xxx.xxx host 82.205.240.100

The better, more secure way is a bit more complicated.
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
ID: 34871006
I'm missing:

access-list INBOUND extended permit tcp any host 82.205.240.100 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group VSX8000_TCPUDP

because 82.205.240.100 points to 172.16.0.201.
Author Comment by: nasemabdullaa
ID: 34871470
Hello

Thank you for your kind reply.

Do you mean I need to add these commands to my ASA?
access-list INBOUND extended permit tcp any host 82.205.240.100 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group VSX8000_TCPUDP

Regards
LVL 35
Expert Comment by: Ernie Beek
ID: 34871492
Indeed.

82.205.240.100 points to 172.16.0.201, which you said is the SQL server.
82.205.240.99 points to 172.16.0.200, which is?
LVL 4
Accepted Solution by: CarlvanEijk (earned 200 total points)
ID: 34871561
I gather that your SQL server internal IP address is 176.16.0.201?

It looks to me like 82.205.240.99 is your Polycom VC and those object groups are for the video conferencing protocols.

Add this line:
access-list INBOUND extended permit ip host xxx.xxx.xxx.xxx host 82.205.240.100
where xxx.xxx.xxx.xxx is the IP address of the server trying to connect to your SQL server.

If you want to open it to the world:
access-list INBOUND extended permit ip any host 82.205.240.100

If you want to configure it for the SQL service only, you will need to configure the object groups for SQL, like:

object-group service SQL_PORTS tcp-udp
 port-object eq 1433
 port-object eq "some other ports depending on your configuration"

access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.100 object-group SQL_PORTS

See http://msdn.microsoft.com/en-us/library/cc646023.aspx#BKMK_ssde for details.
LVL 35
Expert Comment by: Ernie Beek
ID: 34871591
CarlvanEijk is right there (I overlooked the ports :-~ )

So set up the right object group, but use 82.205.240.100 in the access list instead of 82.205.240.99.
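As an added example (not code from the thread or any of its participants), the small Python audit below parses the static NAT, access-list and access-group lines of an ASA 7.x-style config and reports every static translation whose public address is not covered by a permit entry of the ACL bound inbound on the outside interface; run on a constructed excerpt modelled on the posted config, it flags 82.205.240.100, the gap the answers identify. It assumes extended ACEs in the form used on this page (protocol or object-group, source, optional source port operator, destination) and does not evaluate port restrictions.

```python
"""Find ASA static NATs with no inbound permit on the outside ACL.
Added example for this thread; SAMPLE_CONFIG is a constructed excerpt."""
import re

SAMPLE_CONFIG = """\
access-list INBOUND extended permit tcp any host 82.205.240.99 object-group VSX8000_TCP
access-list INBOUND extended permit object-group TCP-UDP any host 82.205.240.99 object-group VSX8000_TCPUDP
static (inside,outside) 82.205.240.99 172.16.0.200 netmask 255.255.255.255
static (inside,outside) 82.205.240.100 172.16.0.201 netmask 255.255.255.255
access-group INBOUND in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.+)$")
BIND_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+$")

def _take_spec(tokens):
    """Pop one protocol or address spec: 'host X', 'object-group G', 'A MASK' or a single word."""
    if tokens[0] in ("host", "object-group") or IPV4_RE.match(tokens[0]):
        return tokens.pop(0), tokens.pop(0)
    return (tokens.pop(0),)                      # "any", "tcp", "ip", ...

def ace_destination(body):
    """Return the destination spec of an ACE body (the text after permit/deny)."""
    tokens = body.split()
    _take_spec(tokens)                           # protocol
    _take_spec(tokens)                           # source address
    while tokens and tokens[0] in ("eq", "gt", "lt", "neq", "range"):
        del tokens[0:3 if tokens[0] == "range" else 2]   # skip a source port operator
    return _take_spec(tokens)

def unreachable_statics(config):
    """Return [(public, private), ...] for statics no permit ACE on the outside
    interface's inbound ACL names as destination (host match or 'any')."""
    statics, aces, bindings = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := BIND_RE.match(line):
            bindings[m.group(2)] = m.group(1)    # interface -> ACL name
    missing = []
    for _inside_if, outside_if, public, private, _mask in statics:
        acl = aces.get(bindings.get(outside_if), [])
        covered = any(action == "permit" and ace_destination(body) in (("any",), ("host", public))
                      for action, body in acl)
        if not covered:
            missing.append((public, private))
    return missing

if __name__ == "__main__":
    for public, private in unreachable_statics(SAMPLE_CONFIG):
        print(f"static {public} -> {private}: no inbound permit on the outside ACL")
```

Appending the accepted answer's SQL_PORTS access-list line for 82.205.240.100 to the sample makes the report empty.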