ASA 5505 blocking remote SQL connection

Posted on 2011-03-24
Last Modified: 2012-06-27
We have a Cisco ASA 5505-50 onsite. Our users need to connect to a SQL database on another network using a VPN connection. This connection works fine from anywhere besides our inside network behind this firewall (i.e., from home and coffee shops). IP is enabled for all inside traffic (outbound) and I tried opening TCP and UDP ports 1433 and 1434 on the outside interface but it didn't change anything. I feel it may be related to a fixup protocol but nothing is jumping out at me. I tried unchecking "SQLNET" in the inspection policy but again, no difference. Any idea what could be blocking our SQL connection? I can post the ASA config if needed but I was hoping to get an answer without having to do so.
Question by:DDI4U

Expert Comment

ID: 35209635
Eliminate blocked ports 1st. This should be easily identifiable by watching the ASDM log or looking at a syslog for dropped packets on 1433 outbound.

Look at the inspection policy, you can try removing and re-enabling the sqlnet inspection.

While on VPN, can you access the port on the remote host? A quick nmap scan of the host will tell you if 1433 is open to you. Is it?


Author Comment

ID: 35210687
I didn't try NMap but I am certain that it is not an ACL as I opened IP for a brief moment and it still wouldn't connect. It's puzzling that it will work elsewhere and only doesn't from this location. I enabled and disabled SQLNet, tried running NAT-traversal command, enabled ipsec-passthrough inspection, and nothing works. However, performing the NAT-traversal command did get rid of "regular translation creation failed for protocol 50" that I was getting after a reload of the ASA. At this point the SQL connection still fails and there is nothing in the ASA log to present a place to start debugging. I have posted the ASA config as I am sure it will get to that point.

Result of the command: "sh run"

: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name domain.local
enable password W.oUsKiEpNzJ6VMx encrypted
passwd W.oUsKiEpNzJ6VMx encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any host eq smtp
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq https
access-list outside_access_in extended permit tcp any host eq pptp
access-list DOMAIN_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs group5
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

group-policy GP1 internal
group-policy GP1 attributes
 dns-server value
 vpn-simultaneous-logins 10
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DOMAIN_splitTunnelAcl
 default-domain value domain.local
tunnel-group GP1 type ipsec-ra
tunnel-group GP1 general-attributes
 address-pool VPN_IP_Pool
 default-group-policy GP1
tunnel-group GP1 ipsec-attributes
 pre-shared-key *
class-map global-class
 match default-inspection-traffic
policy-map global-policy
 class global-class
  inspect dns
  inspect http
  inspect icmp
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect sqlnet
service-policy global-policy global
prompt hostname context
: end
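
The syslog check suggested in the first expert comment, together with the "regular translation creation failed for protocol 50" message the author mentions, as an added example that is not part of the original posts. The log lines are constructed with documentation-range addresses, the function name `triage_asa_log` is hypothetical, and the regexes assume the standard ASA syslog message IDs 106023 (ACL deny) and 305006 (translation creation failed).

```python
import re

# Constructed sample syslog lines (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
Mar 24 2011 10:01:02: %ASA-4-106023: Deny tcp src inside:192.0.2.10/51234 dst outside:198.51.100.20/1433 by access-group "inside_access_in" [0x0, 0x0]
Mar 24 2011 10:01:05: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.0.2.10 dst outside:198.51.100.1
Mar 24 2011 10:01:09: %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:192.0.2.10/51240 (203.0.113.5/1029)
Mar 24 2011 10:01:12: %ASA-4-106023: Deny udp src inside:192.0.2.11/50000 dst outside:198.51.100.20/1434 by access-group "inside_access_in" [0x0, 0x0]
Mar 24 2011 10:01:15: %ASA-4-106023: Deny tcp src inside:192.0.2.12/50001 dst outside:198.51.100.30/445 by access-group "inside_access_in" [0x0, 0x0]
"""

# 106023: packet denied by an ACL applied with access-group.
DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\S+) "
    r"src [^:\s]+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# 305006: translation (xlate) creation failed; IP protocol 50 is ESP (IPsec).
XLATE = re.compile(
    r"%ASA-\d-305006: .+? translation creation failed for protocol "
    r"(?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+)"
)

def triage_asa_log(log_text, ports=(1433, 1434)):
    """Split log lines into ACL denies on the SQL ports and ESP xlate failures."""
    findings = {"sql_denies": [], "esp_xlate_failures": []}
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m and int(m["dport"]) in ports:
            findings["sql_denies"].append(
                (m["proto"], m["sip"], m["dip"], int(m["dport"]))
            )
            continue
        m = XLATE.search(line)
        if m and m["proto"] == "50":
            findings["esp_xlate_failures"].append((m["src"], m["dst"]))
    return findings

if __name__ == "__main__":
    result = triage_asa_log(SAMPLE_LOG)
    for kind, rows in result.items():
        print(kind, len(rows))
        for row in rows:
            print("   ", row)
```

An empty `sql_denies` list alongside entries in `esp_xlate_failures` points away from the ACL and toward how the IPsec client's ESP traffic is translated on the way out.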

Expert Comment

ID: 35218296
Our users need to connect to a SQL database on another network using a VPN connection?

So you need to VPN into another network first? If so, a VPN tunnel needs to be set up between your ASA and the other network?


Author Comment

ID: 35218496
So you need to VPN into another network first? If so, a VPN tunnel needs to be set up between your ASA and the other network?

The users connect to the offsite network using the Cisco VPN client. This is not a point to point connection.

We have worked extensively to figure this issue out and in our testing we determined that the issue is not only with this ASA; the issue persists behind every other ASA firewall that we have access to as well. Connecting to this "trouble" network behind multiple ASA 5505 and 5510 firewalls gives results of not being able to ping or connect to any resources on the offsite network. This leads me to believe that the issue may be on the other end but it's hard to give that as a final answer since the connection works fine behind any other firewall.

Accepted Solution

DDI4U earned 0 total points
ID: 35235766
I think this is an issue with the other site's configuration, thus this question should be closed. Thanks for your input.

Author Closing Comment

ID: 36220418
Issue is on the other end.
