Solved

ASA 5505 blocking remote SQL connection

Posted on 2011-03-24
6
2,322 Views
1 Endorsement
Last Modified: 2012-06-27
We have a Cisco ASA 5505-50 onsite. Our users need to connect to a SQL database on another network using a VPN connection. This connection works fine from anywhere besides our inside network behind this firewall(ie. from home and coffee shops). IP is enabled for all inside traffic (outbound) and i tried opening TCP and UDP ports 1433 and 1434 on the outside interface but it didn't change anything. I feel it may be related to a fixup protocol but nothing is jumping out at me. I tried unchecking "SQLNET" in the inspection policy but again, no difference. Any idea what could be blocking our SQL connection? I can post the ASA config if needed but I was hoping to get an answer without having to do so.
1
Comment
Question by:DDI4U
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 35209635
Eliminate blocked ports 1st.    This should be easily identifiable by watching the ASDM log or looking at a syslog for dropped packets on 1433 outbound.  

Look at the inspection policy, you can try  removing and re-enabling the sqlnet inspection.  

While on VPN, can you access the port on the remote host?   A quick nmap scan of the host will tell you if 1433 is open to you.  Is it?

0
 

Author Comment

by:DDI4U
ID: 35210687
I didn't try NMap but I am certain that it is not an ACL as I opened IP for a brief moment and it still wouldn't connect. Its puzzling that it will work elsewhere and only doesn't from this location. I enabled and disabled SQLNet, tried running NAT-traversal command, enabled ipsec-passthrough inspection, and nothing works. However performing the NAT-traversal command did get rid of "regular translation creation failed for protocol 50" that I was getting after a reload of the ASA. At this point the SQL connection still fails and there is nothing in the ASA log to present a place to start debugging. I have posted the ASA config as i am sure it will get to that point.


Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password W.oUsKiEpNzJ6VMx encrypted
passwd W.oUsKiEpNzJ6VMx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.50.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any host 111.111.111.112
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq smtp
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq www
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq https
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq pptp
access-list DOMAIN_splitTunnelAcl standard permit 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.50.64 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 172.16.50.70-172.16.50.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.111.111.112 172.16.50.14 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs group5
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy GP1 internal
group-policy GP1 attributes
 dns-server value 172.16.50.14
 vpn-simultaneous-logins 10
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DOMAIN_splitTunnelAcl
 default-domain value domain.local
tunnel-group GP1 type ipsec-ra
tunnel-group GP1 general-attributes
 address-pool VPN_IP_Pool
 default-group-policy GP1
tunnel-group GP1 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect http
  inspect icmp
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect sqlnet
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:c62047f862e4d7c115c67cf51f7613f4
: end
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 35218296
Our users need to connect to a SQL database on another network using a VPN connection?

so you need to vpn into another network first? If so, a VPN tunnel need to be set up between you ASA and the other network???

sincerely
0
Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

 

Author Comment

by:DDI4U
ID: 35218496
so you need to vpn into another network first? If so, a VPN tunnel need to be set up between you ASA and the other network???

The users connect to the offsite network using the Cisco VPN client. This is not a point to point connection.

We have worked extensively to figure this issue out and in our testing we determined that the issue is not only with this ASA, the issue persists behind every other ASA firewall that we have access to as well. Connecting to this "trouble" network behind multiple ASA 5505 and 5510 firewalls gives results of not being able to ping or connect to any resources on the offsite network. This leads me to believe that the issue may be on the other end but its hard to give that as a final answer since the connection works fine behind any other firewall.
0
 

Accepted Solution

by:
DDI4U earned 0 total points
ID: 35235766
I think this is an issue with the other site's configuration thus this question should be closed. Thanks for your inputs.
0
 

Author Closing Comment

by:DDI4U
ID: 36220418
Issue is on the other end.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Viewers will learn how the fundamental information of how to create a table.
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question