DDI4U
ASA 5505 blocking remote SQL connection
We have a Cisco ASA 5505-50 onsite. Our users need to connect to a SQL database on another network using a VPN connection. This connection works fine from anywhere besides our inside network behind this firewall (i.e. from home and coffee shops). IP is enabled for all inside traffic (outbound) and I tried opening TCP and UDP ports 1433 and 1434 on the outside interface but it didn't change anything. I feel it may be related to a fixup protocol but nothing is jumping out at me. I tried unchecking "SQLNET" in the inspection policy but again, no difference. Any idea what could be blocking our SQL connection? I can post the ASA config if needed but I was hoping to get an answer without having to do so.
ASKER
I didn't try NMap but I am certain that it is not an ACL as I opened IP for a brief moment and it still wouldn't connect. It's puzzling that it will work elsewhere and only doesn't from this location. I enabled and disabled SQLNet, tried running the NAT-traversal command, enabled ipsec-passthrough inspection, and nothing works. However, performing the NAT-traversal command did get rid of "regular translation creation failed for protocol 50" that I was getting after a reload of the ASA. At this point the SQL connection still fails and there is nothing in the ASA log to present a place to start debugging. I have posted the ASA config as I am sure it will get to that point.
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password W.oUsKiEpNzJ6VMx encrypted
passwd W.oUsKiEpNzJ6VMx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any host 111.111.111.112
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq smtp
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq www
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq https
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq pptp
access-list DOMAIN_splitTunnelAcl standard permit 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.50.64 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 172.16.50.70-172.16.50.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.111.111.112 172.16.50.14 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs group5
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
group-policy GP1 internal
group-policy GP1 attributes
dns-server value 172.16.50.14
vpn-simultaneous-logins 10
vpn-idle-timeout 120
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_splitTunnelAcl
default-domain value domain.local
tunnel-group GP1 type ipsec-ra
tunnel-group GP1 general-attributes
address-pool VPN_IP_Pool
default-group-policy GP1
tunnel-group GP1 ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect http
inspect icmp
inspect pptp
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sunrpc
inspect xdmcp
inspect ipsec-pass-thru
inspect sqlnet
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:c62047f862e 4d7c115c67 cf51f7613f 4
: end
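As an added example (not the asker's or Cisco's code), here is a Python script that reads a pasted "sh run" and reports the settings this thread turns on and off: PAT of inside hosts, the ASA's NAT-T command, IPsec pass-through and SQLNet inspection, with a note on what each one actually governs. The sample input is lines lifted from the config above; NOTES is my reading of those settings, not ASA output.

```python
import re
# Constructed sample: lines lifted from the "sh run" posted above (the paste, like
# the page, lost the ASA's indentation, so the parser must not rely on it).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp nat-traversal 20
policy-map global-policy
class global-class
inspect ipsec-pass-thru
inspect sqlnet
!
service-policy global-policy global
"""
# What each flagged setting actually does (my reading, not ASA output).
NOTES = {
    "pat_inside_to_outside": "Inside hosts share one outside address (PAT); bare ESP (IP protocol "
        "50) has no ports to rewrite, hence 'translation creation failed for protocol 50'. The "
        "client tunnel needs NAT-T (UDP 4500) or an ESP pinhole from ipsec-pass-thru inspection.",
    "asa_nat_traversal": "'crypto isakmp nat-traversal' covers tunnels this ASA terminates; a "
        "transit VPN client negotiates NAT-T with its own headend.",
    "sqlnet_inspect": "'inspect sqlnet' targets Oracle SQL*Net (TCP 1521), not MS SQL on 1433, "
        "and cannot see traffic inside an IPsec tunnel anyway.",
}

def global_inspections(config):
    """Inspect engines under the policy-map applied by 'service-policy <name> global'."""
    lines = [l.strip() for l in config.splitlines()]
    names = [m.group(1) for m in map(re.compile(r"service-policy (\S+) global$").match, lines) if m]
    engines, in_policy = [], False
    for l in lines:
        if names and l == f"policy-map {names[0]}":
            in_policy = True
        elif in_policy and l.startswith("inspect "):
            engines.append(l.split()[1])
        elif in_policy and not l.startswith("class "):
            in_policy = False   # any other line ("!", service-policy, ...) ends the block
    return engines

def audit(config):
    """Return (findings, notes) for the settings this thread toggles."""
    lines = [l.strip() for l in config.splitlines()]
    has = lambda pattern: any(re.match(pattern, l) for l in lines)
    engines = global_inspections(config)
    f = {"pat_inside_to_outside": has(r"nat \(inside\) 1 0\.0\.0\.0 0\.0\.0\.0$")
                                  and has(r"global \(outside\) 1 interface$"),
         "asa_nat_traversal": has(r"crypto isakmp nat-traversal"),
         "ipsec_pass_thru": "ipsec-pass-thru" in engines,
         "sqlnet_inspect": "sqlnet" in engines}
    return f, [NOTES[k] for k in NOTES if f[k]]
```

Run it over the full paste to get the same findings; anything the tunnel carries (the TDS traffic to port 1433 included) is invisible to the ASA's inspections, which is why toggling SQLNET changed nothing.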
Our users need to connect to a SQL database on another network using a VPN connection?
So you need to VPN into another network first? If so, a VPN tunnel needs to be set up between your ASA and the other network???
sincerely
ASKER
So you need to VPN into another network first? If so, a VPN tunnel needs to be set up between your ASA and the other network???
The users connect to the offsite network using the Cisco VPN client. This is not a point to point connection.
We have worked extensively to figure this issue out and in our testing we determined that the issue is not only with this ASA; the issue persists behind every other ASA firewall that we have access to as well. Connecting to this "trouble" network behind multiple ASA 5505 and 5510 firewalls gives results of not being able to ping or connect to any resources on the offsite network. This leads me to believe that the issue may be on the other end but it's hard to give that as a final answer since the connection works fine behind any other firewall.
ASKER
Issue is on the other end.
Look at the inspection policy, you can try removing and re-enabling the sqlnet inspection.
While on VPN, can you access the port on the remote host? A quick nmap scan of the host will tell you if 1433 is open to you. Is it?