Solved

ASA 5505 blocking remote SQL connection

Posted on 2011-03-24
6
2,189 Views
1 Endorsement
Last Modified: 2012-06-27
We have a Cisco ASA 5505-50 onsite. Our users need to connect to a SQL database on another network using a VPN connection. This connection works fine from anywhere besides our inside network behind this firewall(ie. from home and coffee shops). IP is enabled for all inside traffic (outbound) and i tried opening TCP and UDP ports 1433 and 1434 on the outside interface but it didn't change anything. I feel it may be related to a fixup protocol but nothing is jumping out at me. I tried unchecking "SQLNET" in the inspection policy but again, no difference. Any idea what could be blocking our SQL connection? I can post the ASA config if needed but I was hoping to get an answer without having to do so.
1
Comment
Question by:DDI4U
  • 4
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 35209635
Eliminate blocked ports 1st.    This should be easily identifiable by watching the ASDM log or looking at a syslog for dropped packets on 1433 outbound.  

Look at the inspection policy, you can try  removing and re-enabling the sqlnet inspection.  

While on VPN, can you access the port on the remote host?   A quick nmap scan of the host will tell you if 1433 is open to you.  Is it?

0
 

Author Comment

by:DDI4U
ID: 35210687
I didn't try NMap but I am certain that it is not an ACL as I opened IP for a brief moment and it still wouldn't connect. Its puzzling that it will work elsewhere and only doesn't from this location. I enabled and disabled SQLNet, tried running NAT-traversal command, enabled ipsec-passthrough inspection, and nothing works. However performing the NAT-traversal command did get rid of "regular translation creation failed for protocol 50" that I was getting after a reload of the ASA. At this point the SQL connection still fails and there is nothing in the ASA log to present a place to start debugging. I have posted the ASA config as i am sure it will get to that point.


Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password W.oUsKiEpNzJ6VMx encrypted
passwd W.oUsKiEpNzJ6VMx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.50.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any host 111.111.111.112
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq smtp
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq www
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq https
access-list outside_access_in extended permit tcp any host 111.111.111.112 eq pptp
access-list DOMAIN_splitTunnelAcl standard permit 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.50.64 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 172.16.50.70-172.16.50.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.111.111.112 172.16.50.14 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs group5
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy GP1 internal
group-policy GP1 attributes
 dns-server value 172.16.50.14
 vpn-simultaneous-logins 10
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DOMAIN_splitTunnelAcl
 default-domain value domain.local
tunnel-group GP1 type ipsec-ra
tunnel-group GP1 general-attributes
 address-pool VPN_IP_Pool
 default-group-policy GP1
tunnel-group GP1 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect http
  inspect icmp
  inspect pptp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect sqlnet
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:c62047f862e4d7c115c67cf51f7613f4
: end
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 35218296
Our users need to connect to a SQL database on another network using a VPN connection?

so you need to vpn into another network first? If so, a VPN tunnel need to be set up between you ASA and the other network???

sincerely
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:DDI4U
ID: 35218496
so you need to vpn into another network first? If so, a VPN tunnel need to be set up between you ASA and the other network???

The users connect to the offsite network using the Cisco VPN client. This is not a point to point connection.

We have worked extensively to figure this issue out and in our testing we determined that the issue is not only with this ASA, the issue persists behind every other ASA firewall that we have access to as well. Connecting to this "trouble" network behind multiple ASA 5505 and 5510 firewalls gives results of not being able to ping or connect to any resources on the offsite network. This leads me to believe that the issue may be on the other end but its hard to give that as a final answer since the connection works fine behind any other firewall.
0
 

Accepted Solution

by:
DDI4U earned 0 total points
ID: 35235766
I think this is an issue with the other site's configuration thus this question should be closed. Thanks for your inputs.
0
 

Author Closing Comment

by:DDI4U
ID: 36220418
Issue is on the other end.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now