nasemabdullaa
asked on
Connect to SQL server located after ASA 5550
Hello
I want to connect to a SQL server from outside my network using a public IP address.
I tried to make a static NAT:
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
Please, what port do I need to open, and how can I do that on the ASA 5550?
Regards
ASKER CERTIFIED SOLUTION
ASKER
Hello EE
Thank you for your reply.
Please find my ASA configuration below. I added the command you sent me, but I still cannot connect to SQL.
Any help?
Regards
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username freedom password .ofNoJSVfLf2NGCy encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
!
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd2017bbca97c17346420652e220e24d
: end
ciscoasa#
Does the SQL server have the ASA as its default gateway? Does it have a firewall running?
ASKER
Hello
Yes, the server IP configuration is:
IP 192.168.0.201
mask 255.255.255.0
GW 192.168.0.1
DNS1 192.168.0.201
DNS2 123.123.123.123
No, I disabled the firewall.
By the way, I have now connected one LAN card of the server directly to the public IP, and I can connect from outside. This means I have a problem in the ASA.
Regards
When you have a look at the logs on the ASA while trying to connect, do they show anything?
ASKER
Hello EE
Thank you for your reply.
Please, I tried to use the commands below, but they also do not work:
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-list INBOUND extended permit ip host 192.168.0.201 host 123.123.123.123
object-group service SQL_PORTS tcp-udp
port-object eq 1433
access-list INBOUND extended permit object-group TCP-UDP any host 123.123.123.123 object-group SQL_PORTS
access-group INBOUND in interface outside
object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp
Please, it does not work. What do I need to do? Neither the old commands nor the new commands are working.
I attached the new configuration.
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group service SQL_PORTS tcp-udp
port-object eq 1433
object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp
access-list INBOUND extended permit ip host 192.168.0.201 host 123.123.123.123
access-list INBOUND extended permit object-group TCP-UDP any host 123.123.123.123 object-group SQL_PORTS
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5647896427d5cfe562de83d5292cbf83
: end
ciscoasa#
SOLUTION
One more thing. I asked a moderator to remove the configurations, because it is showing your public addresses and at the moment your SQL server seems to be very reachable on all ports (for me it is).
ASKER
Hello
Thank you for your reply.
>>>Are you sure you can't connect? Because I can
You can connect because, as I said in my previous comment, I connected the server directly to the public IP address without the ASA; therefore you can connect. I did that because the users need to work, and I did it temporarily to enable the users to work.
Below is my configuration. Please try to connect now.
Regards
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c23786ac44a5af92c24679e8f789e017
: end
ciscoasa#
ASKER
Please, how can I see the logs?
ASKER
Dear EE
Please, I installed a new ASA in a second building and installed a new SQL server, but I also cannot connect from outside.
Below is my configuration.
Please, any help?
I use:
static (inside,outside) 123.123.123.123 172.16.0.4 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside
Please, it does not work. Now I have the problem on two servers.
Any help?
User Access Verification
Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ************
ciscoasa# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Et
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 172.16.0.4 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 172.16.0.3 82.205.224.9
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.0.20-172.16.0.120 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cdefd5a41324c897da04eeefb54bcf6
: end
ciscoasa#
ASKER
Hello EE
It works after I reset the ASA to factory defaults.
Regards
Good! Glad you resolved it. Still strange why it wasn't working in the first place......
Thx for the points.
object network obj-192.168.0.201
host 192.168.0.201
nat (inside,outside) static 123.123.123.123
access-list outside_in extended permit tcp any host 192.168.0.201 eq 1433
access-group outside_in in interface outside
Seeing that these versions are used more and more, I thought I might add that :)
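As an added example (not code from this thread or from Cisco), a small Python checker that parses the two NAT/ACL styles shown above and reports when the ACL destination does not match what the running ASA version expects: the mapped (public) IP before 8.3, the real (inside) IP from 8.3 on. The sample configs are constructed from the lines posted in the thread, and the checker also flags tcp/1433 permitted from any source, since the expert observed the server being reachable from the internet.

```python
import re

# Constructed sample configs (not from a live device): the pre-8.3 form used in
# the thread, and the 8.3+ object-NAT form shown in the last comment.
PRE83 = """
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside
"""
POST83 = """
object network obj-192.168.0.201
 host 192.168.0.201
 nat (inside,outside) static 123.123.123.123
access-list outside_in extended permit tcp any host 192.168.0.201 eq 1433
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")  # mapped, real
HOST_RE = re.compile(r"^\s*host (\S+)")                              # object's real IP
OBJNAT_RE = re.compile(r"^\s*nat \(\w+,\w+\) static (\S+)")         # object's mapped IP
ACL_RE = re.compile(r"^access-list (\S+) extended permit \w+ (any|host \S+) host (\S+) eq (\d+)")

def parse(cfg):
    """Return ({mapped_ip: real_ip}, [(acl_name, src, dst, port), ...])."""
    nat, acls, cur_real = {}, [], None
    for line in cfg.splitlines():
        if m := STATIC_RE.match(line):
            nat[m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            cur_real = m.group(1)
        elif m := OBJNAT_RE.match(line):
            nat[m.group(1)] = cur_real
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return nat, acls

def audit(cfg, asa_8_3_or_later):
    """Check each inbound ACL destination against the NAT form the running version
    expects, and flag SQL open to any source. Returns a list of finding strings."""
    nat, acls = parse(cfg)
    real_to_mapped = {real: mapped for mapped, real in nat.items()}
    findings = []
    for name, src, dst, port in acls:
        if asa_8_3_or_later and dst in nat:
            findings.append(f"{name}: dst {dst} is the mapped IP; 8.3+ ACLs use real IP {nat[dst]}")
        elif not asa_8_3_or_later and dst in real_to_mapped:
            findings.append(f"{name}: dst {dst} is the real IP; pre-8.3 ACLs use mapped IP {real_to_mapped[dst]}")
        if src == "any" and port == 1433:
            findings.append(f"{name}: tcp/1433 open to any source; restrict to known client addresses")
    return findings
```

Run `audit(cfg_text, version_is_8_3_or_later)` on a saved `show run`; an empty list means the ACL and NAT agree for that version.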