Solved

Connect to SQL server located after ASA 5550

Posted on 2011-09-09
Last Modified: 2012-05-12
Hello
I want to connect to the SQL server from outside my network using a public IP address.
I tried to make a static NAT:

static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255

Please, what port do I need to open and how can I do that in the ASA 5550?

Regards
Question by:nasemabdullaa
15 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 400 total points
ID: 36513155
SQL usually runs on static port 1433, but this depends on the 'flavor' of SQL you are using. MySQL uses 3306, for example.

Assuming you are using 1433, the ASA commands would look like this:

access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside  



If you have any trouble with that, post a sanitized config from your ASA here.... thanks.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36514152
Can't add anything to the post of my esteemed fellow expert MikeKane, except for one thing. If you use version 8.3 or higher, it should be:

object network obj-192.168.0.201
host 192.168.0.201
nat (inside,outside) static 123.123.123.123

access-list outside_in extended permit tcp any host 192.168.0.201 eq 1433
access-group outside_in in interface outside


Seeing that these versions are used more and more, I thought I might add that :)
0
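The two configuration shapes above (MikeKane's pre-8.3 `static` with the ACL on the mapped address, Ernie Beek's 8.3+ object NAT with the ACL on the real address) differ only in which address the outside ACL must name, which is exactly what gets mixed up when a config is carried between versions. The audit below is an added example written for this page, not code from the thread or from Cisco; the config excerpts are constructed from the commands posted above, the function names are the example's own, and the regexes only cover the command forms that appear in this thread.

```python
import re

# Constructed config excerpts (not from the page) in the two syntaxes the thread contrasts.
CFG_PRE83 = """ASA Version 7.2(2)
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
"""
CFG_83_OLD_ACL = """ASA Version 8.3(1)
object network obj-192.168.0.201
 host 192.168.0.201
nat (inside,outside) static 123.123.123.123
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside
"""

VERSION = re.compile(r"^ASA Version (\d+)\.(\d+)")
STATIC = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")  # pre-8.3: mapped real
OBJ_HOST = re.compile(r"^ host (\S+)")                                  # inside 'object network'
OBJ_NAT = re.compile(r"^nat \(inside,outside\) static (\S+)")           # 8.3+: mapped address
ACL = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse(config):
    """Return (version, {mapped: real}, {acl: {(dst_host, port)}}, {interface: acl})."""
    version, statics, acls, applied, real = (0, 0), {}, {}, {}, None
    for line in config.splitlines():
        if m := VERSION.match(line):
            version = (int(m[1]), int(m[2]))
        elif m := STATIC.match(line):
            statics[m[1]] = m[2]
        elif m := OBJ_HOST.match(line):
            real = m[1]  # remembered until the object's 'nat ... static' line follows
        elif (m := OBJ_NAT.match(line)) and real:
            statics[m[1]] = real
        elif m := ACL.match(line):
            acls.setdefault(m[1], set()).add((m[2], int(m[3])))
        elif m := GROUP.match(line):
            applied[m[2]] = m[1]
    return version, statics, acls, applied

def audit(config, port=1433):
    """List reasons why inbound tcp/port would not reach the translated inside host."""
    version, statics, acls, applied = parse(config)
    acl = applied.get("outside")
    if acl is None:
        return ["no access-group applied inbound on the outside interface"]
    entries, findings = acls.get(acl, set()), []
    for mapped, real in statics.items():
        # Pre-8.3 ACLs name the mapped (public) address; 8.3+ ACLs name the real address.
        expected, wrong = (mapped, real) if version < (8, 3) else (real, mapped)
        if (expected, port) not in entries:
            why = f"ACL names {wrong} instead" if (wrong, port) in entries else "no matching entry"
            findings.append(f"tcp/{port} to {expected} not permitted by ACL {acl}: {why}")
    return findings
```

Running `audit(CFG_83_OLD_ACL)` reports that the ACL still names the mapped address, which is the mistake Ernie's note guards against; `audit(CFG_PRE83)` returns no findings.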
 

Author Comment

by:nasemabdullaa
ID: 36515890
Hello EE

Thank you for your reply
Please see my ASA configuration below. I added the commands you sent me, but I still cannot connect to SQL.

Any help

Regards
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username freedom password .ofNoJSVfLf2NGCy encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd2017bbca97c17346420652e220e24d
: end
ciscoasa#


0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36515955
Does the sql server have the asa as default gateway? Does it have a firewall running?
0
 

Author Comment

by:nasemabdullaa
ID: 36515958
Hello

Yes, the server IP configuration is:

IP 192.168.0.201
mask 255.255.255.0
GW 192.168.0.1
DNS1  192.168.0.201
DNS2  123.123.123.123

No, I disabled the firewall.

By the way, I have now connected one LAN card of the server directly to the public IP and I can connect from outside. This means the problem is in the ASA.

Regards
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36515988
When you have a look at the logs on the asa when trying to connect, does it show anything?
0
 

Author Comment

by:nasemabdullaa
ID: 36516739
hello EE
Thank you for your reply
I also tried to use the commands below, but they do not work either:
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-list INBOUND extended permit ip host 192.168.0.201 host 123.123.123.123
object-group service SQL_PORTS tcp-udp
 port-object eq 1433
access-list INBOUND extended permit object-group TCP-UDP any host 123.123.123.123 object-group SQL_PORTS
access-group INBOUND in interface outside
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp


Please, it does not work. What do I need to do? Neither the old commands nor the new commands are working.
I attached the new configuration:
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group service SQL_PORTS tcp-udp
 port-object eq 1433
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
access-list INBOUND extended permit ip host 192.168.0.201 host 123.123.123.123
access-list INBOUND extended permit object-group TCP-UDP any host 123.123.123.123 object-group SQL_PORTS
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123 
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5647896427d5cfe562de83d5292cbf83
: end
ciscoasa#


0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 100 total points
ID: 36516918
First, let's put the access list back that was there before:
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside


That should be ok.
Then look at the logs on the ASA when you try to connect to see if anything shows up there.

Are you sure you can't connect? Because I can..........
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36516925
One more thing. I asked a moderator to remove the configurations, because it is showing your public addresses and at the moment your SQL server seems to be very reachable on all ports (for me it is).
0
 

Author Comment

by:nasemabdullaa
ID: 36518003
Hello
Thank you for your reply
>>>Are you sure you can't connect? Because I can
You can connect because, as I said in my previous comment, I connected the server directly to the public IP address without the ASA; therefore you can connect. I did that because the users need to work, and it is only temporary to let them work.

Below is my configuration. Please try to connect now.

Regards
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 192.168.0.201 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.3 123.123.123.123
!
dhcpd address 192.168.0.20-192.168.0.120 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c23786ac44a5af92c24679e8f789e017
: end
ciscoasa#


0
 

Author Comment

by:nasemabdullaa
ID: 36518020
Please, how can I see the logs?
0
 

Author Comment

by:nasemabdullaa
ID: 36518622
Dear EE

I installed a new ASA in a second building with a new SQL server, but I also cannot connect to it from outside.

Below is my configuration.

Please, any help?

I use:
static (inside,outside) 123.123.123.123 172.16.0.4 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 123.123.123.123 eq 1433
access-group outside_in in interface outside

Please, it does not work. Now I have a problem with two servers.

Any help?
User Access Verification

Password:

Type help or '?' for a list of available commands.

ciscoasa> en
Password: ************
ciscoasa# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password X.y0JGA9o6phmjQ6 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Et
logging asdm informational                          
mtu management 1500                   
mtu outside 1500                
mtu inside 1500               
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                 
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
static (inside,outside) 123.123.123.123 172.16.0.4 netmask 255.255.255.255                                                                         
access-group outside_in in interface outside                                            
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1                                             
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                               
timeout uauth 0:05:00 absolute                              
http server enable                  
http 192.168.1.0 255.255                       
no snmp-server location                       
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
telnet 172.16.0.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5             
console timeout 0                 
dhcpd dns 172.16.0.3 82.205.224.9                                 
! 
dhcpd address 192.168.1.2-192.168.1.254 management                                                  
dhcpd enable management                       
! 
dhcpd address 172.16.0.20-172.16.0.120 inside                                             
dhcpd enable inside                   
! 
! 
class-map inspection_default                            
 match default-inspection-traffic                                 
! 
! 
policy-map type inspect dns preset_dns_map                                      
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cdefd5a41324c897da04eeefb54bcf6
: end
ciscoasa#


0
 

Author Comment

by:nasemabdullaa
ID: 36521015
Hello EE

It works after I reset the ASA to factory defaults.

Regards
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36521168
Good! Glad you resolved it. Still strange why it wasn't working in the first place......

Thx for the points.
0
