Solved

Cisco ASA 8.2 Enable SQL Services Across Two Subnets

Posted on 2012-04-10
Last Modified: 2012-11-09
Hello,

I have been forced by unforeseen circumstances to move from a Watchguard to a Cisco ASA 5510 at my client's site.  They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).

The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) to 192.168.27.5 (sqlserver).  The only ports I want open are 1433-1434 (all other traffic should be locked down).  The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.

Here are pertinent pieces of the config:

//START CONFIG
!
interface Ethernet0/0
 nameif outsideworld
 security-level 0
 ip address 199.42.47.58 255.255.255.248
!
interface Ethernet0/1
 nameif insidetrack
 security-level 100
 ip address 192.168.27.254 255.255.255.0
!
interface Ethernet0/2
 nameif WebsiteDMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0
!
global (outsideworld) 101 199.42.47.59-199.42.47.62 netmask 255.255.255.248
!
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 https 192.168.2.40 https netmask 255.255.255.255
//END CONFIG

Please assist.
KMT
Question by:kmt333
8 Comments
 
LVL 17

Assisted Solution

by:surbabu140977
surbabu140977 earned 501 total points
ID: 37832245
You have to nat the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level.

static (insidetrack,WebsiteDMZ) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
access-list DMZ extended permit tcp 192.168.2.0 255.255.255.0 192.168.27.0 255.255.255.0 range 1433 1434
access-group DMZ in interface WebsiteDMZ

Permit UDP too, since I am not sure what SQL uses.

Best,
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832299
BTW, you need to have the Security Plus feature to use the DMZ interface from both inside and outside. Else, only one works.

Best,
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832303
(at any given time).
 
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 999 total points
ID: 37832491
surbabu, that is not correct with the 5510. The 5505 has that limitation but not on a 5510 and higher.

Also, personally I wouldn't NAT the inside to the DMZ; I would leave the IPs as original. I would just apply those access lists, but with some modifications. You can limit it to just those two hosts, and the access list should be applied to the inside interface.

access-list insidetrack_ACL extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-group insidetrack_ACL in interface insidetrack
 
LVL 4

Author Comment

by:kmt333
ID: 38059672
I know it's been a while, but...

I've added the items below:

//NAT RULES//

static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64376 192.168.27.5 64376 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64377 192.168.27.5 64377 netmask 255.255.255.255
static (insidetrack,webdmz) udp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255

//ACCESS RULES//

access-list webdmz_access_in extended permit ip any any

access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434

However, I still get the following error.  It appears to be the webdmz interface that is dropping the connection.  In my brain (which is clearly incorrect), this means that the server at 192.168.2.40 should be able to access the server at 192.168.27.5 on ports 1433 - 1434 and 64376 - 64377.  However, I see the following in the log when I put the router in place with this configuration.

 

//ERROR//

Inbound TCP connection denied from 192.168.2.40/1651 to 192.168.27.5/1434 flags SYN on interface webdmz

Thanks,
KMT
 
LVL 12

Accepted Solution

by:ryan80
ryan80 earned 999 total points
ID: 38062342
just to be sure, you also applied the access list to the interface correct?
 
LVL 4

Author Comment

by:kmt333
ID: 38299042
Hi all, just an update on this: we've gotten Cisco involved. I will update you as soon as I know more.
 
LVL 4

Author Closing Comment

by:kmt333
ID: 38585818
Thanks all,

In the end, the Cisco techs added the following to the config:

static (insidetrack,webdmz) tcp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 domain 192.168.27.0 domain netmask 255.255.255.0

It basically maps the inside interface to the webdmz. I don't understand it, but it works.
KMT

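The following is an added example, not configuration posted in the thread or supplied by Cisco, that combines ryan80's point (filter to the two hosts only) with the closing comment's fix (a static from insidetrack to webdmz) in the locked-down form the original question asked for. Two things differ from what was posted: a single network identity static replaces the one-static-per-port list, since an identity static for the whole subnet covers every port at once; and the ACL is applied inbound on webdmz, because a connection the web server initiates enters the ASA on that interface and is judged by that interface's inbound ACL, not by the one on insidetrack (ryan80's ACL on insidetrack only governs flows the inside initiates). Interface names, host addresses and the 1433-1434 ports are taken from the thread; the UDP 1434 line (SQL Browser), the logged explicit deny, and the verification commands are assumptions added here. Whether ASA 8.2 needs the static at all depends on nat-control and on any nat statement covering 192.168.27.0/24, which the excerpt does not show; the identity static is harmless either way, which is why it is kept.

```cisco
! Added example (not from the thread): least-privilege DMZ -> inside SQL access, ASA 8.2 syntax.
! Interface names, hosts and ports are from the original post; everything else is assumed.
!
! Identity static: 192.168.27.0/24 keeps its real addresses when reached from webdmz.
! One network static replaces the per-port tcp/udp statics in the closing comment.
static (insidetrack,webdmz) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
!
! Inbound policy for the DMZ. A flow initiated by the web server enters on webdmz,
! so this ACL decides it; the ACL on insidetrack never sees the SYN.
access-list webdmz_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-list webdmz_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 eq 1434
! Add further lines here for anything else the DMZ must initiate (a fixed port of a
! named SQL instance, DNS to an inside resolver) before the final deny.
access-list webdmz_access_in extended deny ip any any log
access-group webdmz_access_in in interface webdmz
!
! Verification: replay the denied SYN from the log entry and read which phase drops it.
packet-tracer input webdmz tcp 192.168.2.40 1651 192.168.27.5 1434
show xlate | include 192.168.27.5
show access-list webdmz_access_in
```

The packet-tracer line reproduces the exact flow from the log entry in the author's comment and reports whether the ACL or the NAT lookup rejects it, which is faster than swapping the firewall in and reading syslog. The message quoted in the thread (106001, "Inbound TCP connection denied ... on interface webdmz") is the one the ASA typically logs when no access-group on the ingress interface permits a lower-to-higher-security flow; a packet rejected by a named ACL is logged as 106023 with the ACL's name, so seeing 106001 is consistent with ryan80's follow-up question about whether the ACL had actually been applied with access-group. Note that the explicit deny also blocks anything else the DMZ host initiates, including connections to the outside; the closing comment's list includes a tcp domain static, which suggests the web server resolves names against an inside server, so a matching permit line belongs above the deny.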