Cisco ASA 8.2 Enable SQL Services Across Two Subnets

Posted on 2012-04-10
Last Modified: 2012-11-09
Hello,

I have been forced by unforeseen circumstances to move from a Watchguard to a Cisco ASA 5510 at my client's site.  They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).

The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) - 192.168.27.5 (sqlserver).  The only ports I want open are 1433-1434 (all other traffic should be locked down).  The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.

Here are pertinent pieces of the config:

//START CONFIG
!
interface Ethernet0/0
 nameif outsideworld
 security-level 0
 ip address 199.42.47.58 255.255.255.248
!
interface Ethernet0/1
 nameif insidetrack
 security-level 100
 ip address 192.168.27.254 255.255.255.0
!
interface Ethernet0/2
 nameif WebsiteDMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0
!
global (outsideworld) 101 199.42.47.59-199.42.47.62 netmask 255.255.255.248
!
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 https 192.168.2.40 https netmask 255.255.255.255
//END CONFIG

Please assist.
KMT
Question by:kmt333
8 Comments

Assisted Solution

by:surbabu140977
surbabu140977 earned 501 total points
ID: 37832245
You have to nat the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level.

static (insidetrack,WebsiteDMZ) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
access-list DMZ permit tcp 192.168.2.0 255.255.255.0 192.168.27.0 255.255.255.0 range 1433 1434
access-group DMZ in interface WebsiteDMZ

Permit UDP too, since I am not sure what SQL uses.

Best,

Expert Comment

by:surbabu140977
ID: 37832299
BTW, you need to have the Security Plus feature to use the DMZ interface from both inside and outside. Else, only one works.

Best,

Expert Comment

by:surbabu140977
ID: 37832303
(at any given time).

Assisted Solution

by:ryan80
ryan80 earned 999 total points
ID: 37832491
surbabu, that is not correct with the 5510. The 5505 has that limitation but not on a 5510 and higher.

Also, personally I wouldn't NAT the inside to the DMZ; I would leave the IPs as original. I would just apply those access lists, but with some modifications. You can limit it to just those two hosts, and the access list should be applied to the inside interface.

access-list insidetrack_ACL extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-group insidetrack_ACL in interface insidetrack

Author Comment

by:kmt333
ID: 38059672
I know it's been a while, but...

I've added the items below:

//NAT RULES//

static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64376 192.168.27.5 64376 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64377 192.168.27.5 64377 netmask 255.255.255.255
static (insidetrack,webdmz) udp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255

//ACCESS RULES//

access-list webdmz_access_in extended permit ip any any

access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434

However, I still get the following error.  It appears to be the webdmz interface that is dropping the connection.  In my brain (which is clearly incorrect), this means that the server at 192.168.2.40 should be able to access the server at 192.168.27.5 on ports 1433 - 1434 and 64376 - 64377.  However, I see the following in the log when I put the router in place with this configuration.

//ERROR//

Inbound TCP connection denied from 192.168.2.40/1651 to 192.168.27.5/1434 flags SYN  on interface webdmz

Thanks,
KMT

Accepted Solution

by:ryan80
ryan80 earned 999 total points
ID: 38062342
just to be sure, you also applied the access list to the interface correct?

Author Comment

by:kmt333
ID: 38299042
Hi all, just an update on this: we've gotten Cisco involved. I will update you as soon as I know more.

Author Closing Comment

by:kmt333
ID: 38585818
Thanks all,

In the end, the Cisco techs added the following to the config:

static (insidetrack,webdmz) tcp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 domain 192.168.27.0 domain netmask 255.255.255.0

It basically maps the inside interface to the webdmz. I don't understand it, but it works.
KMT
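As an added illustration (not code from the thread, from Cisco, or from any of the posters), the following Python model replays the configurations discussed above through the three ASA 8.2 rules the answers turn on: the inbound ACL that counts is the one bound with access-group on the interface the SYN arrives on (webdmz for webserver-to-SQL traffic, which is the interface the denial log names); with no ACL bound there, a flow from security level 1 to 100 is dropped by default; and `static (real_ifc,mapped_ifc) mapped real` exposes `real` to `mapped_ifc` under the address `mapped`, so the closing comment's entries are identity translations, while the earlier per-host entries declared the SQL server reachable from the DMZ as 192.168.2.40, the webserver's own address. The route lookup, the `nat_control` flag and the reduced rule set are simplifying assumptions of this model; the addresses, interface names and ports are the ones posted.

```python
"""Simplified model of how a Cisco ASA 8.2 admits a new connection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                     # connected subnet, used for the (simplified) route lookup


@dataclass
class Ace:
    """One access-list entry: action proto src dst [port range]."""
    action: str                      # "permit" | "deny"
    proto: str                       # "ip" | "tcp" | "udp"
    src: str                         # CIDR
    dst: str                         # CIDR, the address as seen on the ingress interface
    ports: Optional[Tuple[int, int]] = None

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src) or ip_address(dst) not in ip_network(self.dst):
            return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]


@dataclass
class Static:
    """static (real_ifc,mapped_ifc) [proto] mapped real [port] netmask ..."""
    real_ifc: str
    mapped_ifc: str
    mapped: str                      # CIDR seen from mapped_ifc
    real: str                        # CIDR behind real_ifc
    proto: Optional[str] = None      # set for the per-port (policy) form
    port: Optional[int] = None


class Asa82:
    def __init__(self, interfaces, nat_control=False):   # nat_control flag is a modelling assumption
        self.ifcs = {i.name: i for i in interfaces}
        self.nat_control = nat_control
        self.acls, self.groups, self.statics = {}, {}, []

    def access_list(self, name, ace): self.acls.setdefault(name, []).append(ace)
    def access_group(self, name, ifc): self.groups[ifc] = name      # "in" direction only
    def static(self, s): self.statics.append(s)

    def translate(self, ingress, dst, proto, dport):
        """Static whose mapped side faces `ingress` and covers dst -> (egress, real destination)."""
        for s in self.statics:
            if s.mapped_ifc != ingress or ip_address(dst) not in ip_network(s.mapped):
                continue
            if s.proto and (s.proto != proto or s.port != dport):
                continue
            offset = int(ip_address(dst)) - int(ip_network(s.mapped).network_address)
            return s.real_ifc, str(ip_address(int(ip_network(s.real).network_address) + offset))
        return None

    def admit(self, ingress, src, dst, proto, dport):
        """(allowed, reason) for the first packet of a new connection arriving on `ingress`."""
        xl = self.translate(ingress, dst, proto, dport)
        egress, real_dst = xl or (self._route(dst), dst)
        if egress is None:
            return False, "no route to destination"
        acl = self.groups.get(ingress)
        if acl is None:                                    # no ACL bound: security-level default
            if self.ifcs[ingress].security_level <= self.ifcs[egress].security_level:
                return False, f"no ACL bound on {ingress}: lower->higher denied by default"
        else:                                              # ACL bound: first matching ACE wins
            hit = next((a for a in self.acls[acl] if a.matches(proto, src, dst, dport)), None)
            if hit is None or hit.action == "deny":
                return False, f"denied by access-list {acl} on {ingress}"
        if xl is None and self.nat_control:
            return False, "nat-control: no translation group found"
        return True, f"{ingress} -> {egress}, real destination {real_dst}/{dport}"

    def _route(self, dst):
        return next((i.name for i in self.ifcs.values() if ip_address(dst) in ip_network(i.network)), None)


WEB, SQL = "192.168.2.40", "192.168.27.5"          # hosts from the thread
IFCS = [Interface("outsideworld", 0, "199.42.47.56/29"),
        Interface("insidetrack", 100, "192.168.27.0/24"),
        Interface("webdmz", 1, "192.168.2.0/24")]
SQL_ACES = [Ace("permit", "tcp", WEB + "/32", SQL + "/32", (1433, 1434)),
            Ace("permit", "udp", WEB + "/32", SQL + "/32", (1434, 1434))]


def acl_bound_to_inside_only():
    """ACL bound on insidetrack only: the SYN arriving on webdmz never meets it."""
    asa = Asa82(IFCS)
    for a in SQL_ACES:
        asa.access_list("insidetrack_ACL", a)
    asa.access_group("insidetrack_ACL", "insidetrack")
    return asa.admit("webdmz", WEB, SQL, "tcp", 1433)


def acl_defined_but_not_bound():
    """access-list entered but no access-group: the security-level default applies."""
    asa = Asa82(IFCS)
    for a in SQL_ACES:
        asa.access_list("webdmz_access_in", a)
    return asa.admit("webdmz", WEB, SQL, "tcp", 1433)


def working_config(nat_control=True):
    """Per-port identity statics (as in the closing comment) plus the ACL bound on webdmz."""
    asa = Asa82(IFCS, nat_control=nat_control)
    for proto, port in (("tcp", 1433), ("tcp", 1434), ("udp", 1434)):
        asa.static(Static("insidetrack", "webdmz", "192.168.27.0/24", "192.168.27.0/24", proto, port))
    for a in SQL_ACES:
        asa.access_list("webdmz_access_in", a)
    asa.access_group("webdmz_access_in", "webdmz")
    return asa


def reversed_static():
    """What 'static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433' expresses:
    seen from webdmz, the SQL server answers on 192.168.2.40, the webserver's own address."""
    asa = Asa82(IFCS, nat_control=True)
    asa.static(Static("insidetrack", "webdmz", WEB + "/32", SQL + "/32", "tcp", 1433))
    return asa.translate("webdmz", WEB, "tcp", 1433)


if __name__ == "__main__":
    print("ACL on insidetrack only:", acl_bound_to_inside_only())
    print("ACL not bound          :", acl_defined_but_not_bound())
    asa = working_config()
    print("working, tcp/1433      :", asa.admit("webdmz", WEB, SQL, "tcp", 1433))
    print("working, udp/1434      :", asa.admit("webdmz", WEB, SQL, "udp", 1434))
    print("working, tcp/3389      :", asa.admit("webdmz", WEB, SQL, "tcp", 3389))
    print("reversed static maps   :", reversed_static())
```

The model drops the 1433 SYN in the first two scenarios for the same reason the posted log gives (the check happens on webdmz, where nothing permits it), admits only the listed SQL ports once the identity statics and the webdmz ACL are both in place, and shows that the per-host static from the author's attempt translates 192.168.2.40, not 192.168.27.5, which is why an ACL written against the real inside address did not line up with it.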