Solved

Cisco ASA 8.2 Enable SQL Services Across Two Subnets

Posted on 2012-04-10
Last Modified: 2012-11-09
Hello,

I have been forced by unforeseen circumstances to move from a Watchguard to a Cisco ASA 5510 at my client's site.  They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).

The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) - 192.168.27.5 (sqlserver).  The only ports I want open are 1433-1434 (all other traffic should be locked down).  The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.

Here are pertinent pieces of the config:

//START CONFIG
!
interface Ethernet0/0
 nameif outsideworld
 security-level 0
 ip address 199.42.47.58 255.255.255.248
!
interface Ethernet0/1
 nameif insidetrack
 security-level 100
 ip address 192.168.27.254 255.255.255.0
!
interface Ethernet0/2
 nameif WebsiteDMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0
!
global (outsideworld) 101 199.42.47.59-199.42.47.62 netmask 255.255.255.248
!
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 https 192.168.2.40 https netmask 255.255.255.255
//END CONFIG

Please assist.
KMT
Question by:kmt333
8 Comments
 
LVL 17

Assisted Solution

by:surbabu140977
surbabu140977 earned 167 total points
ID: 37832245
You have to NAT the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level.

static (insidetrack,WebsiteDMZ) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
access-list DMZ permit tcp 192.168.2.0 255.255.255.0 192.168.27.0 255.255.255.0 range 1433 1434
access-group DMZ in interface WebsiteDMZ

Permit UDP too, since I am not sure what SQL uses.

Best,
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832299
BTW, you need to have the Security Plus feature to use the DMZ interface from both inside and outside. Else, only one works.

Best,
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832303
(at any given time).
0

 
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 333 total points
ID: 37832491
surbabu, that is not correct with the 5510. The 5505 has that limitation but not on a 5510 and higher.

Also, personally I wouldn't NAT the inside to the DMZ; I would leave the IPs as original. I would just apply those access lists, but with some modifications. You can limit it to just those two hosts, and the access list should be applied to the inside interface.

access-list insidetrack_ACL extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-group insidetrack_ACL in interface insidetrack
0
 
LVL 4

Author Comment

by:kmt333
ID: 38059672
I know it's been a while, but...

I've added the items below:

//NAT RULES//

static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64376 192.168.27.5 64376 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64377 192.168.27.5 64377 netmask 255.255.255.255
static (insidetrack,webdmz) udp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255

//ACCESS RULES//

access-list webdmz_access_in extended permit ip any any

access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 eq 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434

However, I still get the following error.  It appears to be the webdmz interface that is dropping the connection.  In my brain (which is clearly incorrect), this means that the server at 192.168.2.40 should be able to access the server at 192.168.27.5 on ports 1433 - 1434 and 64376 - 64377.  However, I see the following in the log when I put the router in place with this configuration.

 

//ERROR//

Inbound TCP connection denied from 192.168.2.40/1651 to 192.168.27.5/1434 flags SYN  on interface webdmz

Thanks,
KMT
0
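The ACL lines from the comment above, checked for first-match problems, as an added example that is not part of the original thread or any participant's code: ASA access lists stop at the first matching entry, so a leading `permit ip any any` both opens the interface and leaves the host-specific rules after it unreachable. The parser handles only the address and numeric port forms seen on this page, and the function names are hypothetical.

```python
import ipaddress
import re
# ACL lines from the post above; the single-port UDP rule is written with "eq".
ACL_TEXT = """\
access-list webdmz_access_in extended permit ip any any
access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 eq 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
"""

def _addr(tok):
    """Consume one address spec from the token list: any | host A | A MASK."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tok.pop(0))

def _ports(tok):
    """Numeric ports only: nothing (all ports) | eq N | range A B."""
    return (int(tok[1]), int(tok[-1])) if tok else (0, 65535)

def parse(text):
    rules = []
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line.strip())
        if m:
            acl, action, proto, rest = m.groups()
            tok = rest.split()
            rules.append({"acl": acl, "action": action, "proto": proto, "src": _addr(tok),
                          "dst": _addr(tok), "ports": _ports(tok), "line": line.strip()})
    return rules

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a["proto"] in ("ip", b["proto"]) and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"]) and a["ports"][0] <= b["ports"][0] <= b["ports"][1] <= a["ports"][1])

def audit(text):
    """Flag permit-ip-any-any entries and entries an earlier line of the same ACL already covers."""
    rules, findings = parse(text), []
    for i, r in enumerate(rules):
        if r["action"] == "permit" and r["proto"] == "ip" and r["src"].prefixlen + r["dst"].prefixlen == 0:
            findings.append(("permit-any", r["acl"], r["line"]))
        if any(e["acl"] == r["acl"] and covers(e, r) for e in rules[:i]):
            findings.append(("shadowed", r["acl"], r["line"]))
    return findings
```

`audit(ACL_TEXT)` returns a list of `(kind, acl_name, line)` tuples; an ACL that holds only the two host-to-host SQL entries returns an empty list.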
 
LVL 12

Accepted Solution

by:
ryan80 earned 333 total points
ID: 38062342
Just to be sure, you also applied the access list to the interface, correct?
0
 
LVL 4

Author Comment

by:kmt333
ID: 38299042
Hi all, just an update on this: we've gotten Cisco involved.  I will update you as soon as I know more.
0
 
LVL 4

Author Closing Comment

by:kmt333
ID: 38585818
Thanks all,

In the end, the Cisco techs added the following to the config:

static (insidetrack,webdmz) tcp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 domain 192.168.27.0 domain netmask 255.255.255.0

It basically maps the inside interface to the webdmz.  I don't understand it, but it works.
KMT
0
