Solved

Cisco ASA 8.2 Enable SQL Services Across Two Subnets

Posted on 2012-04-10
8
637 Views
Last Modified: 2012-11-09
Hello,

I have been forced by unforeseen circumstances to move from a Watchguard to a Cisco ASA 5510 at my client's site.  They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).

The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) - 192.168.27.5 (sqlserver).  The only ports I want open are 1433-1434 (all other traffic should be locked down).  The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.

Here are pertinent pieces of the config:

//START CONFIG
!
interface Ethernet0/0
 nameif outsideworld
 security-level 0
 ip address 199.42.47.58 255.255.255.248
!
interface Ethernet0/1
 nameif insidetrack
 security-level 100
 ip address 192.168.27.254 255.255.255.0
!
interface Ethernet0/2
 nameif WebsiteDMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0
!
global (outsideworld) 101 199.42.47.59-199.42.47.62 netmask 255.255.255.248
!
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 https 192.168.2.40 https netmask 255.255.255.255
//END CONFIG

Please assist.
KMT
0
Comment
Question by:kmt333
  • 3
  • 3
  • 2
8 Comments
 
LVL 17

Assisted Solution

by:surbabu140977
surbabu140977 earned 167 total points
ID: 37832245
You have to nat the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level.

static(insidetrack,WebsiteDMZ) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
access-list DMZ permit tcp 192.168.2.0 255.255.255.0 192.168.27.0 255.255.255.0 range 1433 1434
access-group DMZ in interface WebsiteDMZ

permit udp too  since I am not sure what SQL uses.

Best,
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832299
btw, you need to have security plus feature to use DMZ interface from both inside and outside. Else, only one works.

Best,
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37832303
(at any given time).
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 333 total points
ID: 37832491
surbabu, that is not correct with the 5510. The 5505 has that limitation but not on a 5510 and higher.

Also personally I wouldnt NAT the inside to the DMZ, I would leave the IPs as original. I would just apply those access lists, but with some modifications. You can limit it to just those two hosts, and the access list should be applied to the inside interface.

access-list insidetrack_ACL extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-group insidetrack_ACL in interface insidetrack
0
 
LVL 4

Author Comment

by:kmt333
ID: 38059672
I know it's been a while, but...

I've added the items below:

//NAT RULES//

static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64376 192.168.27.5 64376 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64377 192.168.27.5 64377 netmask 255.255.255.255
static (insidetrack,webdmz) udp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255

//ACCESS RULES//

access-list webdmz_access_in extended permit ip any any

access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434

However, I still get the following error.  It appears to be the webdmz interface that is dropping the connection.  In my brain (which is clearly incorrect), this means that the server at 192.168.2.40 should be able to access the server at 192.168.27.5 on ports 1433 - 1434 and 64376 - 64377.  However, I see the following in the log when I put the router in place with this configuration.

 

//ERROR//

Inbound TCP connection denied from 192.168.2.40/1651 to 192.168.27.5/1434 flags SYN  on interface webdmz

Thanks,
KMT
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 333 total points
ID: 38062342
just to be sure, you also applied the access list to the interface correct?
0
 
LVL 4

Author Comment

by:kmt333
ID: 38299042
hi all, just an update on this: we've gotten Cisco involved.  I will update you as soon as I know more.
0
 
LVL 4

Author Closing Comment

by:kmt333
ID: 38585818
Thanks all,

In the end, the Cisco techs added the following to the config:

static (insidetrack,webdmz) tcp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 domain 192.168.27.0 domain netmask 255.255.255.0

it basically maps the inside interface to the webdmz.  I don'tunderstand it, but it works.
KMT
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question