Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 657
  • Last Modified:

Cisco ASA 8.2 Enable SQL Services Across Two Subnets

Hello,

I have been forced by unforeseen circumstances to move from a Watchguard to a Cisco ASA 5510 at my client's site.  They have an onsite webserver that has traditionally been on a separate subnet (192.168.2.40) while the SQL server lives on the main LAN (192.168.27.5).

The issue is that I need to allow SQL traffic from 192.168.2.40 (webserver) - 192.168.27.5 (sqlserver).  The only ports I want open are 1433-1434 (all other traffic should be locked down).  The webserver also needs to receive traffic from the outside world on ports 80 and 443, but I have that piece working.

Here are pertinent pieces of the config:

//START CONFIG
!
interface Ethernet0/0
 nameif outsideworld
 security-level 0
 ip address 199.42.47.58 255.255.255.248
!
interface Ethernet0/1
 nameif insidetrack
 security-level 100
 ip address 192.168.27.254 255.255.255.0
!
interface Ethernet0/2
 nameif WebsiteDMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0
!
global (outsideworld) 101 199.42.47.59-199.42.47.62 netmask 255.255.255.248
!
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 www 192.168.2.40 www netmask 255.255.255.255
static (WebsiteDMZ,outsideworld) tcp 199.42.47.59 https 192.168.2.40 https netmask 255.255.255.255
//END CONFIG

Please assist.
KMT
0
kmt333
Asked:
kmt333
  • 3
  • 3
  • 2
3 Solutions
 
surbabu140977Commented:
You have to nat the inside network to the DMZ network and then create an ACL to permit the traffic from a lower security level to a higher security level.

static(insidetrack,WebsiteDMZ) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
access-list DMZ permit tcp 192.168.2.0 255.255.255.0 192.168.27.0 255.255.255.0 range 1433 1434
access-group DMZ in interface WebsiteDMZ

permit udp too  since I am not sure what SQL uses.

Best,
0
 
surbabu140977Commented:
btw, you need to have security plus feature to use DMZ interface from both inside and outside. Else, only one works.

Best,
0
 
surbabu140977Commented:
(at any given time).
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
ryan80Commented:
surbabu, that is not correct with the 5510. The 5505 has that limitation but not on a 5510 and higher.

Also personally I wouldnt NAT the inside to the DMZ, I would leave the IPs as original. I would just apply those access lists, but with some modifications. You can limit it to just those two hosts, and the access list should be applied to the inside interface.

access-list insidetrack_ACL extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434
access-group insidetrack_ACL in interface insidetrack
0
 
kmt333Author Commented:
I know it's been a while, but...

I've added the items below:

//NAT RULES//

static (insidetrack,webdmz) tcp 192.168.2.40 1433 192.168.27.5 1433 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64376 192.168.27.5 64376 netmask 255.255.255.255
static (insidetrack,webdmz) tcp 192.168.2.40 64377 192.168.27.5 64377 netmask 255.255.255.255
static (insidetrack,webdmz) udp 192.168.2.40 1434 192.168.27.5 1434 netmask 255.255.255.255

//ACCESS RULES//

access-list webdmz_access_in extended permit ip any any

access-list insidetrack_access_in extended permit ip any any
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 64376 64377
access-list insidetrack_access_in extended permit udp host 192.168.2.40 host 192.168.27.5 1434
access-list insidetrack_access_in extended permit tcp host 192.168.2.40 host 192.168.27.5 range 1433 1434

However, I still get the following error.  It appears to be the webdmz interface that is dropping the connection.  In my brain (which is clearly incorrect), this means that the server at 192.168.2.40 should be able to access the server at 192.168.27.5 on ports 1433 - 1434 and 64376 - 64377.  However, I see the following in the log when I put the router in place with this configuration.

 

//ERROR//

Inbound TCP connection denied from 192.168.2.40/1651 to 192.168.27.5/1434 flags SYN  on interface webdmz

Thanks,
KMT
0
 
ryan80Commented:
just to be sure, you also applied the access list to the interface correct?
0
 
kmt333Author Commented:
hi all, just an update on this: we've gotten Cisco involved.  I will update you as soon as I know more.
0
 
kmt333Author Commented:
Thanks all,

In the end, the Cisco techs added the following to the config:

static (insidetrack,webdmz) tcp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1433 192.168.27.0 1433 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 1434 192.168.27.0 1434 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64376 192.168.27.0 64376 netmask 255.255.255.0
static (insidetrack,webdmz) udp 192.168.27.0 64377 192.168.27.0 64377 netmask 255.255.255.0
static (insidetrack,webdmz) tcp 192.168.27.0 domain 192.168.27.0 domain netmask 255.255.255.0

it basically maps the inside interface to the webdmz.  I don'tunderstand it, but it works.
KMT
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now