lk878787
asked on
Cisco AnyConnect Client Can't Talk to SQL Server
Here's my situation. I have an ASA 5505 on 9.1(2) IOS. I've set up the VPN for remote access via AnyConnect clients and this works and I get authenticated. I'm then able to resolve DNS to the servers within that remote network, I can ping them, I can RDP to them, I can map network drives, and copy data, but I can't connect to them via SQL with a piece of Electronic Medical Billing software I use called EMds (http://www.e-mds.com/).
I have tried the latest version of the AnyConnect client available from Cisco (3.1.04066) along with prior versions like 2.5 with no luck. I've tried this on Windows XP and Windows 7 (different PCs on different networks) and still no luck.
Any help would be greatly appreciated. I'm not sure what to do at this point and need the expert advice.
thanks
ASKER
Here is the config from the ASA. The WAN IPs are fake. I'm actually getting a Login Failed now when accessing the WAN interface through a web browser (https://67.89.45.67), so I can't even bring up the VPN. Any help would be greatly appreciated. The SQL server and the clients I've tested have their firewalls disabled.
thanks
ClovisASA5505# sh start
ClovisASA5505# sh startup-config
: Saved
: Written by cisco at 05:56:41.937 UTC Sun Oct 13 2013
!
ASA Version 9.1(2)
!
hostname ClovisASA5505
enable password Q5.xk4n2H9znnAYZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.201.201.1-10.201.201.50 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description ISP
mac-address 0026.5af9.689b
nameif outside
security-level 0
ip address 67.89.45.67 255.255.254.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
object network Local_Network
subnet 192.168.1.0 255.255.255.0
object network Internet
host 67.89.45.67
object network vMware_Server
host 192.168.1.10
object network vmWare_Port_4443_443
host 192.168.1.10
object network vmWare_Port_222_22
host 192.168.1.10
object network vmWare_Port_902_902
host 192.168.1.10
object network eMds_Server
host 192.168.1.15
object network eMds_Server_3389_3389
host 192.168.1.15
object network NETWORK_OBJ_10.201.201.0_26
subnet 10.201.201.0 255.255.255.192
access-list outside_access_in extended permit tcp any object vMware_Server eq 4443
access-list outside_access_in extended permit tcp any object vMware_Server eq 222
access-list outside_access_in extended permit tcp any object vMware_Server eq 902
access-list outside_access_in extended permit tcp any object Internet eq ssh
access-list outside_access_in extended permit tcp any object eMds_Server eq 3389
access-list outside_access_in extended permit tcp any object vMware_Server eq https
access-list outside_access_in extended permit tcp any object vMware_Server eq ssh
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.201.201.0_26 NETWORK_OBJ_10.201.201.0_26 no-proxy-arp route-lookup
!
object network Local_Network
nat (inside,outside) dynamic interface
object network vmWare_Port_4443_443
nat (inside,outside) static interface service tcp https 4443
object network vmWare_Port_222_22
nat (inside,outside) static interface service tcp ssh 222
object network vmWare_Port_902_902
nat (inside,outside) static interface service tcp 902 902
object network eMds_Server_3389_3389
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.66.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=67.89.45.67
keypair CLOVIS_ANYCONNECT
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate a9665852
308201e1 3082014a a0030201 020204a9 66585230 0d06092a 864886f7 0d010105
05003035 31153013 06035504 03130c36 382e3636 2e38322e 32323631 1c301a06
092a8648 86f70d01 0902160d 436c6f76 69734153 41353530 35301e17 0d313331
30313330 35353134 395a170d 32333130 31313035 35313439 5a303531 15301306
03550403 130c3638 2e36362e 38322e32 3236311c 301a0609 2a864886 f70d0109
02160d43 6c6f7669 73415341 35353035 30819f30 0d06092a 864886f7 0d010101
05000381 8d003081 89028181 00a9fedc f4d2a8d2 3ca48adf 84610ce9 46e19733
7176660c 2d3e3fc6 5e75e64d 751be257 661f4422 05b5d8a1 b1ed8938 9f660a11
f1c05250 2afd15fc 34d3048c bf6d7892 b546309c 9b5e56da 334dfa37 08867ace
593e2350 a9dc41e0 d1340f49 fb7820cc 118f1331 c5ab275e 6c28782a dbe948a2
2562c3e3 7f9f3c53 ee6d9d05 31020301 0001300d 06092a86 4886f70d 01010505
00038181 0003b63d 6698dbb6 f048d32d 3f29f5be e79e7679 c51cb052 556e25af
e96407c3 a34e1333 37350c92 28f65bfa fae1970f e4ff85c7 8378b8c8 9541d3be
d8b16277 87dbccb5 aea0f430 1ded5485 d92115c4 911be1e5 1d441073 674ceae7
fc331e7e c8b87895 2010b89c c1a05d4b a37f1c00 a6fbd9e8 179fec6a df16ce97
9052101f d4
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect profiles CLOVIS_ANYCONNECT_VPN_client_profile disk0:/CLOVIS_ANYCONNECT_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN internal
group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN attributes
wins-server none
dns-server value 192.168.1.11
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value CLOVIS_ANYCONNECT_VPN_client_profile type user
username cisco password KIklOnzBzo2pJ/xJ encrypted privilege 15
username clovisvpn password VXlcBBiSE.stdpId encrypted
tunnel-group CLOVIS_ANYCONNECT_VPN type remote-access
tunnel-group CLOVIS_ANYCONNECT_VPN general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN
tunnel-group CLOVIS_ANYCONNECT_VPN webvpn-attributes
group-alias CLOVIS_ANYCONNECT_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7ec40c4d042a9647ebe52a01d530a90e
ClovisASA5505#
ASKER
Yeah, I wasn't sure where to put this. Thanks, hopefully some answers soon.
ASKER
Here is the latest situation. I have the AnyConnect VPN client connected and can access other resources like pinging the hosts, Windows shares, RDP to this SQL server. I just can't SQL connect from a database program into the 192.168.1.15 server running SQL 2008. I have run a
telnet 192.168.1.15 1433
and it looks like it works because it doesn't say timeout but sits there with a blinking cursor. Here is the latest config.
!
ClovisASA5505# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ClovisASA5505
enable password Q5.xk4n2H9znnAYZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.201.201.1-10.201.201.50 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description ISP
mac-address 0026.5af9.689b
nameif outside
security-level 0
ip address 52.56.11.22 255.255.254.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
object network Local_Network
subnet 192.168.1.0 255.255.255.0
object network Internet
host 52.56.11.22
object network vMware_Server
host 192.168.1.10
object network vmWare_Port_4443_443
host 192.168.1.10
object network vmWare_Port_222_22
host 192.168.1.10
object network vmWare_Port_902_902
host 192.168.1.10
object network eMds_Server
host 192.168.1.15
object network eMds_Server_3389_3389
host 192.168.1.15
object network VPN_Hosts
subnet 10.201.201.0 255.255.255.0
access-list outside_access_in extended permit tcp any object vMware_Server eq 4443
access-list outside_access_in extended permit tcp any object vMware_Server eq 222
access-list outside_access_in extended permit tcp any object vMware_Server eq 902
access-list outside_access_in extended permit tcp any object Internet eq ssh
access-list outside_access_in extended permit tcp any object eMds_Server eq 3389
access-list outside_access_in extended permit tcp any object vMware_Server eq https
access-list outside_access_in extended permit tcp any object vMware_Server eq ssh
access-list ANYCONNECT_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Local_Network Local_Network destination static VPN_Hosts VPN_Hosts
!
object network Local_Network
nat (inside,outside) dynamic interface
object network vmWare_Port_4443_443
nat (inside,outside) static interface service tcp https 4443
object network vmWare_Port_222_22
nat (inside,outside) static interface service tcp ssh 222
object network vmWare_Port_902_902
nat (inside,outside) static interface service tcp 902 902
object network eMds_Server_3389_3389
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.66.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy Clovis_AnyConnect_Profile internal
group-policy Clovis_AnyConnect_Profile attributes
dns-server value 192.168.1.11
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ANYCONNECT_SPLIT_TUNNEL
address-pools value VPN_POOL
username cisco password KIklOnzBzo2pJ/xJ encrypted privilege 15
username clovis password VXlcBBiSE.stdpId encrypted
username clovis attributes
service-type remote-access
tunnel-group Clovis_VPN type remote-access
tunnel-group Clovis_VPN general-attributes
default-group-policy Clovis_AnyConnect_Profile
tunnel-group Clovis_VPN webvpn-attributes
group-alias ClovisVPN enable
!
class-map sqlnet
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:61af2857ff8bfb397172c9137c92e1eb
: end
ClovisASA5505#
Try removing
inspect sqlnet
conf t
policy-map global_policy
class inspection_default
no inspect sqlnet
ASKER
Nope, same result after removing sqlnet.
ASKER
As another update, I am able to do remote desktop from the SQL server (192.168.1.15) to the AnyConnect VPN client (10.201.201.1) just fine, along with pinging the VPN client.
I'm just continuing to have issues getting the SQL client application to talk with the server. Are there any broadcasts that must go through? What kind of communication is unique to SQL connections that might be causing this? I'm so baffled on this problem, going on for two days now.
PLEASE HELP!!
ASKER
This was it. Finally found the answer. Once I domain joined the client to this other network it worked great. The problem now is that this remote client is joined to another domain, so if I create a SQL user and login I get these errors. The SQL server DNS is pointing to the domain controller for DNS.
How could I make a SQL login work so I don't have to domain join this client?
10/15/2013 08:52:56,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 18452<c/> Severity: 14<c/> State: 1.
10/15/2013 08:52:56,Logon,Unknown,SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 17806<c/> Severity: 20<c/> State: 2.
10/15/2013 08:52:49,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.201.201.1]
The SQL user isn't used - you need to provide it in the connection properties of the application. As-is, the connection uses (or forces) Windows Authentication, which will not work outside of the (untrusted) domain, of course.
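The point of the answer above is that errors 18452 and 17806 are an authentication failure, not a network one. As an added example (not part of the thread and not Qlemo's code), this parser turns SQL Server errorlog export lines like the ones posted into a per-client diagnosis; the sample lines are constructed, with the 18456 entry and the second client address made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of a SQL Server errorlog export (not the page's own log).
# The Log File Viewer writes commas inside a message as "<c/>" when exporting,
# so the parser normalises those before splitting the columns.
SAMPLE_ERRORLOG = """\
10/15/2013 08:52:56,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 18452<c/> Severity: 14<c/> State: 1.
10/15/2013 08:52:56,Logon,Unknown,SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 17806<c/> Severity: 20<c/> State: 2.
10/15/2013 08:53:10,Logon,Unknown,Login failed for user 'emds_app'. Reason: Password did not match that for the login provided. [CLIENT: 10.201.201.7]
10/15/2013 08:53:10,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.
"""

ERROR_RE = re.compile(r"Error: (\d+), Severity: (\d+), State: (\d+)")
CLIENT_RE = re.compile(r"\[CLIENT: ([\d.]+)\]")

# The two error numbers from the thread, plus 18456 (a rejected SQL login) for contrast.
DIAGNOSIS = {
    18452: "Windows (integrated) authentication from a client the server's domain does not "
           "trust; put a SQL login in the client's connection properties or join the client "
           "to the domain",
    17806: "SSPI handshake failed: no usable Kerberos/NTLM credential for this server; same "
           "root cause as 18452 when both appear for one client",
    18456: "SQL login rejected: wrong password, disabled login, or server not in mixed mode",
}

def parse_errorlog(text):
    """Return one dict per logon event with client IP, message and error number.
    SQL Server logs the message first and the 'Error: N' line right after it, so
    the number is attached to the event parsed just before it."""
    events, pending = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        date, source, _level, message = raw.replace("<c/>", ",").split(",", 3)
        m = ERROR_RE.search(message)
        if m and pending is not None:
            pending.update(error=int(m.group(1)), severity=int(m.group(2)),
                           state=int(m.group(3)))
            pending = None
            continue
        client = CLIENT_RE.search(message)
        pending = {"time": date, "source": source, "message": message,
                   "client": client.group(1) if client else None, "error": None}
        events.append(pending)
    return events

def triage(text):
    """Group events by client address and attach a diagnosis per error number."""
    by_client = defaultdict(list)
    for ev in parse_errorlog(text):
        ev["diagnosis"] = DIAGNOSIS.get(ev["error"], "unclassified")
        by_client[ev["client"]].append(ev)
    return dict(by_client)
```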
ASKER
Well it's fixed. ALL DONE!! Your advice was right on, Qlemo. Thanks.
For MSSQL to work you need port 1433/tcp for the unnamed default instance, or else either a fixed port (if set up that way on MSSQL) or 1434/udp (to get the dynamic port) and that port then in the firewall.
You might have an issue with the local firewall on the clients - make sure to have the Windows Firewall disabled, at least for tests.
Sadly, besides doing some network/firewall logging and debugging on client, server and ASA, you won't get the details about why it does not work (if it does not).
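The 1434/udp step above is the SQL Server Browser (SSRP) exchange a client uses to learn a named instance's dynamic port. As an added example (not from the thread), this decodes a Browser reply and derives the ports a firewall or VPN path must permit; the reply and instance names are constructed, not captured from the poster's server.

```python
import socket

SQL_BROWSER_PORT = 1434      # SQL Server Browser listens here on udp
CLNT_UCAST_EX = b"\x03"      # SSRP request: list every instance on this host
SVR_RESP = 0x05              # first byte of the Browser's reply

def build_svr_resp(body):
    """Frame a reply the way the Browser does: 0x05, 2-byte little-endian length, data."""
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body

# Constructed reply for a host with a default instance on 1433 and a named instance
# on a dynamic port (names and version are made up for the example).
SAMPLE_RESPONSE = build_svr_resp(
    b"ServerName;EMDSSRV;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.0.5500.0;tcp;1433;;"
    b"ServerName;EMDSSRV;InstanceName;BILLING;IsClustered;No;Version;10.0.5500.0;tcp;49172;;"
)

def parse_ssrp_response(datagram):
    """Decode a SVR_RESP datagram into one dict per instance.
    The payload is ';'-separated key/value pairs; each instance record ends with ';;'."""
    if not datagram or datagram[0] != SVR_RESP:
        raise ValueError("not a SVR_RESP datagram")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", "replace")
    instances = []
    for record in body.split(";;"):
        if record:
            fields = record.split(";")
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def firewall_rules(instances):
    """(proto, port) pairs the path must permit for these instances: each instance's
    tcp port, plus udp/1434 whenever a client has to ask the Browser for a named
    instance's (possibly dynamic) port. A default instance on 1433 needs tcp only."""
    rules = set()
    for inst in instances:
        if "tcp" in inst:
            rules.add(("tcp", int(inst["tcp"])))
        if inst.get("InstanceName", "").upper() != "MSSQLSERVER":
            rules.add(("udp", SQL_BROWSER_PORT))
    return sorted(rules)

def query_browser(host, timeout=2.0):
    """Live query (needs network): ask host:1434/udp for its instances and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SQL_BROWSER_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)
```

If `query_browser` times out across the tunnel while 1433/tcp still connects, a client that addresses a named instance will fail even though the default instance works.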