Cisco AnyConnect Client Can't Talk to SQL Server

Here's my situation. I have an asa 5505 on 9.1(2) IOS. I've setup the vpn for remote access via anyconnect clients and this works and I get authenticated. I'm than able to resolve dns to the servers within that remote network, I can ping them, I can RDP to them, I can map network drives, and copy data, but I can't connect to them via SQL with a piece of Electronic Medical Billing software I use called (EMds http://www.e-mds.com/)

I have tried the latest version of any connect client available from Cisco (3.1.04066) along with prior versions like 2.5 with no luck. I've tried this on windows xp and windows 7 (different pc's on different networks) and still no luck.

Any help would be greatly appreciated. I'm not sure what to do at this point and need the expert advice.

thanks
lk878787Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
You are not imposing any firewalling rules (ACLs) on Cisco ASA for the VPN?

For MSSQL to work you need port 1433/tcp for the unnamed default instance, or else either a fixed port (if set up that way on MSSQL) or 1434/udp (to get the dynamic port) and that port then in the firewall.
You might have an issue with the local firewall on the clients - make sure to have the Windows Firewall disabled, at least for tests.

Sadly, besides doing some network/firewall logging and debugging on client, server and ASA, you won't get the details about why it does not work (if it does not).
0
lk878787Author Commented:
Here is the config from the ASA. the WAN ip's are fake. I'm actually getting a Login Failed now when accessing the wan interface through a web browser (https://67.89.45.67), So I can't even bring up the VPN. Any help would be greatly appreciated.  the sql server and the clients i've tested have their firewalls disabled.

thanks

ClovisASA5505# sh start
ClovisASA5505# sh startup-config
: Saved
: Written by cisco at 05:56:41.937 UTC Sun Oct 13 2013
!
ASA Version 9.1(2)
!
hostname ClovisASA5505
enable password Q5.xk4n2H9znnAYZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.201.201.1-10.201.201.50 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description ISP
 mac-address 0026.5af9.689b
 nameif outside
 security-level 0
 ip address 67.89.45.67 255.255.254.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
object network Local_Network
 subnet 192.168.1.0 255.255.255.0
object network Internet
 host 67.89.45.67
object network vMware_Server
 host 192.168.1.10
object network vmWare_Port_4443_443
 host 192.168.1.10
object network vmWare_Port_222_22
 host 192.168.1.10
object network vmWare_Port_902_902
 host 192.168.1.10
object network eMds_Server
 host 192.168.1.15
object network eMds_Server_3389_3389
 host 192.168.1.15
object network NETWORK_OBJ_10.201.201.0_26
 subnet 10.201.201.0 255.255.255.192
access-list outside_access_in extended permit tcp any object vMware_Server eq 4443
access-list outside_access_in extended permit tcp any object vMware_Server eq 222
access-list outside_access_in extended permit tcp any object vMware_Server eq 902
access-list outside_access_in extended permit tcp any object Internet eq ssh
access-list outside_access_in extended permit tcp any object eMds_Server eq 3389
access-list outside_access_in extended permit tcp any object vMware_Server eq https
access-list outside_access_in extended permit tcp any object vMware_Server eq ssh
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.201.201.0_26 NETWORK_OBJ_10.201.201.0_26 no-proxy-arp route-lookup
!
object network Local_Network
 nat (inside,outside) dynamic interface
object network vmWare_Port_4443_443
 nat (inside,outside) static interface service tcp https 4443
object network vmWare_Port_222_22
 nat (inside,outside) static interface service tcp ssh 222
object network vmWare_Port_902_902
 nat (inside,outside) static interface service tcp 902 902
object network eMds_Server_3389_3389
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.66.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=67.89.45.67
 keypair CLOVIS_ANYCONNECT
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate a9665852
    308201e1 3082014a a0030201 020204a9 66585230 0d06092a 864886f7 0d010105
    05003035 31153013 06035504 03130c36 382e3636 2e38322e 32323631 1c301a06
    092a8648 86f70d01 0902160d 436c6f76 69734153 41353530 35301e17 0d313331
    30313330 35353134 395a170d 32333130 31313035 35313439 5a303531 15301306
    03550403 130c3638 2e36362e 38322e32 3236311c 301a0609 2a864886 f70d0109
    02160d43 6c6f7669 73415341 35353035 30819f30 0d06092a 864886f7 0d010101
    05000381 8d003081 89028181 00a9fedc f4d2a8d2 3ca48adf 84610ce9 46e19733
    7176660c 2d3e3fc6 5e75e64d 751be257 661f4422 05b5d8a1 b1ed8938 9f660a11
    f1c05250 2afd15fc 34d3048c bf6d7892 b546309c 9b5e56da 334dfa37 08867ace
    593e2350 a9dc41e0 d1340f49 fb7820cc 118f1331 c5ab275e 6c28782a dbe948a2
    2562c3e3 7f9f3c53 ee6d9d05 31020301 0001300d 06092a86 4886f70d 01010505
    00038181 0003b63d 6698dbb6 f048d32d 3f29f5be e79e7679 c51cb052 556e25af
    e96407c3 a34e1333 37350c92 28f65bfa fae1970f e4ff85c7 8378b8c8 9541d3be
    d8b16277 87dbccb5 aea0f430 1ded5485 d92115c4 911be1e5 1d441073 674ceae7
    fc331e7e c8b87895 2010b89c c1a05d4b a37f1c00 a6fbd9e8 179fec6a df16ce97
    9052101f d4
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect profiles CLOVIS_ANYCONNECT_VPN_client_profile disk0:/CLOVIS_ANYCONNECT_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN internal
group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN attributes
 wins-server none
 dns-server value 192.168.1.11
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain none
 webvpn
  anyconnect profiles value CLOVIS_ANYCONNECT_VPN_client_profile type user
username cisco password KIklOnzBzo2pJ/xJ encrypted privilege 15
username clovisvpn password VXlcBBiSE.stdpId encrypted
tunnel-group CLOVIS_ANYCONNECT_VPN type remote-access
tunnel-group CLOVIS_ANYCONNECT_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_CLOVIS_ANYCONNECT_VPN
tunnel-group CLOVIS_ANYCONNECT_VPN webvpn-attributes
 group-alias CLOVIS_ANYCONNECT_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7ec40c4d042a9647ebe52a01d530a90e
ClovisASA5505#

Open in new window

0
lk878787Author Commented:
yeah I wasn't sure where to put this. thanks hopefully some answers soon
0
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

lk878787Author Commented:
Here is latest situation. I have the VPN anyconnect client connected and can access other resources like pinging the hosts, windows shares, rdp to this sql server. I just can't sql connect from a database program into the 192.168.1.15 server running sql 2008. I have run a
telnet 192.168.1.15 1433

Open in new window

and it looks like it works because it doesn't say timeout but sits there with a blinking cursor.

 here is latest config.

!
ClovisASA5505# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ClovisASA5505
enable password Q5.xk4n2H9znnAYZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.201.201.1-10.201.201.50 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description ISP
 mac-address 0026.5af9.689b
 nameif outside
 security-level 0
 ip address 52.56.11.22 255.255.254.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
object network Local_Network
 subnet 192.168.1.0 255.255.255.0
object network Internet
 host 52.56.11.22
object network vMware_Server
 host 192.168.1.10
object network vmWare_Port_4443_443
 host 192.168.1.10
object network vmWare_Port_222_22
 host 192.168.1.10
object network vmWare_Port_902_902
 host 192.168.1.10
object network eMds_Server
 host 192.168.1.15
object network eMds_Server_3389_3389
 host 192.168.1.15
object network VPN_Hosts
 subnet 10.201.201.0 255.255.255.0
access-list outside_access_in extended permit tcp any object vMware_Server eq 4443
access-list outside_access_in extended permit tcp any object vMware_Server eq 222
access-list outside_access_in extended permit tcp any object vMware_Server eq 902
access-list outside_access_in extended permit tcp any object Internet eq ssh
access-list outside_access_in extended permit tcp any object eMds_Server eq 3389
access-list outside_access_in extended permit tcp any object vMware_Server eq https
access-list outside_access_in extended permit tcp any object vMware_Server eq ssh
access-list ANYCONNECT_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Local_Network Local_Network destination static VPN_Hosts VPN_Hosts
!
object network Local_Network
 nat (inside,outside) dynamic interface
object network vmWare_Port_4443_443
 nat (inside,outside) static interface service tcp https 4443
object network vmWare_Port_222_22
 nat (inside,outside) static interface service tcp ssh 222
object network vmWare_Port_902_902
 nat (inside,outside) static interface service tcp 902 902
object network eMds_Server_3389_3389
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.66.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy Clovis_AnyConnect_Profile internal
group-policy Clovis_AnyConnect_Profile attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT_SPLIT_TUNNEL
 address-pools value VPN_POOL
username cisco password KIklOnzBzo2pJ/xJ encrypted privilege 15
username clovis password VXlcBBiSE.stdpId encrypted
username clovis attributes
 service-type remote-access
tunnel-group Clovis_VPN type remote-access
tunnel-group Clovis_VPN general-attributes
 default-group-policy Clovis_AnyConnect_Profile
tunnel-group Clovis_VPN webvpn-attributes
 group-alias ClovisVPN enable
!
class-map sqlnet
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:61af2857ff8bfb397172c9137c92e1eb
: end
ClovisASA5505#

Open in new window

0
fgasimzadeCommented:
Try removing

inspect sqlnet

conf t
policy-map global_policy
 class inspection_default
no inspect sqlnet
0
lk878787Author Commented:
Nope Same result after removing sqlnet.
0
lk878787Author Commented:
As another update I am able to do remote desktop from the sql server (192.168.1.15) to the anyconnect vpn client (10.201.201.1) just fine, along with pinging the vpn client.

I'm just continuing to have issues getting the sql client application to talk with server. Are there any broadcasts that must go through? What kinds of communication is unique to SQL connections that might be causing this. I'm so baffled on this problem, going on for two days now.

PLEASE HELP!!
0
Marten RuneSQL Expert/Infrastructure ArchitectCommented:
If Telnet worked, you should look at the errorlogfile for the SQL.
http://support.microsoft.com/kb/966659

I bet you've been denied logon, and your client didn't show it.

Regards Marten
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lk878787Author Commented:
This was it. finally found the answer. once I domain joined the client to this other network it worked great. the problem now is that this remote client is joined to another domain so if I create an sql user and login I get these errors. The sql server dns is pointing to the domain controller for DNS.

How could I make an sql login work so I don't have to domain join this client?

10/15/2013 08:52:56,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 18452<c/> Severity: 14<c/> State: 1.
10/15/2013 08:52:56,Logon,Unknown,SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.201.201.1]
10/15/2013 08:52:56,Logon,Unknown,Error: 17806<c/> Severity: 20<c/> State: 2.
10/15/2013 08:52:49,Logon,Unknown,Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.201.201.1]
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
The SQL user isn't used - you need to provide it in the connection properties of the application. As-is, the connection uses (or forces) Windows Authentication, which will not work outside of the (untrusted) domain, of course.
0
lk878787Author Commented:
Well it's fixed. ALL DONE!! Yur advice was right on Qlemo. thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.