lk878787
asked on
Cisco AnyConnect Client Can't Talk to SQL Server
Here's my situation. I have an asa 5505 on 9.1(2) IOS. I've setup the vpn for remote access via anyconnect clients and this works and I get authenticated. I'm than able to resolve dns to the servers within that remote network, I can ping them, I can RDP to them, I can map network drives, and copy data, but I can't connect to them via SQL with a piece of Electronic Medical Billing software I use called (EMds http://www.e-mds.com/) I can also communicate from the sql server to my vpn client via icmp and rdp.
I have tried the latest version of any connect client available from Cisco (3.1.04066) along with prior versions like 2.5 with no luck. I've tried this on windows xp and windows 7 (different pc's on different networks) and still no luck. These are fake WAN ip's. You can see I've started on a PPTP method so ignore this unless you think it's in the way.
Any help would be greatly appreciated. I'm not sure what to do at this point and need the expert advice. screenshot attached of error.
Here's my config
I have tried the latest version of any connect client available from Cisco (3.1.04066) along with prior versions like 2.5 with no luck. I've tried this on windows xp and windows 7 (different pc's on different networks) and still no luck. These are fake WAN ip's. You can see I've started on a PPTP method so ignore this unless you think it's in the way.
Any help would be greatly appreciated. I'm not sure what to do at this point and need the expert advice. screenshot attached of error.
Here's my config
ClovisASA5505# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ClovisASA5505
enable password Q5.xk4n2H9znnAYZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.201.201.1-10.201.201.50 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description ISP
mac-address 0026.5af9.689b
nameif outside
security-level 0
ip address 52.56.11.22 255.255.254.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
object network Local_Network
subnet 192.168.1.0 255.255.255.0
object network Internet
host 52.56.11.22
object network vMware_Server
host 192.168.1.10
object network vmWare_Port_4443_443
host 192.168.1.10
object network vmWare_Port_222_22
host 192.168.1.10
object network vmWare_Port_902_902
host 192.168.1.10
object network eMds_Server
host 192.168.1.15
object network eMds_Server_3389_3389
host 192.168.1.15
object network VPN_Hosts
subnet 10.201.201.0 255.255.255.0
object network Domain_Controller
host 192.168.1.11
access-list outside_access_in extended permit tcp any object vMware_Server eq 4443
access-list outside_access_in extended permit tcp any object vMware_Server eq 222
access-list outside_access_in extended permit tcp any object vMware_Server eq 902
access-list outside_access_in extended permit tcp any object Internet eq ssh
access-list outside_access_in extended permit tcp any object eMds_Server eq 3389
access-list outside_access_in extended permit tcp any object vMware_Server eq https
access-list outside_access_in extended permit tcp any object vMware_Server eq ssh
access-list outside_access_in extended permit gre any object Domain_Controller
access-list outside_access_in extended permit tcp any object Domain_Controller eq pptp
access-list ANYCONNECT_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Local_Network Local_Network destination static VPN_Hosts VPN_Hosts
!
object network Local_Network
nat (inside,outside) dynamic interface
object network vmWare_Port_4443_443
nat (inside,outside) static interface service tcp https 4443
object network vmWare_Port_222_22
nat (inside,outside) static interface service tcp ssh 222
object network vmWare_Port_902_902
nat (inside,outside) static interface service tcp 902 902
object network eMds_Server_3389_3389
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.66.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy Clovis_AnyConnect_Profile internal
group-policy Clovis_AnyConnect_Profile attributes
dns-server value 192.168.1.11
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ANYCONNECT_SPLIT_TUNNEL
default-domain value CFHC.LOCAL
address-pools value VPN_POOL
webvpn
anyconnect ssl keepalive 20
anyconnect dpd-interval client 30
username cisco password KIklOnzBzo2pJ/xJ encrypted privilege 15
username clovis password VXlcBBiSE.stdpId encrypted
username clovis attributes
service-type remote-access
tunnel-group Clovis_VPN type remote-access
tunnel-group Clovis_VPN general-attributes
default-group-policy Clovis_AnyConnect_Profile
tunnel-group Clovis_VPN webvpn-attributes
group-alias ClovisVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map mssql
match port tcp eq 1433
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:45c930d4b4d23a1bb152013aedef140d
: end
ClovisASA5505#
Untitled.png
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I had another person give me guidance for the same question. so I'm using his advice here.
Are you sure the SQL Server service is running on port 1433?
If the SQL Server service isn't running on the default port you'll probably need the SQL Server Browser service. The service listens to UDP port 1434. I don't see a rule in your config for this service.
You can also try to adjust the connectionstring of the application to something like this:
SQLSERVER,PORTNUMBER
To find the port number use the SQL Server Configuration Manager. Expand the SQL Server Network Configuration and select Protocols for MSSQLSERVER (default instance). In the right hand pane you’ll see protocols (Shared Memory, Named Pipes, TCP/IP, VIA). Double click on TCP/IP the properties dialog box will appear. Select the IP Addresses tab you will now see your IP addresses and which TCP port they are running under.