Port 3306

Unanswered Question

I have pix 515e sitting in front of a webserver that is running linux and mysql. Mysql requires port 3306 be open so in the config on the pix would i just a access-list InboundFilter permit udp 3306

access-list InboundFilter permit tcp 3306

or do i also need to add:

fixup protocol mysql 3306

wich do i need or do i need all 3? Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

First - if you do not have any access lists applied to the inside interface for outbound filtering then you don?t need to do anything as by default everything from a high security interface to a low security interface is allowed out, so your mySQL server will be able to communicate.

But, if you require access to your mySQL server from the outside on TCP port 3306 then you'll need to setup an access list on the outside interface and a static translation for your mySQL server for TCP port 3306.

One question here - are you allowing any outside hosts to be able to connect to your mySQL server on TCP port 3306 or a specific host?

The required configuration for allowing access to your mySQL server on TCP port 3306 is:

In configuration mode:

access-list outside-in permit tcp any host eq 3306

access-group outside-in in interface outside

static (inside,outside) tcp 3306 3306 netmask 255.255.255.255 0 0

I would write out the configuration on a notepad first, copy any outside access list configuration to notepad and edit this with your new requirement - before copying back the edited configuration onto the PIX (in configuration mode), you'll need to add (as the first line of the edited configuration)

no access-list

i.e.

no access-list outside-in

access-list outside-in permit tcp any host eq 3306

--- any other outside interface access lists ----

access-group outside-in in interface outside

Save with - write mem and also issue - clear xlate

Now, if you have a need to give access to a specific host from the outside then all you need to do is amend the access list as:

access-list outside-in permit tcp host host eq 3306

I hope the above helps and if it does please rate posts!

Jay

Actions

This Discussion