Pix getting SQL hits

Mar 23rd, 2007

I presently have a 506e pix that has port 1433 open (SQL) and is being hit from an outside source. I want to close it off, but use it internally between another 506e pix from another location (colo to office). Can you please let me know what entries on my pix(s) I need to use to keep open the port 1433 between the two pixes, but block everyone else. Here's my info from the pix:


(PIX A)

ip address outside 66.243.86.213 255.255.255.240
ip address inside 10.0.0.1 255.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.243.86.209 1

(PIX B)

access-list 101 permit tcp any host 66.243.84.172 eq smtp
access-list 101 permit tcp any host 66.243.84.173 eq 1433
static (inside,outside) 66.243.84.165 SQL2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 66.243.84.163 1


acomiskey Fri, 03/23/2007 - 13:02

Change...


access-list 101 permit tcp any host 66.243.84.173 eq 1433


to this


access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433


This will allow only 66.243.86.213 to access 66.243.84.173 on SQL instead of allowing any. I am assuming you have clients inside PIX A who are NATing to the outside interface of the PIX.

sherbert08 Fri, 03/23/2007 - 13:21

I do have users inside of PIX A that will need to access the SQL port. This will allow all users on this subnet to get to that box on port 1433, right? Thanks, I am new to this and it's hard making changes on a live firewall.

acomiskey Fri, 03/23/2007 - 13:33

As long as those users are NATing to the outside address of the PIX, then yes. Do you have something like this in PIX A?


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
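The two checks this thread turns on (PIX A PATs its inside clients to its outside interface address, and PIX B has an ACE that lets any source reach port 1433) as an added Python audit script. This is not part of the original thread or any Cisco tool; the regexes, function names and the sample config, assembled from the lines posted above, are my own assumptions.

```python
import re

# Sample config, constructed from the thread: PIX B's outside ACL and PIX A's
# outside address plus its NAT/global pair.
PIX_B_ACL = """\
access-list 101 permit tcp any host 66.243.84.172 eq smtp
access-list 101 permit tcp any host 66.243.84.173 eq 1433
"""
PIX_A_CFG = """\
ip address outside 66.243.86.213 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) permit tcp (?P<src>any|host \S+) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)$"
)


def translated_source(cfg):
    """Address PIX A's inside clients appear from on the Internet, or None.
    'global (outside) N interface' PATs everything matched by 'nat (inside) N'
    to the outside interface address, so that single address is the only
    source PIX B will ever see from this site."""
    outside_ip = global_id = nat_id = None
    for line in cfg.splitlines():
        if m := re.match(r"ip address outside (\S+) ", line):
            outside_ip = m.group(1)
        elif m := re.match(r"global \(outside\) (\d+) interface$", line):
            global_id = m.group(1)
        elif m := re.match(r"nat \(inside\) (\d+) ", line):
            nat_id = m.group(1)
    return outside_ip if global_id and global_id == nat_id else None


def narrow_exposed_port(acl_cfg, port, peer_src):
    """Return PIX commands replacing each ACE that permits 'any' source to
    `port` with one limited to `peer_src` ('no access-list ...' removes the
    old ACE; the narrowed one is then appended to the same ACL)."""
    commands = []
    for line in acl_cfg.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["src"] == "any" and m["port"] == port:
            commands.append("no " + line.strip())
            commands.append(f"access-list {m['acl']} permit tcp host {peer_src} "
                            f"host {m['dst']} eq {port}")
    return commands
```

Run `narrow_exposed_port(PIX_B_ACL, "1433", translated_source(PIX_A_CFG))` to get the two lines to paste into PIX B; if `translated_source` returns None, PIX A is not PATing to its interface and the narrowed ACE would block its users.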

sherbert08 Fri, 03/23/2007 - 13:54

Yes... we are doing NATing and this entry is in my config.


Thank you... I will let you know how I make out.
