Pix getting SQL hits

sherbert08
Level 1

I presently have a 506e pix that has port 1433 open (SQL) and is being hit from an outside source. I want to close it off, but use it internally between another 506e pix from another location (colo to office). Can you please let me know what entries on my pix(s) I need to use to keep open the port 1433 between the two pixes, but block everyone else. Here's my info from the pix:

(PIX A)

ip address outside 66.243.86.213 255.255.255.240

ip address inside 10.0.0.1 255.0.0.0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 66.243.86.209 1

(PIX B)

access-list 101 permit tcp any host 66.243.84.172 eq smtp

access-list 101 permit tcp any host 66.243.84.173 eq 1433

static (inside,outside) 66.243.84.165 SQL2 netmask 255.255.255.255 0 0

access-group 101 in interface outside

access-group acl_inside in interface inside

route outside 0.0.0.0 0.0.0.0 66.243.84.163 1

4 Replies

acomiskey
Level 10

Change...

access-list 101 permit tcp any host 66.243.84.173 eq 1433

to this

access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433

This will allow only 66.243.86.213 to access 66.243.84.173 on SQL instead of allowing any. I am assuming you have clients inside Pix A who are NAT'ing to the outside interface of the pix.

I do have users inside of Pix A that will need to access the SQL port. This will allow all users on this subnet to get to that box on port 1433, right? Thanks, I am new to this and it's hard making changes on a live firewall.

As long as those users are nat'ing to the outside address of pix then yes. Do you have something like this in Pix A?

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Yes ... we are doing NATing and this entry is in my config.

thank you .... I will let you know how I make out
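The narrowing acomiskey describes, turned into a small ACL audit as an added example (not code from this thread or from Cisco): it parses PIX-style access-list lines, flags permit entries that open a sensitive port to any source, and rewrites such a line to a single allowed host. The sample lines are constructed after the ones quoted above; the sensitive-port list and the function names are assumptions.

```python
# Constructed sample, modelled on the ACL lines quoted in the thread; not a live config.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 66.243.84.172 eq smtp
access-list 101 permit tcp any host 66.243.84.173 eq 1433
access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433
access-list 101 deny tcp any host 66.243.84.173 eq 1433
"""

# Assumption: the ports this audit treats as "never open to any".
SENSITIVE_PORTS = {"1433", "1434", "3389", "telnet", "23"}


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]   # network + mask


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict, or None."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"acl": tokens[1], "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst, "port": port}


def find_exposed(config, sensitive_ports=SENSITIVE_PORTS):
    """Return (dst, port) for every permit ACE that opens a sensitive port to 'any'."""
    hits = []
    for line in config.strip().splitlines():
        ace = parse_ace(line)
        if ace and ace["action"] == "permit" and ace["src"] == "any" \
                and ace["port"] in sensitive_ports:
            hits.append((ace["dst"], ace["port"]))
    return hits


def harden(line, allowed_host):
    """Rewrite a 'permit PROTO any ...' ACE so only allowed_host matches as the source."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[4] != "any":
        raise ValueError("source is not 'any'; nothing to narrow")
    return " ".join(tokens[:4] + ["host", allowed_host] + tokens[5:])
```

The check only reads ACL text; as the thread notes, a single-host source rule covers the office users only because the hosts behind PIX A are translated to its outside interface address.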
