03-23-2007 12:29 PM - edited 03-05-2019 03:04 PM
I presently have a 506e PIX that has port 1433 open (SQL) and is being hit from an outside source. I want to close it off, but use it internally between another 506e PIX at another location (colo to office). Can you please let me know what entries on my PIX(es) I need to use to keep port 1433 open between the two PIXes, but block everyone else? Here's my info from the PIX:
(PIX A)
ip address outside 66.243.86.213 255.255.255.240
ip address inside 10.0.0.1 255.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.243.86.209 1
(PIX B)
access-list 101 permit tcp any host 66.243.84.172 eq smtp
access-list 101 permit tcp any host 66.243.84.173 eq 1433
static (inside,outside) 66.243.84.165 SQL2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 66.243.84.163 1
03-23-2007 01:02 PM
Change...
access-list 101 permit tcp any host 66.243.84.173 eq 1433
to this
access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433
This will allow only 66.243.86.213 to access 66.243.84.173 on SQL instead of allowing any. I am assuming you have clients inside PIX A who are NATing to the outside interface of the PIX.
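An added audit helper (not from this thread or from Cisco) that parses PIX-style access-list lines, flags any rule exposing a sensitive port such as 1433 to "any" source, and rewrites it in the host-restricted form shown above. The grammar is a deliberately minimal subset of PIX 6.x syntax and the sample lines are the two rules quoted from PIX B.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Minimal grammar for the access-list lines seen in this thread:
#   access-list <id> permit|deny <proto> <src> <dst> [eq <port>]
# <src>/<dst> is "any", "host <ip>", or "<net> <mask>".
ADDR = r"(?:any|host \S+|\S+ \S+)"
RULE_RE = re.compile(
    rf"^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})(?: eq (?P<port>\S+))?$"
)

# Sample input constructed from the PIX B lines quoted in the question.
PIX_B_ACL = [
    "access-list 101 permit tcp any host 66.243.84.172 eq smtp",
    "access-list 101 permit tcp any host 66.243.84.173 eq 1433",
]


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one access-list line; return None for anything unrecognised."""
    m = RULE_RE.match(line.strip())
    return Rule(**m.groupdict()) if m else None


def exposed_rules(lines: Iterable[str], sensitive_ports=frozenset({"1433"})) -> List[Rule]:
    """Return permit rules that let *any* source reach a sensitive port."""
    found = []
    for line in lines:
        r = parse_rule(line)
        if r and r.action == "permit" and r.src == "any" and r.port in sensitive_ports:
            found.append(r)
    return found


def restrict_source(rule: Rule, src_host: str) -> str:
    """Rewrite a rule so only src_host may reach the destination.

    src_host is the address the remote clients appear from; with PAT to the
    PIX outside interface (as in the reply) that is the peer's outside IP.
    """
    port = f" eq {rule.port}" if rule.port else ""
    return f"access-list {rule.acl} {rule.action} {rule.proto} host {src_host} {rule.dst}{port}"
```

The smtp rule is intentionally left alone: only the port set passed to `exposed_rules` is treated as sensitive, so a mail relay that must accept any source is not flagged.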
03-23-2007 01:21 PM
I do have users inside of PIX A that will need to access the SQL port. This will allow all users on this subnet to get to that box on port 1433, right? Thanks, I am new to this and it's hard making changes on a live firewall.
03-23-2007 01:33 PM
As long as those users are NATing to the outside address of the PIX, then yes. Do you have something like this in PIX A?
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
03-23-2007 01:54 PM
Yes, we are doing NATing and this entry is in my config.
Thank you. I will let you know how I make out.