506e needing to close port 1433

Answered Question
May 31st, 2007

I am the most experienced techie here but am admittedly out of my element with setting the 506e to block port 1433. The SQL server is getting hits from outside. Can someone step me through this?

Do I:

1. create an Access Rule
2. select deny
3. Source Interface: outside All
4. Destination SQL server
5. TCP eq any
6. Destination port eq 1433


We have people needing to VPN and sync files to the SQL server, but only through VPN. Another application is Citrix, which people need to access.

Any help would be greatly appreciated.

Correct Answer by acomiskey about 9 years 4 months ago

5510 probably. Take a look at this comparison chart if you haven't already.


Oh, and don't forget the new reputable firewall guy :)

acomiskey Thu, 05/31/2007 - 08:58

If the SQL server is getting hit on port 1433 from the outside, then there must be a specific rule allowing that traffic. Therefore you would remove the existing permit and it would then be denied. Does this help?

Sluggofish Thu, 05/31/2007 - 09:18

I see that there are nine Access Rules. Some I can rule out. I put NA next to the ones I think do not apply; it is intended on my part as an attempt to understand.

Do you know from this information which I need to change? Is there more than one needing changing?

The services listed are:

1 ip, NA
2 icmp,
3 pptp/tcp,
4 gre, NA
5 https/tcp,
6 http/tcp,
7 3389/tcp, NA previous support group server1
8 3389/tcp, NA previous support group server2
9 smtp/tcp.

Thanks for the quick reply before.

acomiskey Thu, 05/31/2007 - 09:28

What network is the SQL server on, and to which interface of the firewall is it attached?

What is the source of the 1433 traffic you are attempting to deny, and on which interface of the firewall is it coming in?

I assume it is coming from outside to inside, but from what you have posted above, sqlnet is not permitted, so this must not be the case. That 1st one isn't permit ip any any, is it?

Sluggofish Thu, 05/31/2007 - 10:40

Cisco 2600
Pix 506e
SBS2003SP2: housing SQL2005 for CRM, Exchange, and Domain Controller
WinServ2003: Data files and Citrix
25 inside clients
15 outside clients
Using Strong Password Encryption

The traffic is from outside. This is what I am getting from the Monitoring report log, which leads me to believe that there is an effort to get into our port 1433. At least that is what I have been told by a security member at Microsoft. They said I had to turn off port 1433.

This is the message from the monitoring report:

Login failed for user 'sa'. [CLIENT:]

The first one is: source is from both servers, destination outside: any, interface is inside (outbound), service is ip, description is Implicit outbound rule.

Does this help?

acomiskey Thu, 05/31/2007 - 11:10

If you could post the textual config that would be great. I think you can get it from the File menu?

Sluggofish Thu, 05/31/2007 - 11:19

Building configuration...
: Saved

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname ETI-FW-01
domain-name et-inc.biz
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

name PIX-560e
name 216.x.x.0 SiteTechLLC

access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit gre any any
access-list acl_out permit tcp any any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp SiteTechLLC host eq 3389
access-list acl_out permit tcp SiteTechLLC host eq 3389
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit ip any any
access-list 100 permit ip
no pager
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging facility 23
logging queue 8192
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.190
ip address inside PIX-560e
ip audit info action alarm
ip audit attack action alarm
ip local pool vpngroup
pdm location inside
pdm location PIX-560e inside
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm location ET-SERVER2 inside
pdm location SiteTechLLC outside
pdm location ET-SERVER1 inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 0 access-list 100
nat (inside) 1 0 0
static (inside,outside) ET-SERVER2 netmask 0 0
static (inside,outside) ET-SERVER1 netmask 0 0
access-group acl_out in interface outside
route outside 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 1:00:00 udp 1:00:00 rpc 1:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community ETIpublic
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map etiremote 10 set transform-set myset
crypto map remote 10 ipsec-isakmp dynamic etiremote
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 216.x.x.190 netmask no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup etiremote address-pool vpngroup
vpngroup etiremote wins-server
vpngroup etiremote default-domain eti-inc.biz
vpngroup etiremote idle-time 1800
vpngroup etiremote password ********
telnet inside
telnet timeout 30
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.0 outside
ssh inside
ssh timeout 5
terminal width 80

: end


acomiskey Thu, 05/31/2007 - 11:29

This line is allowing any from the outside to any on the inside, which is very bad. Remove this one...

access-list acl_out permit ip any any

After you do that, the only things open to ET-SERVER1 from the outside would be icmp, 1723, gre, 443, www, 3389 and smtp. Not SQL. You should not see any more SQL hits from anywhere outside.
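As an added illustration (not code from the thread, from the poster's firewall, or from Cisco), the script below parses access-list lines in the PIX syntax shown in the posted config and applies the first-match logic acomiskey describes: it flags any "permit ip any any" catch-all and reports which TCP ports an arbitrary Internet host can reach on a given inside host, before and after the catch-all is removed. The ACL text is reconstructed from the posted config; the host and network addresses the poster elided are replaced with constructed placeholders (ET-SERVER1, ET-SERVER2, a SiteTechLLC /24), and named-network matching is by name only, not real address/mask arithmetic.

```python
"""Audit a PIX-style access-list for catch-all permits and Internet-exposed ports.

Added example; not code from the thread or from Cisco. Addresses the poster
elided are replaced with constructed placeholders, so the numbers are illustrative.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pptp": 1723}
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
INTERNET = "<arbitrary internet host>"   # a source that only an "any" entry can match

@dataclass
class Ace:
    acl: str
    action: str            # permit | deny
    proto: str             # ip, tcp, udp, icmp, gre, ...
    src: str               # "any", "host X", or "NETWORK/MASK"
    dst: str
    dport: Optional[int]   # None when the entry carries no "eq <port>"
    text: str              # the original line, for reporting

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]

def _addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: any | host X | NETWORK MASK."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    if i + 1 < len(t) and DOTTED.match(t[i + 1]):
        return f"{t[i]}/{t[i + 1]}", i + 2
    raise ValueError(f"unrecognised address spec: {t[i]!r}")

def _eq_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one access-list line. Returns None for lines this small parser does
    not model (stripped addresses, range/gt operators, trailing keywords)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    try:
        src, i = _addr(t, 4)
        _sport, i = _eq_port(t, i)      # source-port clause, ignored by this audit
        dst, i = _addr(t, i)
        dport, i = _eq_port(t, i)
    except (IndexError, ValueError, KeyError):
        return None
    return Ace(t[1], t[2], t[3], src, dst, dport, line) if i == len(t) else None

def _addr_matches(spec: str, value: str) -> bool:
    """'any' matches everything; 'host X' matches X; 'NET/MASK' matches the network's name."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == value
    return spec.split("/", 1)[0] == value

def first_match(entries: List[Ace], proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """PIX evaluates an ACL top-down and the first match wins; no match is an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_matches(e.src, src) and _addr_matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None

def is_permitted(entries: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    m = first_match(entries, proto, src, dst, dport)
    return m is not None and m.action == "permit"

def catch_all_permits(entries: List[Ace]) -> List[Ace]:
    return [e for e in entries
            if e.action == "permit" and e.proto == "ip" and e.src == "any" and e.dst == "any"]

def load(text: str) -> List[Ace]:
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a]

def audit(text: str, host: str = "ET-SERVER1",
          candidates=(25, 80, 443, 1433, 1723, 3389)) -> dict:
    entries = load(text)
    return {
        "catch_all": [e.text for e in catch_all_permits(entries)],
        "exposed_tcp": sorted(p for p in candidates
                              if is_permitted(entries, "tcp", INTERNET, host, p)),
        "sql_1433_open": is_permitted(entries, "tcp", INTERNET, host, 1433),
    }

# Constructed from the posted config; elided hosts/networks replaced with placeholders.
ACL_AS_POSTED = """\
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit gre any any
access-list acl_out permit tcp any any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host ET-SERVER1 eq 3389
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host ET-SERVER2 eq 3389
access-list acl_out permit tcp any host ET-SERVER1 eq smtp
access-list acl_out permit ip any any
"""
ACL_FIXED = "\n".join(l for l in ACL_AS_POSTED.splitlines()
                      if l != "access-list acl_out permit ip any any")

if __name__ == "__main__":
    for label, text in (("as posted", ACL_AS_POSTED), ("catch-all removed", ACL_FIXED)):
        print(label, audit(text))
```

Run as-is, the "as posted" audit reports the catch-all line and shows 1433 (and 3389 from anywhere) reachable; with the line removed, only 25, 80, 443 and 1723 remain open from an arbitrary Internet source, and 3389 is reachable only from the SiteTechLLC network, which is what acomiskey's summary predicts.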

Sluggofish Fri, 06/01/2007 - 09:00

I think that did it. Thanks. I explained to the local person in charge of networking, who is admittedly not IT, and he could not believe that it was set up that way. They are going to go back to the "reputable" service providers and ask why.

On another note, did you see any reason why we have to reset the 506e to reconnect users to the internet? It happened again today. Someone left the building with their laptop and came in a day or two later, plugged into the network, turned on the laptop and connected to the network. E-mail and local connections are fine, but the only way I can get him Internet access is to power off the unit and turn it back on while he is connected to the Internet. Repairing the network adapter or restarting the laptop does not help either. I do have a post elsewhere in the forum, but it has not resolved the issue.

If you do not know that is fine. You have been a great help and quick with responses. Amazingly quick!

acomiskey Fri, 06/01/2007 - 09:43

Have you looked for a bug or considered upgrading from 6.1?

Sluggofish Fri, 06/01/2007 - 09:54

Kind of funny you should say what you did. Yes, we had a rootkit recently, and for how long is anyone's guess. But it seems gone now and all services and applications are working properly. We are looking at reasonable upgrades for the system, like adding a box for SQL. We are looking at upgrading and a few ideas. Which model of ASA would you recommend?

Currently, 40 clients, with about half accessing via the internet to Citrix and VPN for CRM 3.0. Two boxes at this time: SBS2003 and Win2003.

I am going to time you this time since you seem to be reading this as I type.

acomiskey Thu, 05/31/2007 - 11:46

Ah, thanks for the correction, but I did say SQL in my last post. :)
