05-31-2007 07:55 AM - edited 03-11-2019 03:23 AM
I am the most experienced techie here, but am admittedly out of my element with setting the 506e to block port 1433. The SQL server is getting hits from outside. Can someone step me through this?
Do I:
1. create a Access Rule
2. select deny
3. Source Interface: outside All
4. Destination SQL server
5. TCP eq any
6. Destination port eq 1433
Network:
We have people needing to VPN and sync files to the SQL server, but only through VPN. Another application is Citrix, which people need to access.
Any help would be greatly appreciated.
05-31-2007 08:58 AM
If the SQL server is getting hit on port 1433 from the outside then there must be a specific rule allowing that traffic. So you would remove the existing permit, and the traffic would then be denied. Does this help?
05-31-2007 09:18 AM
I see that there are nine Access Rules. Some I can rule out. I put NA next to the ones I think do not apply; it is intended on my part as an attempt to understand.
Do you know from this information which I need to change? Is there more than one needing changing?
The services listed are:
1 ip, NA
2 icmp,
3 pptp/tcp,
4 gre, NA
5 https/tcp,
6 http/tcp,
7 3389/tcp, NA previous support group server1
8 3389/tcp, NA previous support group server2
9 smtp/tcp.
Thanks for the quick reply before.
05-31-2007 09:28 AM
What network is the sql server on, and on which interface of firewall is it attached to?
What is the source of the 1433 traffic you are attempting to deny, and which interface is this coming in on at the firewall?
I assume it is coming from outside to inside, but from what you have posted above, sqlnet is not permitted, so this must not be the case. That 1st one isn't permit ip any any is it?
05-31-2007 10:40 AM
Network:
Cisco 2600
Pix 506e
SBS2003SP2: 216.91.146.162 housing, SQL2005 for CRM, Exchange, and Domain Controller
WinServ2003: Data files and citrix
25 inside clients
15 outside clients
Using Strong Password Encryption
The traffic is from outside. This is what I am getting from the Monitoring report log, which leads me to believe that there is an effort to get into our port 1433. At least that is what I have been told by a security member at Microsoft. They said I had to turn off port 1433.
This is the message from the monitoring report:
Login failed for user 'sa'. [CLIENT: 200.123.132.141]
The first one's source is both servers, destination outside:any, interface is inside (outbound), service is ip, description is Implicit outbound rule.
Does this help?
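The "Login failed for user 'sa'" line quoted above is the SQL Server error-log message for a rejected login, and the CLIENT field is what tells you where the attempts come from. As an added example, not part of the original post, the Python below parses such lines, separates clients on the inside LAN and the PIX VPN pool from everything else, and flags external sources with repeated failures against one account. The sample log lines are constructed here, and treating 192.168.1.0/24 as the VPN pool's network (the posted config hands out 192.168.1.1-192.168.1.25) is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Sources the poster treats as legitimate: the inside LAN (192.168.10.0/24) and the PIX
# VPN address pool (192.168.1.1-192.168.1.25 in the posted config). Widening the pool
# to its /24 is an assumption made here for simplicity.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]

# SQL Server 2005 error-log form quoted in the post: Login failed for user 'sa'. [CLIENT: a.b.c.d]
LOGIN_FAILED_RE = re.compile(
    r"Login failed for user '(?P<user>[^']+)'\.\s*\[CLIENT: (?P<client>\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_failed_logins(lines):
    """Yield (user, client_ip) for each failed-login line; other log lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("client")


def summarize(lines):
    """Count failures per (client, user), split by whether the client is a trusted source."""
    external, trusted = Counter(), Counter()
    for user, client in parse_failed_logins(lines):
        (trusted if is_trusted(client) else external)[(client, user)] += 1
    return external, trusted


def flag_external_guessing(lines, threshold=3):
    """(client, user) pairs from outside the trusted networks at or above the threshold."""
    external, _ = summarize(lines)
    return sorted(key for key, n in external.items() if n >= threshold)


# Constructed sample (not real log data): the quoted line repeated, plus unrelated entries.
SAMPLE_LOG = [
    "2007-05-31 07:40:01.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2007-05-31 07:40:01.12 Logon       Login failed for user 'sa'. [CLIENT: 200.123.132.141]",
    "2007-05-31 07:40:02.55 Logon       Login failed for user 'sa'. [CLIENT: 200.123.132.141]",
    "2007-05-31 07:40:03.98 Logon       Login failed for user 'sa'. [CLIENT: 200.123.132.141]",
    "2007-05-31 07:41:10.00 Logon       Login failed for user 'admin'. [CLIENT: 200.123.132.141]",
    "2007-05-31 08:02:17.30 Logon       Login failed for user 'crmuser'. [CLIENT: 192.168.1.7]",
    "2007-05-31 08:05:00.00 spid51      Starting up database 'CRM'.",
]

if __name__ == "__main__":
    external, trusted = summarize(SAMPLE_LOG)
    for (client, user), n in external.most_common():
        print(f"EXTERNAL {client} -> '{user}': {n} failures")
    for (client, user), n in trusted.most_common():
        print(f"trusted  {client} -> '{user}': {n} failures")
    print("flagged:", flag_external_guessing(SAMPLE_LOG))
```

Run against the real ERRORLOG, the external counter is the list of addresses that should never have been able to reach tcp/1433 in the first place; a single trusted VPN client mistyping a password shows up in the other bucket and is not flagged.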
05-31-2007 11:10 AM
If you could post the textual config that would be great. I think you can get it from the File menu?
05-31-2007 11:19 AM
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
**
hostname ETI-FW-01
domain-name et-inc.biz
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.9 ET-SERVER2
name 192.168.10.100 PIX-560e
name 216.x.x.0 SiteTechLLC
name 192.168.10.234 ET-SERVER1
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit gre any any
access-list acl_out permit tcp any any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.162 eq 3389
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.163 eq 3389
access-list acl_out permit tcp any host 216.91.146.162 eq smtp
access-list acl_out permit ip any any
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
no pager
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging facility 23
logging queue 8192
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.190 255.255.255.224
ip address inside PIX-560e 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpngroup 192.168.1.1-192.168.1.25
pdm location 192.168.10.2 255.255.255.255 inside
pdm location PIX-560e 255.255.255.255 inside
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 64.255.240.8 255.255.255.255 outside
pdm location 64.255.240.51 255.255.255.255 outside
pdm location 64.255.240.0 255.255.255.0 outside
pdm location ET-SERVER2 255.255.255.255 inside
pdm location SiteTechLLC 255.255.255.0 outside
pdm location ET-SERVER1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 216.91.146.169-216.91.146.189 netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 216.91.146.163 ET-SERVER2 netmask 255.255.255.255 0 0
static (inside,outside) 216.91.146.162 ET-SERVER1 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 216.91.146.161 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 1:00:00 udp 1:00:00 rpc 1:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community ETIpublic
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map etiremote 10 set transform-set myset
crypto map remote 10 ipsec-isakmp dynamic etiremote
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 216.x.x.190 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup etiremote address-pool vpngroup
vpngroup etiremote wins-server 192.168.10.10
vpngroup etiremote default-domain eti-inc.biz
vpngroup etiremote idle-time 1800
vpngroup etiremote password ********
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
05-31-2007 11:29 AM
This line is allowing any from the outside to any on the inside, which is very bad. Remove this one...
access-list acl_out permit ip any any
After you do that the only thing open to ET-SERVER1 from the outside would be icmp, 1723, gre, 443, www, 3389 and smtp. Not sql. You should not see any more sql hits from anywhere outside.
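Why removing that one line is enough: a PIX access-list is evaluated top to bottom, the first matching entry wins, and a packet that matches no entry is dropped by the implicit deny at the end. A trailing permit ip any any is a catch-all that makes every other line of acl_out irrelevant. As an added example, not code from the original thread, the Python below parses the posted acl_out, evaluates the outside-to-216.91.146.162 tcp/1433 flow before and after removing the catch-all, and lists any permit ip any any entries. The config excerpt is copied from the post, except that the obfuscated 216.x.x.0 behind the SiteTechLLC name is replaced with the RFC 5737 placeholder 203.0.113.0 so that it parses.

```python
import ipaddress
import re

# Service keywords the posted ACEs use in place of port numbers.
PORT_ALIASES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pptp": 1723}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

# acl_out as posted; SiteTechLLC is mapped to a constructed placeholder network (see lead-in).
SAMPLE_CONFIG = """
name 192.168.10.9 ET-SERVER2
name 203.0.113.0 SiteTechLLC
name 192.168.10.234 ET-SERVER1
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit gre any any
access-list acl_out permit tcp any any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.162 eq 3389
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.163 eq 3389
access-list acl_out permit tcp any host 216.91.146.162 eq smtp
access-list acl_out permit ip any any
access-group acl_out in interface outside
"""


def _parse_addr(tokens, names):
    """Consume one PIX address spec: 'any', 'host X', or 'NET MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    net = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_ALIASES[p]), tokens[2:]
    return None, tokens


def parse_acls(config_text):
    """Return {acl_name: [ace, ...]} from 'name' and 'access-list' lines, in configured order."""
    names, acls = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()
            names[alias] = ip
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        acl_name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _parse_addr(tokens, names)
        sport, tokens = _parse_port(tokens)
        dst, tokens = _parse_addr(tokens, names)
        dport, _ = _parse_port(tokens)
        acls.setdefault(acl_name, []).append(
            {"line": line, "action": action, "proto": proto,
             "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dport=None, sport=None):
    """PIX semantics: first matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", None


def catch_all_permits(aces):
    """Entries that permit any protocol from anywhere to anywhere: the lines to remove."""
    return [a["line"] for a in aces
            if a["action"] == "permit" and a["proto"] == "ip"
            and a["src"].prefixlen == 0 and a["dst"].prefixlen == 0]


def without(aces, bad_lines):
    return [a for a in aces if a["line"] not in bad_lines]


if __name__ == "__main__":
    acl = parse_acls(SAMPLE_CONFIG)["acl_out"]
    bad = catch_all_permits(acl)
    flow = ("tcp", "200.123.132.141", "216.91.146.162", 1433)
    print("catch-all entries:", bad)
    print("1433 from outside, as posted:     ", evaluate(acl, *flow))
    print("1433 from outside, after removal: ", evaluate(without(acl, bad), *flow))
    print("smtp still reachable after removal:",
          evaluate(without(acl, bad), "tcp", "200.123.132.141", "216.91.146.162", 25))
```

The same evaluator answers the follow-up question of what the two servers still expose once the catch-all is gone: run it over the ports you care about and anything that returns ("deny", None) is dropped at the outside interface before it ever reaches the static translation.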
06-01-2007 09:00 AM
I think that did it. Thanks. I explained to the local person, in charge of networking who is admittedly not IT, and he could not believe that it was set up that way. They are going to go back to the "reputable" service providers and ask why.
On another note: did you see any reason why we have to reset the 506e to reconnect users to the internet? It happened again today. Someone left the building with their laptop and came in a day or two later, plugged into the network, turned on the laptop and connected to the network. E-mail and local connections are fine, but the only way I can get him Internet access is to power off the unit and turn it back on while he is connected to the Internet. Repairing the network adapter or restarting the laptop does not help either. I do have a post elsewhere in the forum, but it has not resolved the issue.
If you do not know that is fine. You have been a great help and quick with responses. Amazingly quick!
06-01-2007 09:43 AM
Have you looked for a bug or considered upgrading from 6.1?
06-01-2007 09:54 AM
Kind of funny you should say what you did. Yes, we had a rootkit recently, and for how long is anyone's guess. But it seems gone now and all services and applications are working properly. We are looking at reasonable upgrades for the system, like adding a box for SQL. We are looking at upgrading and a few ideas. Which model of ASA would you recommend?
Currently, 40 clients with about half accessing via internet to Citrix and VPN for CRM 3.0. Two boxes at this time SBS2003 and Win2003.
I am going to time you this time since you seem to be reading this as I type.
06-01-2007 10:05 AM
5510 probably. Take a look at this comparison chart if you haven't already.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Oh, and don't forget the new reputable firewall guy :)
05-31-2007 11:45 AM
Just an fyi, sqlnet is not for SQL TCP 1433 traffic, its for TCP 1521 Oracle SQLNet traffic.
05-31-2007 11:46 AM
Ah thanks for the correction, but I did say sql in my last post. :)
05-31-2007 11:49 AM
no prob, good thing you caught his "permit ip any any" on the outside int.