08-15-2007 07:09 AM - edited 03-11-2019 03:58 AM
Hi Folks,
I recently made some changes on our firewall to use port redirection. Essentially, I wanted to use a different port for people on the outside to connect to my SQL server. Thanks to those that answered my post, everthing works great.
However, I noticed that if someone on the local network uses the server (the one the changes effect) to make a connection to the Internet, suddenly, no one one on the outside can connect to the machine. I have to clear the XLATE table before it accepts connections. (all other connections are fine)
I examined the xlate table and it appears that when an outbound connection is made, it uses one of my global addresses instead of the static address I setup.
I've posted a partial config and xlate table for review. If someone could let me know what I did wrong, I would appreciate it...Thanks
access-list outside_access_in permit tcp any host x.x.x.109 eq 7505
access-list outside_access_in permit tcp any host x.x.x.109 eq 7506
access-list outside_access_in permit tcp any host x.x.x.109 eq pcanywhere-data
access-list outside_access_in permit tcp any host x.x.x.109 eq 5632
access-list outside_access_in permit tcp any host x.x.x.109 eq www
access-list outside_access_in permit tcp any host x.x.x.109 eq https
static (inside,outside) tcp x.x.x.109 5632 192.168.0.109 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 pcanywhere-data 192.168.0.109 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 7505 192.168.0.109 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 7506 192.168.0.109 1434 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 www 192.168.0.109 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 https 192.168.0.109 https netmask 255.255.255.255 0 0
static (outside,inside) 192.168.0.109 x.x.x.109 netmask 255.255.255.255 0 0
XLATE Connection (partial)
PAT Global x.x.x.109(80) Local 192.168.0.109(80)
Global x.x.x.111 Local 192.168.0.109
The above global statement should use the same .109 address when a connection is made to the outside, but for some reason it grabs one of the addresses from my dynamic pool (it starts at 110).
Solved! Go to Solution.
08-17-2007 07:19 AM
Scott
Glad you got it working and thanks for letting me know.
Weirdly the solution Cisco gave you was one of the first things i tried in my lab but i seemed to get very inconsistent results. I guess it could have been something else in the lab setup.
Anyway thanks for letting me know
Jon
08-15-2007 08:50 AM
Hi
I'm not sure what the following statement is meant to achieve
static (outside,inside) 192.168.0.109 192.168.0.109
Is 192.168.0.109 on the inside of the pix which it seems to be from the config ?
Jon
08-15-2007 09:05 AM
Yes, the 192.168.0.109 address is on the inside.
Forgive my ignorance, but I though with static translations, I need to translate from the outside interface to the inside interface AND from the Inside interface to the outside.
Is this not the case?
I want folks from the outside to translate to the 192.168.0.109 address and any connections that originate from the inside to use the x.x.x.109 address.
08-15-2007 09:26 AM
Hi
No you don't need this statement.
static (inside,outside) x.x.x.109 80 192.168.0.109 80
means
From the outside you can access the 192.168.0.109 server on port 80 by connecting to x.x.x.109 on port 80.
It also translates the the 192.168.0.109 server to x.x.x.109 when it connects out.
static (outside,inside) syntax is usually used for translating source IP addresses.
HTH
Jon
08-15-2007 09:44 AM
Thanks for the info Jon.
I removed the statement as you suggested, cleared xlate, and tried my scenario.
Unfortunately, it still doesn't work.
Inbound connections are redirected to the correct port. However, as soon as I start an outbound connection (browser to Internet) from the machine, it grabs an address from my global pool. At that time, any future inbound connections are unsuccessful. If I clear xlate, then things resume normally.
I know with PAT, once I specifically redirect a port, I must use additional static statements for any other ports I want opened. But what tells the PIX to use the address I defined when it is outbound?
I never had this problem until I started to redirect one port to another. As you might guess, I had many individuals attempting logins on my SQL server with the standard port. Since I've redirected the ports, this has ended, yet I have this new problem...
Thanks in advance.
Scott
08-15-2007 09:53 AM
Scott
you are translating the x.x.x.109 address to 192.168.0.109 for all the ports so why not just have one static statement
static (inside,outside) x.x.x.109 192.168.0.109 netmask 255.255.255.255
Jon
08-15-2007 10:17 AM
And then restrict which ports you want open with ACL's.
08-15-2007 12:10 PM
I did have it the way you suggested. The problem is that is I do as you suggest, and open the port for SQL (1433), everyone attempts to hack into my SQL database.
By using port redirection, 7505 ---> 1433, it makes it a little tougher for someone on the outside. They don't know it is an SQL port.
08-15-2007 12:12 PM
If there is a better way to do this, then please let me know
08-15-2007 12:19 PM
The PIX/ASA has an sql inspection engine to prevent attacks. If you want to use a different port, then change the port in the SQL server and then allow that port.
Check this link:
08-15-2007 12:38 PM
Scott
if you are using a different port than the standard SQL port then who are your users ? How do you communciate to them that they have to connect to a different port ?
The problem is the any. Is this because your users can access the server from any IP address ?
Jon
08-15-2007 12:47 PM
My users are customers that hit the SQL server from a website we've developed. I can easily control what port they connect to, so for this reason, changing the port isn't an issue. My main concern is the bozo's that find an open SQL port and attempt to access the SQL database through the standard SA, ADMIN, or Root accounts. My logs show 5-6 attempts per second at guessing the password for these accounts. We've hardened the system by disabling these common accounts, but I was hoping that redirecting the port would cure most of the attempts. Once I added the static statement to change the port numbers, the entries in the log stopped. As I posted the issue is when I create an outgoing connection from the server. All I have to do is open a browser and access a webpage, and it uses an address from the NAT pool instead of the static address I want.
An option is to change the actual port that SQL operates on, but I was hoping I wouldn't have too.
08-15-2007 12:50 PM
Scott
If the users are coming from a website you have developed do you not know the source IP address that is making the query against your SQL server.
Is it the customer IP addresses or does your web server make the request on their behalf ?
Jon
08-15-2007 12:55 PM
I stand corrected. It is not a website, but software that is developed. The source addresses will vary. Our developers can make the connection using any port. By using a port other than 1433, and redirecting it, I minimize the attacks.
08-15-2007 01:00 PM
Okay, just though it might be worth pursuing.
I can probably guess the answer :) but i don't suppose you have any spare public IP addresses ?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: