cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1635
Views
0
Helpful
20
Replies

Connection issue

sgoethals1
Level 1
Level 1

Hi Folks,

I recently made some changes on our firewall to use port redirection. Essentially, I wanted to use a different port for people on the outside to connect to my SQL server. Thanks to those that answered my post, everthing works great.

However, I noticed that if someone on the local network uses the server (the one the changes effect) to make a connection to the Internet, suddenly, no one one on the outside can connect to the machine. I have to clear the XLATE table before it accepts connections. (all other connections are fine)

I examined the xlate table and it appears that when an outbound connection is made, it uses one of my global addresses instead of the static address I setup.

I've posted a partial config and xlate table for review. If someone could let me know what I did wrong, I would appreciate it...Thanks

access-list outside_access_in permit tcp any host x.x.x.109 eq 7505

access-list outside_access_in permit tcp any host x.x.x.109 eq 7506

access-list outside_access_in permit tcp any host x.x.x.109 eq pcanywhere-data

access-list outside_access_in permit tcp any host x.x.x.109 eq 5632

access-list outside_access_in permit tcp any host x.x.x.109 eq www

access-list outside_access_in permit tcp any host x.x.x.109 eq https

static (inside,outside) tcp x.x.x.109 5632 192.168.0.109 5632 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 pcanywhere-data 192.168.0.109 pcanywhere-data netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 7505 192.168.0.109 1433 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 7506 192.168.0.109 1434 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 www 192.168.0.109 www netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 https 192.168.0.109 https netmask 255.255.255.255 0 0

static (outside,inside) 192.168.0.109 x.x.x.109 netmask 255.255.255.255 0 0

XLATE Connection (partial)

PAT Global x.x.x.109(80) Local 192.168.0.109(80)

Global x.x.x.111 Local 192.168.0.109

The above global statement should use the same .109 address when a connection is made to the outside, but for some reason it grabs one of the addresses from my dynamic pool (it starts at 110).

1 Accepted Solution

Accepted Solutions

Scott

Glad you got it working and thanks for letting me know.

Weirdly the solution Cisco gave you was one of the first things i tried in my lab but i seemed to get very inconsistent results. I guess it could have been something else in the lab setup.

Anyway thanks for letting me know

Jon

View solution in original post

20 Replies 20

Jon Marshall
Hall of Fame
Hall of Fame

Hi

I'm not sure what the following statement is meant to achieve

static (outside,inside) 192.168.0.109 192.168.0.109

Is 192.168.0.109 on the inside of the pix which it seems to be from the config ?

Jon

Yes, the 192.168.0.109 address is on the inside.

Forgive my ignorance, but I though with static translations, I need to translate from the outside interface to the inside interface AND from the Inside interface to the outside.

Is this not the case?

I want folks from the outside to translate to the 192.168.0.109 address and any connections that originate from the inside to use the x.x.x.109 address.

Hi

No you don't need this statement.

static (inside,outside) x.x.x.109 80 192.168.0.109 80

means

From the outside you can access the 192.168.0.109 server on port 80 by connecting to x.x.x.109 on port 80.

It also translates the the 192.168.0.109 server to x.x.x.109 when it connects out.

static (outside,inside) syntax is usually used for translating source IP addresses.

HTH

Jon

Thanks for the info Jon.

I removed the statement as you suggested, cleared xlate, and tried my scenario.

Unfortunately, it still doesn't work.

Inbound connections are redirected to the correct port. However, as soon as I start an outbound connection (browser to Internet) from the machine, it grabs an address from my global pool. At that time, any future inbound connections are unsuccessful. If I clear xlate, then things resume normally.

I know with PAT, once I specifically redirect a port, I must use additional static statements for any other ports I want opened. But what tells the PIX to use the address I defined when it is outbound?

I never had this problem until I started to redirect one port to another. As you might guess, I had many individuals attempting logins on my SQL server with the standard port. Since I've redirected the ports, this has ended, yet I have this new problem...

Thanks in advance.

Scott

Scott

you are translating the x.x.x.109 address to 192.168.0.109 for all the ports so why not just have one static statement

static (inside,outside) x.x.x.109 192.168.0.109 netmask 255.255.255.255

Jon

And then restrict which ports you want open with ACL's.

I did have it the way you suggested. The problem is that is I do as you suggest, and open the port for SQL (1433), everyone attempts to hack into my SQL database.

By using port redirection, 7505 ---> 1433, it makes it a little tougher for someone on the outside. They don't know it is an SQL port.

If there is a better way to do this, then please let me know

The PIX/ASA has an sql inspection engine to prevent attacks. If you want to use a different port, then change the port in the SQL server and then allow that port.

Check this link:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1347071

Scott

if you are using a different port than the standard SQL port then who are your users ? How do you communciate to them that they have to connect to a different port ?

The problem is the any. Is this because your users can access the server from any IP address ?

Jon

My users are customers that hit the SQL server from a website we've developed. I can easily control what port they connect to, so for this reason, changing the port isn't an issue. My main concern is the bozo's that find an open SQL port and attempt to access the SQL database through the standard SA, ADMIN, or Root accounts. My logs show 5-6 attempts per second at guessing the password for these accounts. We've hardened the system by disabling these common accounts, but I was hoping that redirecting the port would cure most of the attempts. Once I added the static statement to change the port numbers, the entries in the log stopped. As I posted the issue is when I create an outgoing connection from the server. All I have to do is open a browser and access a webpage, and it uses an address from the NAT pool instead of the static address I want.

An option is to change the actual port that SQL operates on, but I was hoping I wouldn't have too.

Scott

If the users are coming from a website you have developed do you not know the source IP address that is making the query against your SQL server.

Is it the customer IP addresses or does your web server make the request on their behalf ?

Jon

I stand corrected. It is not a website, but software that is developed. The source addresses will vary. Our developers can make the connection using any port. By using a port other than 1433, and redirecting it, I minimize the attacks.

Okay, just though it might be worth pursuing.

I can probably guess the answer :) but i don't suppose you have any spare public IP addresses ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: