NAT port 1433 (SQL) from dmz to inside server


Hi All,


I am new to the ASA and trying to set up NAT to allow a web server to access port 1433 on an inside SQL server. I have been able to successfully use the static NAT command to open ports 80 and 443 from the outside interface to the dmz, but can't seem to figure out dmz --> inside.

Trying to allow SQL access from the web server to the SQL box on the inside network.


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0

global (outside) 1 x.x.x.200-x.x.x.245 netmask 255.255.255.0
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0


Web server: 10.10.1.10
SQL box: 192.168.0.11
10.10.1.11: open (unused) address on the dmz subnet

static (inside,dmz) 192.168.0.11 10.10.1.11 netmask 255.255.255.255

access-list DMZtoInside extended permit tcp host 10.10.1.10 host 10.10.1.11 eq 1433
access-group DMZtoInside in interface dmz


Any suggestions?


Thanks in advance

Zuke


JORGE RODRIGUEZ Tue, 12/11/2007 - 18:10

You could change the static as:

static (inside,dmz) 192.168.0.11 192.168.0.11 netmask 255.255.255.255

ACL:

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-group DMZtoInside in interface dmz


HTH

Jorge

Hi Jorge,


Thanks for your response. That worked for allowing the server to access port 1433.

However, when I applied the access-group

access-group DMZtoInside in interface dmz

the server 10.10.1.10 in the dmz could no longer perform an nslookup, e.g. no outbound mail.

The log shows:

4 Dec 12 2007 10:44:03 106023 10.10.1.10 66.93.87.2 Deny udp src dmz:10.10.1.10/1027 dst outside:66.93.87.2/53 by access-group "DMZtoInside" [0x0, 0x0]

Did I miss something?


Cheers - Zuke


JORGE RODRIGUEZ Wed, 12/12/2007 - 10:30

Where does your DNS server sit, on the inside interface or outside?

acomiskey Wed, 12/12/2007 - 10:55

You want to do something like this...

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside permit ip any any
access-group DMZtoInside in interface dmz
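The behaviour behind the 106023 denial above is first-match evaluation plus the implicit deny at the end of any access-group applied to an interface: once an ACL is bound inbound on dmz, the security-level-based permit from dmz (50) to outside (0) no longer applies, and anything the ACL does not explicitly permit is dropped. The following is an added example, not code from the thread or from Cisco, that models that evaluation in Python and runs the original one-line ACL and the corrected three-line ACL against the SQL session, the DNS lookup from the syslog line, and a constructed attempt from the web server at another inside host. The parser, the `evaluate` function and the sample flows are assumptions made for the illustration; they cover only the ACE forms used in this thread.

```python
"""First-match evaluator for the ASA-style extended ACLs in this thread.

Constructed example: models an access-group applied inbound on an interface,
where the first matching ACE decides and no match means implicit deny.
Only the ACE syntax used in the thread is parsed: permit/deny, ip/tcp/udp,
'any' | 'host X' | 'X MASK' for source and destination, optional 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches any protocol), "tcp" or "udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse 'any' | 'host X' | 'X MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmask notation, e.g. 192.168.0.0/255.255.255.0
    return IPv4Net(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 2                               # skip 'access-list' and the ACL name
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    i += 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching ACE, or 'deny' (implicit deny)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The ACL as first applied (Jorge's single ACE) and acomiskey's corrected version.
ORIGINAL_ACL = [parse_ace(l) for l in [
    "access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433",
]]
FIXED_ACL = [parse_ace(l) for l in [
    "access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433",
    "access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0",
    "access-list DMZtoInside permit ip any any",
]]

# Sample flows (constructed): the SQL session, the DNS query from the 106023
# syslog line, and an attempt from the web server at a different inside host.
FLOWS = {
    "sql": ("tcp", "10.10.1.10", "192.168.0.11", 1433),
    "dns": ("udp", "10.10.1.10", "66.93.87.2", 53),
    "inside_other": ("tcp", "10.10.1.10", "192.168.0.20", 445),
}


def results(acl: List[Ace]) -> dict:
    """Evaluate every sample flow against one ACL; keys are the flow names."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, results(acl))
```

With the original one-line ACL the DNS flow falls through to the implicit deny, which is exactly what the 106023 message reported; with the corrected ACL it is permitted by the final `permit ip any any`, while traffic to any other inside host still hits the `deny ip any 192.168.0.0 255.255.255.0` line first. Two caveats for a real deployment: the deny line must stay above the permit-any line, since the first match wins, and on ASA 8.3 and later the NAT syntax changed to object-based NAT and ACLs are written against real (untranslated) addresses, so the pre-8.3 `static (inside,dmz)` form shown in this thread does not carry over unchanged.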
