NAT port 1433 (SQL) from dmz to inside server


Hi All,

I am new to the ASA and trying to set up NAT to allow a web server to access port 1433 on an inside sql server. I have been able to successfully use the static nat command to open port 80 and 443 from the outside interface to the dmz but can't seem to figure out dmz--> inside.

Trying to allow sql access from webserver to SQL box on inside network

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0

global (outside) 1 x.x.x.200-x.x.x.245 netmask 255.255.255.0
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

web server is 10.10.1.10
sql box is 192.168.0.11
10.10.1.11 is an open address on the dmz subnet

static (inside,dmz) 192.168.0.11 10.10.1.11 netmask 255.255.255.255
access-list DMZtoInside extended permit tcp host 10.10.1.10 host 10.10.1.11 eq 1433
access-group DMZtoInside in interface dmz

Any suggestions?

Thanks in advance

Zuke

JORGE RODRIGUEZ Tue, 12/11/2007 - 18:10

You could change the static as:

static (inside,dmz) 192.168.0.11 192.168.0.11 netmask 255.255.255.255

ACL

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-group DMZtoInside in interface dmz

HTH

Jorge

Hi Jorge,

Thanks for your response. That worked for allowing the server to access the 1433 port.

However, when I applied the access-group

access-group DMZtoInside in interface dmz

the server 10.10.1.10 in the dmz could no longer perform an nslookup, e.g. no mail outbound.

Log shows

4 Dec 12 2007 10:44:03 106023 10.10.1.10 66.93.87.2 Deny udp src dmz:10.10.1.10/1027 dst outside:66.93.87.2/53 by access-group "DMZtoInside" [0x0, 0x0]

Did I miss something?

Cheers - Zuke

acomiskey Wed, 12/12/2007 - 10:55

You want to do something like this...

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside permit ip any any
access-group DMZtoInside in interface dmz
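Added example, not part of the thread: a small Python model of how the ASA evaluates an inbound access-list (first matching entry wins, and anything left over hits the implicit deny). It replays Jorge's one-line ACL and acomiskey's three-line ACL against the SQL flow, the DNS flow from Zuke's 106023 log line, and one constructed flow (port 3389 to the inside SQL box, not from the thread) to show why the DNS lookups broke and how the deny-then-permit ordering fixes it without opening the inside network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:  # one access-list entry, reduced to the fields this thread uses
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int

def evaluate(acl: List[Ace], flow: Flow) -> str:
    """ASA semantics: the first matching ACE decides; no match is an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(ace.src):
            continue
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"  # the implicit deny that produced the 106023 message

# Jorge's ACL: a single permit, so every other dmz flow falls into the implicit deny.
JORGE_ACL = [Ace("permit", "tcp", "10.10.1.10/32", "192.168.0.11/32", 1433)]
# acomiskey's ACL: permit SQL, block the rest of inside, then let the dmz out.
ACOMISKEY_ACL = [
    Ace("permit", "tcp", "10.10.1.10/32", "192.168.0.11/32", 1433),
    Ace("deny", "ip", "0.0.0.0/0", "192.168.0.0/24"),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
SQL_FLOW = Flow("tcp", "10.10.1.10", "192.168.0.11", 1433)
DNS_FLOW = Flow("udp", "10.10.1.10", "66.93.87.2", 53)         # from the 106023 log line
OTHER_INSIDE = Flow("tcp", "10.10.1.10", "192.168.0.11", 3389)  # constructed: non-SQL port

if __name__ == "__main__":
    for name, acl in (("jorge", JORGE_ACL), ("acomiskey", ACOMISKEY_ACL)):
        for flow in (SQL_FLOW, DNS_FLOW, OTHER_INSIDE):
            print(f"{name}: {flow.proto} -> {flow.dst}:{flow.dport} = {evaluate(acl, flow)}")
```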
