12-11-2007 04:19 PM - edited 03-11-2019 04:42 AM
Hi All,
I am new to the ASA and trying to set up NAT to allow a web server to access port 1433 on an inside sql server. I have been able to successfully use the static nat command to open port 80 and 443 from the outside interface to the dmz but can't seem to figure out dmz--> inside.
Trying to allow sql access from webserver to SQL box on inside network
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.1.1 255.255.255.0
global (outside) 1 x.x.x.200-x.x.x.245 netmask 255.255.255.0
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
web server is 10.10.1.10
sql box 192.168.0.11
10.10.1.11 open address on dmz subnet
static (inside,dmz) 192.168.0.11 10.10.1.11 netmask 255.255.255.255
access-list DMZtoInside extended permit tcp host 10.10.1.10 host 10.10.1.11 eq 1433
access-group DMZtoInside in interface dmz
Any suggestions?
Thanks in advance
Zuke
12-11-2007 06:10 PM
You could change the static as:
static (inside,dmz) 192.168.0.11 192.168.0.11 netmask 255.255.255.255
ACL
access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-group DMZtoInside in interface dmz
HTH
Jorge
12-12-2007 10:16 AM
Hi Jorge,
Thanks for your response. That worked for allowing the server to access the 1433 port.
However, when I applied the access-group
access-group DMZtoInside in interface dmz
the server 10.10.1.10 in the dmz could no longer perform an nslookup, e.g. no mail outbound
Log shows
4 Dec 12 2007 10:44:03 106023 10.10.1.10 66.93.87.2 Deny udp src dmz:10.10.1.10/1027 dst outside:66.93.87.2/53 by access-group "DMZtoInside" [0x0, 0x0]
Did I miss something?
Cheers - Zuke
12-12-2007 10:30 AM
Where does your DNS server sit, on the inside interface or outside?
12-12-2007 10:55 AM
You want to do something like this...
access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside permit ip any any
access-group DMZtoInside in interface dmz
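Why the single ACE broke DNS and why the three-line list fixes it, shown as an added Python example (not from the thread or from Cisco): an ACL applied inbound on the dmz interface is evaluated top-down for every flow entering that interface, whichever interface the flow leaves by, and a flow that matches no entry hits the implicit deny. The 192.168.0.20 host and the port 445 flow are constructed for the illustration and do not appear in the thread.

```python
# Minimal first-match ACL evaluator for the subset of ASA syntax used in this
# thread (added example, not from the thread or from Cisco).
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any destination port

def _addr(tok):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}"), tok[2:]   # ASA uses netmasks

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(tok[0], tok[1], src, dst, dport)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the ASA's implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                and e.dport in (None, dport)):
            return e.action
    return "deny"

# The single ACE from the first reply, and the three-line list from the fix.
ONE_LINE = [parse_ace("access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433")]
FIXED = [parse_ace(l) for l in (
    "access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433",
    "access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0",
    "access-list DMZtoInside permit ip any any")]
# Flows: the DNS lookup the log shows being denied, the SQL session, and a
# constructed attempt at another inside host (192.168.0.20 is not in the thread).
DNS = ("udp", "10.10.1.10", "66.93.87.2", 53)
SQL = ("tcp", "10.10.1.10", "192.168.0.11", 1433)
OTHER = ("tcp", "10.10.1.10", "192.168.0.20", 445)
```

With ONE_LINE the DNS flow is denied, exactly as the 106023 log line reports; with FIXED, DNS is permitted while the SQL entry still allows only port 1433 and the deny keeps the rest of 192.168.0.0/24 out of reach from the DMZ.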
12-12-2007 11:09 AM
That worked.
Thanks for everyone's help.
Cheers - Zuke