ASA5520 rule for database network

Apr 16th, 2008

Could anyone advise: if I have a database server subnetwork behind an ASA5520 box (the application servers are not behind the ASA5520), what rules do I basically need to add?

What if the servers are Unix servers, and what if the servers are Windows servers?

Any comments will be appreciated.

Thanks in advance

JORGE RODRIGUEZ Wed, 04/16/2008 - 21:35

It depends what type of database. For example, we have a SQL database; for apps to talk to SQL database servers across the firewall, I opened TCP port 1433, which is the SQL TCP port needed for client apps or servers that need to talk to the SQL database server. Basically, you need to find out what database you are running and what their required TCP ports are that need to be opened in the firewalls.




julxu Wed, 04/30/2008 - 19:01

Jorge, great thanks.

Except for certain ports, I also need to get something which Unix boxes always do: allow all the communication sessions originally issued by the DB server itself.

Could you and other experts advise me how I can do this on the ACL?

Thanks in advance.

kapish.mohole Wed, 04/30/2008 - 21:03
Basically, you need to understand what flows in your network and how.

If you collect certain details and study your application and DB software to understand their connection initiation and necessity, it will give you a better picture of the flow map with port numbers.

Then, according to this, prepare access lists on both interfaces. The ports you need to open will depend on the application and DB software, not really on the OS type, unless they have any independent communication requirement outside of the app and DB. While placing access lists, you can always put a permit line between those two subnets and then a deny any-to-any line.
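Putting Jorge's port-1433 rule and the permit-then-deny layout on both interfaces into ASA configuration, as an added example that is not from this thread; the subnets, object-group names and ACL names are constructed assumptions, and the inside ACL covers julxu's case of sessions the DB server itself originates:

```cisco
! Added example, not from the thread. Assumed addressing (constructed):
!   inside  = 10.10.20.0/24 database servers (behind the ASA)
!   outside = 10.10.10.0/24 application servers (not behind the ASA)
!   tcp/1433 = SQL Server listener, the port Jorge's reply opened
!
! Name the two subnets once so the rules stay readable.
object-group network APP_SERVERS
 network-object 10.10.10.0 255.255.255.0
object-group network DB_SERVERS
 network-object 10.10.20.0 255.255.255.0

! Inbound on the outside interface: only the app subnet may reach the
! DB subnet, and only on the database port; everything else is denied
! and logged. The ASA is stateful, so replies to these sessions need
! no separate rule.
access-list OUTSIDE_IN extended permit tcp object-group APP_SERVERS object-group DB_SERVERS eq 1433
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Outbound on the inside interface: sessions the DB servers originate
! toward the app subnet. Restrict the destination to the app subnet
! rather than "any", then deny the rest.
access-list INSIDE_OUT extended permit tcp object-group DB_SERVERS object-group APP_SERVERS
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

Applying an ACL to the inside interface replaces the ASA's default higher-to-lower-security permit, so anything else the DB servers must reach outbound (DNS, time, patch servers) has to be added to INSIDE_OUT explicitly.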