Microsoft SQL and Ports for Outside Access to DMZ

May 4th, 2002

I need to know how to open up the proper ports on my PIX 515 v6.2(1) to work with my Microsoft SQL server which is hosted from my DMZ.

I imagine it is a port opening problem and I have opened port 1433 but it does not work.


I have already created the static and conduit rules mapping the private to public IP addresses and have made the proper DNS entries for the SQL server but when I try to create a system DSN I keep getting an error.


Can anyone please help?

Regards,

Benjamin Saenz

gradosavljevic Wed, 05/08/2002 - 15:05

I believe that you are on the right track. In order to find out what ports are used, even though 1433 should be enough, do this from a DMZ if possible, but it can be done from the outside, as it only takes a minute; just do not forget to patch the hole...


1) Change your conduit to accept *all* IP traffic


2) Use a PC which is located on the outside (or DMZ) and connect to the SQL server


3) As we now accept all IP traffic this should work; if not, there is something else wrong.


4) At the same time you access the SQL server from the outside, have a telnet session to the PIX ready and issue the following command:


show conn local xxx.xxx.xxx.xxx


where xxx.xxx.xxx.xxx is the "real" IP address of your SQL server. This command will show you what ports are used in this communication.


5) Adjust your conduit according to your findings in step 4 so that it does *ONLY* allow the needed ports.


I hope this works for you.

Goran
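
Steps 4 and 5 of the reply above, as an added example that is not part of the original thread: Python that reads saved `show conn local` output and derives the narrowed conduit lines from the server ports actually seen. The output line layout, the sample lines, the addresses and the outbound-connection heuristic are assumptions.

```python
import re
from collections import Counter

# Assumed line layout: "<PROTO> out <foreign>:<port> in <local>:<port> idle ..."
CONN = re.compile(r"^(TCP|UDP) out ([\d.]+):(\d+) in ([\d.]+):(\d+)\b")

# Constructed sample output; addresses are from documentation ranges.
SAMPLE = """\
4 in use, 7 most used
TCP out 198.51.100.23:3412 in 192.168.10.5:1433 idle 0:00:04 Bytes 5120 flags UIOB
TCP out 198.51.100.40:2201 in 192.168.10.5:1433 idle 0:00:01 Bytes 880 flags UIOB
TCP out 203.0.113.80:80 in 192.168.10.5:1067 idle 0:00:30 Bytes 300 flags UIO
UDP out 203.0.113.53:53 in 192.168.10.5:1045 idle 0:00:09 flags D
"""

def inbound_services(show_conn_text, local_ip):
    """Count (protocol, server port) pairs that clients connected to on local_ip."""
    seen = Counter()
    for line in show_conn_text.splitlines():
        m = CONN.match(line.strip())
        if not m or m.group(4) != local_ip:
            continue  # header line, unparsable line, or another host
        proto, fport, lport = m.group(1).lower(), int(m.group(3)), int(m.group(5))
        # Heuristic (assumption): a well-known foreign port paired with a high
        # local port is a connection the server opened itself, not a service.
        if fport < 1024 <= lport:
            continue
        seen[(proto, lport)] += 1
    return seen

def narrowed_conduits(services, global_ip):
    """Build one 'conduit permit' line per observed service, sorted for review."""
    return [f"conduit permit {proto} host {global_ip} eq {port} any"
            for proto, port in sorted(services)]

if __name__ == "__main__":
    found = inbound_services(SAMPLE, "192.168.10.5")
    # 192.0.2.10 stands in for the server's public (global) address.
    for line in narrowed_conduits(found, "192.0.2.10"):
        print(line)
```

The conduit lines take the server's public (static-mapped) address, while `show conn local` is queried with the real DMZ address, so the two are passed separately.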

bsaenz Thu, 05/09/2002 - 07:39

Thank you very much for your response. As it turns out, the port 1433 was the only one necessary, as I needed to reload the PIX for it to take effect.


All is working well.


However, please post the exact command to allow all IP traffic in so I can troubleshoot other connections in the future.


You mention "1) Change your conduit to accept *all* IP traffic" and I need the exact example:


conduit permit TCP etc...


Many thanks for your response.


Regards,

Ben
