506e needing to close port 1433

Sluggofish (Level 1)

I am the most experienced techy here but am admittedly out of my element here with setting the 506e to block port 1433. The SQL server is getting hits from outside. Can someone step me through this?

Do I:

1. create a Access Rule

2. select deny

3. Source Interface: outside All

4. Destination SQL server

5. TCP eq any

6. Destination port eq 1433

Network:

We have people needing to VPN and sync files to the SQL but only through VPN. Another application is the Citrix which people needing to access.

Any help would be greatly appreciated.


acomiskey (Level 10)

If the sql server is getting hit on port 1433 from the outside then there must be a specific rule allowing that traffic. Therefore you would remove the existing permit and it would therefore be denied. Does this help?

I see that there are nine Access Rules. Some I can rule out. I put NA next to the ones I think do not apply; it is intended on my part as trying to understand.

Do you know from this information which I need to change? Is there more than one needing changing?

The services listed are:

1 ip, NA

2 icmp,

3 pptp/tcp,

4 gre, NA

5 https/tcp,

6 http/tcp,

7 3389/tcp, NA previous support group server1

8 3389/tcp, NA previous support group server2

9 smtp/tcp.

Thanks for the quick reply before.

What network is the sql server on, and on which interface of firewall is it attached to?

What is the source of the 1433 traffic you are attempting to deny, and which interface is this coming from on the firewall?

I assume it is coming from outside to inside, but from what you have posted above, sqlnet is not permitted, so this must not be the case. That 1st one isn't permit ip any any is it?

Network:

Cisco 2600

Pix 506e

SBS2003SP2: 216.91.146.162 housing, SQL2005 for CRM, Exchange, and Domain Controller

WinServ2003: Data files and citrix

25 inside clients

15 outside clients

Using Strong Password Encryption

The traffic is from outside. This is what I am getting from the Monitoring report log, which leads me to believe that there is an effort to get into our port 1433. At least that is what I have been told by a security member at Microsoft. They said I had to turn off the 1433 port.

This is the message from the monitoring report:

Login failed for user 'sa'. [CLIENT: 200.123.132.141]

The first one's source is both servers, destination outside:any, interface is inside (outbound), service is ip, description is Implicit outbound rule.

Does this help?

If you could post the textual config that would be great. I think you can get it from the File menu?

Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
**
hostname ETI-FW-01
domain-name et-inc.biz
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.9 ET-SERVER2
name 192.168.10.100 PIX-560e
name 216.x.x.0 SiteTechLLC
name 192.168.10.234 ET-SERVER1
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit gre any any
access-list acl_out permit tcp any any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.162 eq 3389
access-list acl_out permit tcp SiteTechLLC 255.255.255.0 host 216.91.146.163 eq 3389
access-list acl_out permit tcp any host 216.91.146.162 eq smtp
access-list acl_out permit ip any any
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
no pager
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging facility 23
logging queue 8192
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.190 255.255.255.224
ip address inside PIX-560e 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpngroup 192.168.1.1-192.168.1.25
pdm location 192.168.10.2 255.255.255.255 inside
pdm location PIX-560e 255.255.255.255 inside
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 64.255.240.8 255.255.255.255 outside
pdm location 64.255.240.51 255.255.255.255 outside
pdm location 64.255.240.0 255.255.255.0 outside
pdm location ET-SERVER2 255.255.255.255 inside
pdm location SiteTechLLC 255.255.255.0 outside
pdm location ET-SERVER1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 216.91.146.169-216.91.146.189 netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 216.91.146.163 ET-SERVER2 netmask 255.255.255.255 0 0
static (inside,outside) 216.91.146.162 ET-SERVER1 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 216.91.146.161 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 1:00:00 udp 1:00:00 rpc 1:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community ETIpublic
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map etiremote 10 set transform-set myset
crypto map remote 10 ipsec-isakmp dynamic etiremote
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 216.x.x.190 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup etiremote address-pool vpngroup
vpngroup etiremote wins-server 192.168.10.10
vpngroup etiremote default-domain eti-inc.biz
vpngroup etiremote idle-time 1800
vpngroup etiremote password ********
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.255 outside
ssh 64.255.x.x.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:xxxx
: end
[OK]

This line is allowing any from the outside to any on the inside, which is very bad. Remove this one...

access-list acl_out permit ip any any

After you do that the only thing open to ET-SERVER1 from the outside would be icmp, 1723, gre, 443, www, 3389 and smtp. Not sql. You should not see any more sql hits from anywhere outside.
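Added example (Python, not from the thread or from Cisco): a small first-match evaluator for the acl_out entries posted above. It shows that a connection from the logged client to 216.91.146.162 on tcp/1433 is permitted only by the trailing "permit ip any any", and that with that line removed the flow falls through to the implicit deny while the listed services stay open. The SiteTechLLC network is redacted in the post, so 203.0.113.0/24 stands in for it.

```python
import ipaddress
# Added example, not from the thread: a first-match evaluator for the acl_out list
# posted above. SiteTechLLC is redacted there, so 203.0.113.0/24 is a placeholder.
ACL_OUT = """
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq 1723
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp 203.0.113.0 255.255.255.0 host 216.91.146.162 eq 3389
access-list acl_out permit tcp any host 216.91.146.162 eq smtp
access-list acl_out permit ip any any
"""
# Same list with the catch-all removed, as advised in the reply above.
ACL_FIXED = ACL_OUT.replace("access-list acl_out permit ip any any\n", "")
PORT_NAMES = {"www": 80, "smtp": 25}

def _addr(tok, i):
    # One PIX address spec: any | host X | X MASK; returns (network, next index)
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2

def _port(tok, i):
    # Optional "eq PORT"; service names are resolved to numbers
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    # access-list NAME action proto SRC [eq P] DST [eq P] -> list of tuples
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append((tok[2], tok[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    # First match wins; ("deny", 0) is the implicit deny ending every PIX ACL
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, rproto, rsrc, _, rdst, rdport) in enumerate(rules, 1):
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rdport in (None, dport):
            return action, n
    return "deny", 0
```

Running evaluate over both lists with the client address from the "Login failed for user 'sa'" log line makes the difference visible: rule 6 is the only one that ever matched tcp/1433.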

I think that did it. Thanks. I explained to the local person, in charge of networking who is admittedly not IT, and he could not believe that it was set up that way. They are going to go back to the "reputable" service providers and ask why.

On another note. Did you see any reason why we have to reset the 506e to reconnect users to the internet? It happened again today. Someone left the building with their laptop and came in a day or two later, plugged into the network, turned on the laptop and connected to the network. E-mail and local connections are fine, but the only way I can get him Internet access is to power off the unit and turn it back on while he is connected to the Internet. Repairing the network adapter or restarting the laptop does not help either. I do have a post elsewhere in the forum but it has not resolved the issue.

If you do not know that is fine. You have been a great help and quick with responses. Amazingly quick!

Have you looked for a bug or considered upgrading from 6.1?

Kind of funny you should say what you did. Yes, we had a rootkit recently and for how long is anyone's guess. But it seems gone now and all services and applications are working properly. We are looking at reasonable upgrades for the system like adding a box for SQL. We are looking at upgrading and a few ideas. Which model of ASA would you recommend?

Currently, 40 clients with about half accessing via internet to Citrix and VPN for CRM 3.0. Two boxes at this time SBS2003 and Win2003.

I am going to time you this time since you seem to be reading this as I type.

5510 probably. Take a look at this comparison chart if you haven't already.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Oh, and don't forget the new reputable firewall guy :)

Just an FYI, sqlnet is not for SQL TCP 1433 traffic, it's for TCP 1521 Oracle SQLNet traffic.

Ah thanks for the correction, but I did say sql in my last post. :)

no prob, good thing you caught his "permit ip any any" on the outside int.
