Allow SQL traffic from dmz host to internal SQL server

djames
Level 1

I have a webserver (192.168.10.2) on a DMZ network off of an ASA 5510 7.1(2). It needs to communicate with a MSSQL server (10.10.4.48) on the internal network. What ports, if any, other than tcp 1433 do I need to allow this to happen? I have tried tcp 1433 both ways and the webserver is still not able to access the SQL database on the internal network.

4 Replies

t-heeter
Level 1

Is there any communication at all?

You may be missing a static (inside,DMZ) statement.

m.sir
Level 7

For PIX low-security to high-security traffic, it must meet two requirements:

1. acl permitted static command configured

2. static command configured

It seems you have already permitted communication with the ACL.

You need the following static command; it's so-called identity NAT:

static (inside,dmz) 10.10.4.48 10.10.4.48 netmask 255.255.255.255

M.

Hope that helps; rate if it does.

I already have the static map configured. My internal subnetmask is a /23 and my dmz is a /24. My static map is:

static (Inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.254.0

I have an ACL access-list INSIDE extended permit tcp host 192.168.10.2 host 10.10.4.48 eq 1433. Is there something I am missing? For testing purposes I would like to be able to 'ping' 10.10.4.48 from 192.168.10.2 as well.

Is access-list INSIDE applied to DMZ interface?

access-group INSIDE in interface DMZ
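
Added example (not part of the thread or any poster's reply): a small Python check of the two requirements the replies name, a static covering the inside host and a permitting ACL that is actually bound inbound to the DMZ interface. The sample configuration is constructed from the lines quoted above; `check_path` and its parameters are hypothetical names, and only the literal `host A host B eq N` ACL form is parsed.

```python
import ipaddress
import re

# Constructed sample assembled from the lines quoted in the thread.
SAMPLE_CONFIG = """\
static (Inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.254.0
access-list INSIDE extended permit tcp host 192.168.10.2 host 10.10.4.48 eq 1433
access-group INSIDE in interface DMZ
"""

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp host (\S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def check_path(config, src, dst, port, low_if, high_if):
    """Return a list of findings; an empty list means both requirements are met."""
    static_ok = False
    permitting_acls = set()   # ACL names with an entry permitting the flow
    bound_acls = set()        # ACL names applied inbound on the low-security interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.fullmatch(line):
            real_if, mapped_if, mapped_ip, _real_ip, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
            # Interface names are compared case-insensitively (simplification).
            if (real_if.lower(), mapped_if.lower()) == (high_if.lower(), low_if.lower()) \
                    and ipaddress.ip_address(dst) in net:
                static_ok = True
        elif m := ACL_RE.fullmatch(line):
            name, a_src, a_dst, a_port = m.groups()
            if (a_src, a_dst, a_port) == (src, dst, str(port)):
                permitting_acls.add(name)
        elif m := GROUP_RE.fullmatch(line):
            if m.group(2).lower() == low_if.lower():
                bound_acls.add(m.group(1))
    findings = []
    if not static_ok:
        findings.append(f"no static ({high_if},{low_if}) entry covers {dst}")
    if not permitting_acls:
        findings.append(f"no ACL entry permits tcp {src} -> {dst}:{port}")
    elif not permitting_acls & bound_acls:
        names = ", ".join(sorted(permitting_acls))
        findings.append(f"ACL {names} permits the flow but is not applied inbound on {low_if}")
    return findings


if __name__ == "__main__":
    print(check_path(SAMPLE_CONFIG, "192.168.10.2", "10.10.4.48", 1433, "DMZ", "Inside"))
```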
