New Member

ASA 5520 and inspection of MSSQL dynamic port.

Hello All.
I need to allow traffic between a web server in the DMZ and MSSQL (Microsoft SQL Server 2008).
MSSQL uses a dynamic port (currently 63796) and this cannot be changed.

Basically, I can allow such traffic using the following configuration:
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796

But I would like to add MSSQL inspection, so I did the following:

class-map class_sqlnet
match port tcp eq 1433
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
class class_sqlnet
  inspect sqlnet
service-policy global_policy global

no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet

However, sh access-list shows no hit counts on the "sqlnet" rule.

access-list dmz_in line 1 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet (hitcnt=0) 0x1364a5d3
access-list dmz_in line 2 extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 (hitcnt=47) 0x92c5bdac

So, where is the mistake, and how can I make the dynamic port work using sqlnet inspection?

Kind Regards,

Alex.

2 REPLIES
Cisco Employee

ASA 5520 and inspection of MSSQL dynamic port.

sqlnet port on the ASA is 1521, not 1433.

Therefore, your original access-list is correct:

access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433

plus the class map that you have already configured.
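Added example, not code from this thread: a small Python checker that parses `show access-list` output like the one posted above, resolves ASA port keywords the way the ASA does (`sqlnet` is 1521, as the reply says), and tests whether the web server's MSSQL connection to TCP/1433 would match any rule. The `show access-list` sample and the keyword table are constructed for this example.

```python
import re

# Constructed sample, modelled on the `show access-list` output in the question.
SHOW_ACL = """\
access-list dmz_in line 1 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet (hitcnt=0) 0x1364a5d3
access-list dmz_in line 2 extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 (hitcnt=47) 0x92c5bdac
"""

# Assumed subset of ASA port keywords; `sqlnet` is 1521 (Oracle SQL*Net), not 1433.
ASA_PORT_NAMES = {"sqlnet": 1521, "www": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}

RULE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp) host (?P<src>\S+) host (?P<dst>\S+) eq (?P<port>\S+) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)

def resolve_port(token):
    """Numeric port or ASA port keyword -> integer (KeyError on an unknown keyword)."""
    return int(token) if token.isdigit() else ASA_PORT_NAMES[token]

def parse_rules(text):
    """Parse host-to-host ACEs; object-group and range ACEs are skipped here."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"line": int(m["line"]), "action": m["action"], "proto": m["proto"],
                          "src": m["src"], "dst": m["dst"], "port_token": m["port"],
                          "port": resolve_port(m["port"]), "hits": int(m["hits"])})
    return rules

def matching_rule(rules, proto, src, dst, dport):
    """First ACE matching the flow, or None for the ASA's implicit deny."""
    for r in rules:
        if (r["proto"], r["src"], r["dst"], r["port"]) == (proto, src, dst, dport):
            return r
    return None

def zero_hit_rules(rules):
    """(line, keyword, resolved port) for ACEs with hitcnt=0, so the mismatch is visible."""
    return [(r["line"], r["port_token"], r["port"]) for r in rules if r["hits"] == 0]

if __name__ == "__main__":
    rules = parse_rules(SHOW_ACL)
    print("zero-hit ACEs:", zero_hit_rules(rules))  # [(1, 'sqlnet', 1521)]
    hit = matching_rule(rules, "tcp", "1.2.3.4", "5.6.7.8", 1433)
    print("web server -> MSSQL tcp/1433:", "permitted" if hit else "implicit deny")
```

Running it shows the `eq sqlnet` ACE only matches TCP/1521, so the 1433 flow falls through to the implicit deny, which is why that line stays at hitcnt=0.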

New Member

Re: ASA 5520 and inspection of MSSQL dynamic port.

..
