Cisco Support Community

New Member

ASA5520 rule for database network

Could anyone advise: if I have a database servers subnetwork behind an ASA5520 box (the application servers are not behind the ASA5520), what rules do I need to add in, basically?

What if the servers are Unix servers, and what if the servers are Windows servers?

Any comments will be appreciated.

Thanks in advance


Re: ASA5520 rule for database network

It depends what type of database. For example, we have a SQL database; for apps that need to cross the firewall to talk to the SQL database servers, I opened TCP port 1433, which is the SQL TCP port needed for client apps or servers talking to a SQL database server. Basically, you need to find out what database it is that you are running and what their required TCP ports are to be opened in the firewalls.




New Member

Re: ASA5520 rule for database network

Jorge, great thanks.

Except for certain ports, I also need to get something which a Unix box always does: allow all the communication sessions originally issued by the DB server itself.

Could you and other experts advise me how I can do this on an ACL?

Thanks in advance.

New Member

Re: ASA5520 rule for database network


Basically, you need to understand what flows in your network and how.

If you collect certain details and study your application and DB software to understand their connection initiation and necessity, it will give you a better picture of the flow map with port numbers.

Then, according to this, prepare access lists on both interfaces. The ports you need to open will depend on the application and DB software, not really on the OS type, unless they have any independent communication requirement outside of the app and DB. While placing access lists, you can always put a permit line between those two subnets and then a deny any to any line.
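The advice in this thread written out as an ASA configuration, added here as an illustration and not posted by any participant. It assumes a constructed layout: the DB subnet 10.20.0.0/24 on an interface named "dbzone" (higher security level), the application servers on 10.10.0.0/24 reached through the "outside" interface (lower security level), and a SQL database on TCP 1433 as in the first reply; the interface names, subnets and the DNS/NTP ports in the outbound list are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumed: dbzone = DB subnet 10.20.0.0/24,
! outside = app subnet 10.10.0.0/24, database listening on TCP 1433.
object-group network APP-SERVERS
 network-object 10.10.0.0 255.255.255.0
object-group network DB-SERVERS
 network-object 10.20.0.0 255.255.255.0
object-group service DB-PORTS tcp
 port-object eq 1433
!
! Inbound list on the lower-security interface: only the app subnet may open
! connections to the DB subnet, and only on the database port. The explicit
! final deny with "log" records anything else that tries to reach the DB subnet.
access-list OUTSIDE-IN extended permit tcp object-group APP-SERVERS object-group DB-SERVERS object-group DB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Sessions initiated by the DB servers themselves (the second post's question):
! the ASA is stateful, so replies to a connection the DB server opened are matched
! against the connection table and need no ACL entry of their own. Without an
! ACL on dbzone, traffic from the higher-security interface is allowed outbound
! by default; the list below instead restricts what the DB servers may open
! (assumed here: DNS and NTP) and logs everything else.
access-list DB-OUT extended permit udp object-group DB-SERVERS any eq 53
access-list DB-OUT extended permit tcp object-group DB-SERVERS any eq 53
access-list DB-OUT extended permit udp object-group DB-SERVERS any eq 123
access-list DB-OUT extended deny ip any any log
access-group DB-OUT in interface dbzone
```

After applying it, `show access-list OUTSIDE-IN` shows per-line hit counts, and `show conn` lists the stateful sessions the DB servers have opened, which is how to confirm that returning traffic is being matched rather than blocked.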