I need to do custom service traffic inspection for a SQL server on the inside interface that communicates with the DMZ interface server.
I need INSIDE users to access (http/https and another site on port 100) my web server (DMZ), which has a service that accesses the SQL server to authenticate on port tcp 1433, and the SQL server responds on a dynamic port.
How can I inspect this traffic while maintaining the default inspection on the inside interface?
I am not quite sure I understand the question or what you would want the ASA to do.
The most typical situation related to SQL that people have had with the ASA has been a problem with connection timeouts on the ASA. In those situations we have had to build a specific rule for SQL traffic to either make its timeout longer or configure a TCP keepalive for it.
Again, I am not sure what you want the ASA to do for you in this situation.
In the DMZ I have a web server, and when a user wants to log in to the page, the page makes a connection to the SQL server in the INSIDE network.
Another important fact is that the web server contacts the SQL server through tcp 1433 and udp 1434, but the SQL server answers on a dynamic port.
So I need to insert a permit for that traffic from DMZ to the inside network. But I don't know why the SQL server doesn't answer when I make an ACL permitting traffic from DMZ to inside on the ports indicated above.
So I thought of a custom class map with service port. But I found little/no documentation on doing that. And I have other situations that need this procedure. Ex: on the inside interface I have software with updates on port 5577, not configurable.
So I need to inspect non-default traffic with a class map.
DMZ server initiates connection to Internal server
Internal server initiates connection to DMZ server
I can't comment much on how the actual web server and SQL server operate, but the connections formed between them should be possible by simply making sure that the ACLs allow the traffic and there is nothing else preventing these connections from forming on the firewall.
I am not sure though why the web server forms a connection to the SQL server and then the SQL server opens a new connection to the web server?
What is the device you are using as a firewall? Is it a Cisco ASA5505, perhaps? On an ASA5505, having only a Base License would mean that you would be allowed to have only 3 VLANs, one of which would be limited from connecting to one of the 2 other VLANs with the command "no forward interface interface Vlanx".
If you are using an ASA5505 then the above might be preventing the DMZ from contacting the internal network. It's a bit far-fetched, but I thought I'd point it out.
I don't think you can use the MPF on the ASA to affect what is allowed between your 2 different network segments. To my understanding it is used to modify already-allowed connections, like changing timeouts and connection limits.
If you have problems with connectivity between different ASA firewall interfaces, I would suggest first opening the ASDM monitoring view with an appropriate logging level and then attempting these connections to see what is failing according to the logs.
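As an added example (not from either poster), a minimal ASA configuration showing the two mechanisms the replies distinguish: an interface ACL that decides whether the web server's SQL traffic is permitted into the inside network, and an MPF class that only tunes an already-permitted connection's idle timeout, plus the logging needed to see denies. Object names, interface name and addresses are constructed placeholders.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! 1. Interface ACL: this is what allows DMZ -> inside SQL traffic at all.
object network WEB_DMZ
 host 192.0.2.10
object network SQL_INSIDE
 host 192.168.1.20
access-list DMZ_IN extended permit tcp object WEB_DMZ object SQL_INSIDE eq 1433
access-list DMZ_IN extended permit udp object WEB_DMZ object SQL_INSIDE eq 1434
! Everything else from the DMZ is dropped and logged (syslog %ASA-4-106023),
! so a blocked SQL attempt is visible in ASDM Monitoring > Logging.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
! The SQL server's replies from a dynamic port belong to the same stateful
! connection, so no reverse ACE is needed on the inside interface. Only a
! NEW connection opened by the SQL server toward the web server would need
! its own permit on the inside interface's ACL.
!
! 2. MPF: cannot permit traffic; it modifies connections already allowed above,
!    e.g. a longer idle timeout for long-lived SQL sessions.
access-list SQL_CONN extended permit tcp object WEB_DMZ object SQL_INSIDE eq 1433
class-map SQL_CONN
 match access-list SQL_CONN
policy-map global_policy
 class SQL_CONN
  set connection timeout idle 2:00:00
!
! 3. Logging level high enough for ACL denies to appear in ASDM / "show logging".
logging enable
logging buffered informational
logging asdm informational
```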