NAT port 1433 (SQL) from dmz to inside server

mark.michini
Level 1

Hi All,

I am new to the ASA and trying to set up NAT to allow a web server to access port 1433 on an inside SQL server. I have been able to successfully use the static nat command to open ports 80 and 443 from the outside interface to the dmz, but I can't seem to figure out dmz --> inside.

Trying to allow SQL access from the web server to the SQL box on the inside network. Current config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0

global (outside) 1 x.x.x.200-x.x.x.245 netmask 255.255.255.0
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

Web server is 10.10.1.10
SQL box is 192.168.0.11
10.10.1.11 is an open address on the dmz subnet

static (inside,dmz) 192.168.0.11 10.10.1.11 netmask 255.255.255.255
access-list DMZtoInside extended permit tcp host 10.10.1.10 host 10.10.1.11 eq 1433
access-group DMZtoInside in interface dmz

Any suggestions?

Thanks in advance

Zuke

5 Replies

JORGE RODRIGUEZ
Level 10

You could change the static as:

static (inside,dmz) 192.168.0.11 192.168.0.11 netmask 255.255.255.255

ACL:

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-group DMZtoInside in interface dmz

HTH

Jorge

Jorge Rodriguez

Hi Jorge,

Thanks for your response. That worked for allowing the server to access port 1433.

However, when I applied the access-group

access-group DMZtoInside in interface dmz

the server 10.10.1.10 in the dmz could no longer perform an nslookup, e.g. no mail outbound.

Log shows

4 Dec 12 2007 10:44:03 106023 10.10.1.10 66.93.87.2 Deny udp src dmz:10.10.1.10/1027 dst outside:66.93.87.2/53 by access-group "DMZtoInside" [0x0, 0x0]

Did I miss something?

Cheers - Zuke

Where does your DNS server sit, on the inside interface or outside?

Jorge Rodriguez

You want to do something like this...

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside permit ip any any
access-group DMZtoInside in interface dmz
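As an added illustration, not part of the thread: a small Python model of the ASA's first-match ACL evaluation (first matching entry wins, no match means implicit deny), run over the two versions of DMZtoInside posted above. It shows why the DNS flow from the 106023 log message falls through to the implicit deny under the single-line ACL, and why the deny for 192.168.0.0/24 has to sit before permit ip any any. The 192.168.0.12 probe flow is a constructed example; that host is not in the thread.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")   # proto is "tcp" or "udp"

def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()[2:]                      # drop 'access-list NAME'
    if t[0] == "extended":
        t = t[1:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl, flow):
    """Action of the first matching ACE; no match is the ASA's implicit deny."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if proto != "ip" and proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in src or ipaddress.ip_address(flow.dst) not in dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return action
    return "deny (implicit)"

# The two versions of DMZtoInside posted in the thread.
ACL_FIRST = ["access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433"]
ACL_FINAL = ACL_FIRST + [
    "access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0",
    "access-list DMZtoInside permit ip any any",
]

# Flows: the SQL session, the DNS lookup from the posted log line, and a
# constructed probe of another inside host (192.168.0.12 is not in the thread).
SQL = Flow("tcp", "10.10.1.10", "192.168.0.11", 1433)
DNS = Flow("udp", "10.10.1.10", "66.93.87.2", 53)
PROBE = Flow("tcp", "10.10.1.10", "192.168.0.12", 80)
```

Under ACL_FIRST the DNS flow returns the implicit deny (what the log showed); under ACL_FINAL it is permitted, while the probe of 192.168.0.12 is still explicitly denied.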

That worked.

Thanks for everyone's help.

Cheers - Zuke
