NAT port 1433 (SQL) from dmz to inside server

Hi All,

I am new to the ASA and trying to set up NAT to allow a web server to access port 1433 on an inside sql server. I have been able to successfully use the static nat command to open port 80 and 443 from the outside interface to the dmz but can't seem to figure out dmz--> inside.

Trying to allow sql access from webserver to SQL box on inside network

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0

global (outside) 1 x.x.x.200-x.x.x.245 netmask 255.255.255.0
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

web server is 10.10.1.10
sql box is 192.168.0.11
10.10.1.11 is an open address on the dmz subnet

static (inside,dmz) 192.168.0.11 10.10.1.11 netmask 255.255.255.255
access-list DMZtoInside extended permit tcp host 10.10.1.10 host 10.10.1.11 eq 1433
access-group DMZtoInside in interface dmz

Any suggestions?

Thanks in advance

Zuke

5 REPLIES

Re: NAT port 1433 (SQL) from dmz to inside server

You could change the static to:

static (inside,dmz) 192.168.0.11 192.168.0.11 netmask 255.255.255.255

ACL:

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-group DMZtoInside in interface dmz

HTH

Jorge


Re: NAT port 1433 (SQL) from dmz to inside server

Hi Jorge,

Thanks for your response. That worked for allowing the server to access the 1433 port.

However, when I applied the access-group

access-group DMZtoInside in interface dmz

the server 10.10.1.10 in the dmz could no longer perform an nslookup (so, for example, no outbound mail).

The log shows:

4 Dec 12 2007 10:44:03 106023 10.10.1.10 66.93.87.2 Deny udp src dmz:10.10.1.10/1027 dst outside:66.93.87.2/53 by access-group "DMZtoInside" [0x0, 0x0]

Did I miss something?

Cheers - Zuke

Re: NAT port 1433 (SQL) from dmz to inside server

Where does your DNS server sit, on the inside interface or outside?

Green

Re: NAT port 1433 (SQL) from dmz to inside server

You want to do something like this...

access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433
access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside permit ip any any
access-group DMZtoInside in interface dmz
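The reason the one-line ACL from the first reply broke DNS and the three-line version above does not is the ASA's first-match evaluation with an implicit deny at the end: once an access-group is applied to the dmz interface, the default "higher security level may talk to lower" behaviour no longer applies, and anything not explicitly permitted (the DNS query to 66.93.87.2/53 in the log) is dropped. The following Python model is an added illustration, not part of this thread or of any Cisco software; it parses the access-list lines posted in the thread, applies first-match semantics with implicit deny, and evaluates three constructed flows (the SQL connection, the DNS lookup from the log, and a hypothetical SMTP attempt to another inside host) against both ACLs.

```python
"""Added example: first-match / implicit-deny model of the ASA access-lists
posted in this thread. Not Cisco code; the sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL from the first reply (single permit, nothing else).
ORIGINAL_ACL = [
    "access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433",
]

# The ACL from the reply above: permit SQL to the one host, block the rest
# of the inside network, then allow everything else (DNS, SMTP outbound...).
FIXED_ACL = [
    "access-list DMZtoInside permit tcp host 10.10.1.10 host 192.168.0.11 eq 1433",
    "access-list DMZtoInside deny ip any 192.168.0.0 255.255.255.0",
    "access-list DMZtoInside permit ip any any",
]


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'host X' | 'any' | 'NET MASK' at tokens[i]; return (network, next_i)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA writes networks as "NET MASK"; ipaddress accepts "NET/MASK" directly.
    return ipaddress.IPv4Network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse: access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    i = 2
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2
    src, i = _parse_addr(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First matching entry wins; no match at all is the ASA's implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


# Constructed flows, all sourced from the DMZ web server 10.10.1.10:
# the SQL session, the DNS query seen in the syslog line, and a hypothetical
# SMTP attempt at a different inside host (192.168.0.25 is made up).
FLOWS = {
    "sql": ("tcp", "10.10.1.10", "192.168.0.11", 1433),
    "dns": ("udp", "10.10.1.10", "66.93.87.2", 53),
    "other-inside": ("tcp", "10.10.1.10", "192.168.0.25", 25),
}


def decisions(acl_lines):
    """Map each constructed flow name to the ACL decision for it."""
    return {name: evaluate(acl_lines, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, decisions(acl))
```

Running it shows the original ACL returning "deny (implicit)" for the DNS flow, matching the 106023 syslog message, while the fixed ACL permits DNS and SQL but still refuses the attempt at another inside host. The model evaluates real (untranslated) addresses; on the pre-8.3 ASA code of the era, an interface ACL is matched against the address visible on that interface, which is why the thread switched the static to an identity translation before referencing 192.168.0.11 in the ACL.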


Re: NAT port 1433 (SQL) from dmz to inside server

That worked.

Thanks for everyone's help.

Cheers - Zuke

2319 Views, 5 Helpful, 5 Replies