Cisco Support Community
Community Member

Talking to SQL server from DMZ

I was able to get a web server that we have on our DMZ to communicate with my SQL server but I wanted to know if anyone knew why I needed to use gt 1024 in my access statement.

I originally tried to use

access-list DMZ extended permit tcp host eq 1433 host eq 1433

but had to change it to

access-list fromDMZ extended permit tcp host gt 1024 host eq 1433

in order for it to work.

Just trying to figure out why?

Any info would be helpful.



Re: Talking to SQL server from DMZ


Here's an excerpt from the link below that should answer your query concerning the ports used by SQL client/server...

When the client establishes a TCP/IP connection, a three-way handshake is done. The client opens a source port and sends traffic to a destination port, which by default is 1433. The client source port in use is random, but is greater than 1024. By default, when an application requests a socket from the system for an outbound call, a port between the values of 1024 and 5000 is supplied.

As you can see, the client always uses a source port in the range of 1024 to 5000. If you want to be more granular in the traffic allowed from the host, you can configure the access-list as follows:

access-list fromDMZ extended permit tcp host range 1024 5000 host eq 1433




Re: Talking to SQL server from DMZ

Here is the reason-

"host eq 1433" This portion in your first access-list defines the source IP and source port from where the connection will initiate. Now, as TCP works, if a host initiates a connection, the source port used to initiate the connection is always greater than 1024, because all ports lower than that are ports registered for specific services. This is the reason your connection never worked.

In the next ACL, the following portion defines the source IP and source port:

"host gt 1024", this is exactly as per the norms, hence the connection works !!

Ideally, your ACL should be like this:

access-list fromDMZ extended permit tcp host host eq 1433

You don't need to worry about the source port. All we need to take care of is the destination port.

I hope this explains.



Community Member

Re: Talking to SQL server from DMZ

The reason it needs the ports above 1024 is that SQL uses dynamically allocated ports above 1024 for communication between a SQL Server and client. I believe you can change this to use predetermined ports, and there are some KB articles on the MS site that detail this.


Hall of Fame Super Blue

Re: Talking to SQL server from DMZ


When a client, which in your case is the web server, talks to a server, the SQL server, the destination port is the service port on the server, i.e. 1433 in this case, which is SQL. However, the client port is very rarely the same port number, as this is not the way TCP/UDP works.

The client generates a dynamic port number above 1024 to use for the communication. This is pretty much how all client/server communication takes place. So, another example:



The server is running a telnet service, i.e. TCP port 23.

On your client you type "telnet". Your client generates a random port number, e.g. 5541, and sends a TCP SYN packet to the server, so:

source port 5541

destination port 23

When the server responds it sends a packet back:

source port 23

destination port 5541
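As an added illustration (not code from any post in this thread), the following Python script parses the four ACL shapes discussed above, with hypothetical placeholder host addresses filled in for the ones the page lost, and reports which entries permit the web server's SYN to port 1433 from a given ephemeral source port, including the 5541 used in the telnet example:

```python
import re

# Hypothetical placeholder addresses; the thread's own ACL lines lost theirs.
WEB = "10.1.1.10"   # DMZ web server (client)
SQL = "10.2.2.20"   # inside SQL server

# The ACL variants from the thread, reconstructed with the placeholders above.
ACLS = {
    "eq-eq":   f"access-list fromDMZ extended permit tcp host {WEB} eq 1433 host {SQL} eq 1433",
    "gt-1024": f"access-list fromDMZ extended permit tcp host {WEB} gt 1024 host {SQL} eq 1433",
    "range":   f"access-list fromDMZ extended permit tcp host {WEB} range 1024 5000 host {SQL} eq 1433",
    "any-src": f"access-list fromDMZ extended permit tcp host {WEB} host {SQL} eq 1433",
}

PORT_OP = r"(?:eq \d+|gt \d+|lt \d+|range \d+ \d+)"
ACE_RE = re.compile(
    rf"access-list \S+ extended permit tcp host (?P<src>\S+)(?: (?P<sop>{PORT_OP}))?"
    rf" host (?P<dst>\S+)(?: (?P<dop>{PORT_OP}))?$"
)

def port_matches(op, port: int) -> bool:
    """Evaluate one Cisco port operator (None means any port) against a port number."""
    if op is None:
        return True
    parts = op.split()
    if parts[0] == "eq":
        return port == int(parts[1])
    if parts[0] == "gt":
        return port > int(parts[1])
    if parts[0] == "lt":
        return port < int(parts[1])
    lo, hi = int(parts[1]), int(parts[2])       # range lo hi, inclusive
    return lo <= port <= hi

def ace_permits(ace: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True if the first packet of a flow (the client's SYN) matches the ACE."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"unparsed ACE: {ace}")
    return (m["src"] == src and m["dst"] == dst
            and port_matches(m["sop"], sport) and port_matches(m["dop"], dport))

def syn_results(sport: int) -> dict:
    """Which of the thread's ACLs permit the web server's SYN to SQL:1433 from source port sport."""
    return {name: ace_permits(ace, WEB, sport, SQL, 1433) for name, ace in ACLS.items()}

if __name__ == "__main__":
    for sport in (1433, 3000, 5541):
        print(sport, syn_results(sport))
```

Note that the telnet example's port 5541 already falls outside the "range 1024 5000" entry, and Windows Vista/Server 2008 and later default to a dynamic range of 49152 to 65535, so the entry with no source-port operator is the one that keeps working.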



