Cisco Support Community
Community Member

Microsoft SQL and Ports for Outside Access to DMZ

I need to know how to open up the proper ports on my PIX 515 v6.2(1) to work with my Microsoft SQL server which is hosted from my DMZ.

I imagine it is a port opening problem and I have opened port 1433 but it does not work.

I have already created the static and conduit rules mapping the private to public IP addresses and have made the proper DNS entries for the SQL server but when I try to create a system DSN I keep getting an error.

Can anyone please help?

Regards,

Benjamin Saenz

cisco@wholesaleurl.com

2 REPLIES
Community Member

Re: Microsoft SQL and Ports for Outside Access to DMZ

I believe that you are on the right track. In order to find out what ports are used, even though 1433 should be enough, do this from a DMZ if possible, but it can be done from the outside, as it only takes a minute; just do not forget to patch the hole...

1) Change your conduit to accept *all* IP traffic

2) Use a PC which is located on the outside (or DMZ) and connect to the SQL server

3) As we now accept all IP traffic this should work; if not, there is something else wrong.

4) At the same time as you access the SQL server from the outside, have a telnet session to the PIX ready and issue the following command:

show conn local xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the "real" IP address of your SQL server. This command will show you what ports are used in this communication.

5) Adjust your conduit according to your findings in step 4 so that it does *ONLY* allow the needed ports.

I hope this works for you.

Goran
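
Steps 4 and 5 above, as an added example that is not part of the original post: a Python script that reads saved `show conn local` output and lists the ports that outside clients actually reached on the server, which is the list the tightened conduit should allow. The sample lines and addresses are constructed, and the line layout and the meaning of the `B` flag (initial SYN from outside) are assumptions based on PIX 6.x `show conn` output.

```python
import re
from collections import Counter

# Constructed sample of "show conn local 192.168.10.5" output (assumed PIX 6.x layout).
SAMPLE = """\
4 in use, 4 most used
TCP out 198.51.100.20:3345 in 192.168.10.5:1433 idle 0:00:04 Bytes 2210 flags UIOB
TCP out 198.51.100.20:3346 in 192.168.10.5:1433 idle 0:00:02 Bytes 812 flags UIOB
UDP out 198.51.100.20:3347 in 192.168.10.5:1434 idle 0:00:09 flags D-
TCP out 203.0.113.7:80 in 192.168.10.5:1190 idle 0:01:10 Bytes 5120 flags UIO
"""

# "out" is the foreign host, "in" is the local (real) address behind the PIX.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<fip>[\d.]+):(?P<fport>\d+)\s+"
    r"in\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+idle\s+\S+"
    r"(?:\s+Bytes\s+\d+)?(?:\s+flags\s+(?P<flags>\S+))?"
)

def inbound_services(show_conn_output, server_ip):
    """Split the server's connections into inbound services and entries to review.

    services: Counter of ("tcp", local_port) for TCP connections whose flags
              contain B (assumed: initial SYN came from outside).
    review:   every other line for server_ip (UDP has no direction flag, and
              TCP without B was opened by the server itself, so its local port
              is an ephemeral source port, not a service to permit).
    """
    services, review = Counter(), []
    for raw in show_conn_output.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if not m or m["lip"] != server_ip:
            continue  # header line, or a connection for another host
        if m["proto"] == "TCP" and "B" in (m["flags"] or ""):
            services[("tcp", int(m["lport"]))] += 1
        else:
            review.append(line)
    return services, review

if __name__ == "__main__":
    services, review = inbound_services(SAMPLE, "192.168.10.5")
    for (proto, port), count in sorted(services.items()):
        print(f"permit candidate: {proto}/{port} ({count} connection(s) from outside)")
    for line in review:
        print(f"review by hand:   {line}")
```

Only the ports listed as permit candidates belong in the final conduit; the lines left for review need a decision by hand before anything else is opened.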

Community Member

Re: Microsoft SQL and Ports for Outside Access to DMZ

Thank you very much for your response. As it turns out the port 1433 was the only one necessary as I needed to reload the PIX for it to take effect.

All is working well.

However, please post the exact command to allow all IP traffic in so I can troubleshoot other connections in the future.

You mention "1) Change your conduit to accept *all* IP traffic" and I need the exact example:

conduit permit TCP etc...

Many thanks for your response.

Regards,

Ben
