Cisco Support Community
Pix 506e ATTACK ON SQL

I presently have a 506e pix that has port 1433 open (SQL) and is being hit from an outside source. I want to close it off, but use it internally between another 506e pix from another location (colo to office). Can you please let me know what entries on my pix(s) I need to use to keep open the port 1433 between the two pixes, but block everyone else. Here's my info from the pix:

(PIX A)

ip address outside 66.243.86.213 255.255.255.240
ip address inside 10.0.0.1 255.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.243.86.209 1

(PIX B)

access-list 101 permit tcp any host 66.243.84.172 eq smtp
access-list 101 permit tcp any host 66.243.84.173 eq 1433
static (inside,outside) 66.243.84.165 SQL2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 66.243.84.163 1

1 REPLY
Green

Re: Pix 506e ATTACK ON SQL

Change...

access-list 101 permit tcp any host 66.243.84.173 eq 1433

to this

access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433

This will allow only 66.243.86.213 to access 66.243.84.173 on SQL instead of allowing any. I am assuming you have clients inside PIX A who are NATing to the outside interface of the PIX.
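As an added illustration (not code from the thread), a small Python model of first-match PIX ACL evaluation run over the two access-list 101 variants above. It assumes, like the reply, that PIX A's inside clients leave NATed to its outside address 66.243.86.213; the probe source 203.0.113.7 is a constructed stand-in for an unrelated Internet host.

```python
import ipaddress

# Named ports PIX accepts after "eq"; the thread uses "smtp" and the number 1433.
PORT_NAMES = {"smtp": 25}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume one PIX address spec ('any' or 'host A.B.C.D') from the front of tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return ANY
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address spec: {kw}")

def parse_acl_line(line):
    """Parse 'access-list ID permit|deny tcp <src> <dst> [eq PORT]' into a rule dict."""
    t = line.split()
    if t[:1] != ["access-list"] or t[3] != "tcp":
        raise ValueError(f"unsupported line: {line}")
    rest = t[4:]
    rule = {"id": t[1], "action": t[2], "src": _addr(rest), "dst": _addr(rest), "dport": None}
    if rest[:1] == ["eq"]:
        rule["dport"] = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return rule

def evaluate(acl, src_ip, dst_ip, dport):
    """First-match evaluation; a packet matching no entry hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r["action"]
    return "deny"

# The access-list 101 as posted, and as the reply suggests (smtp line unchanged).
ORIGINAL = [parse_acl_line(l) for l in (
    "access-list 101 permit tcp any host 66.243.84.172 eq smtp",
    "access-list 101 permit tcp any host 66.243.84.173 eq 1433",
)]
FIXED = [parse_acl_line(l) for l in (
    "access-list 101 permit tcp any host 66.243.84.172 eq smtp",
    "access-list 101 permit tcp host 66.243.86.213 host 66.243.84.173 eq 1433",
)]

def compare():
    """Verdict under each ACL for PIX A's outside address and a constructed unrelated host."""
    probes = [("66.243.86.213", "66.243.84.173", 1433), ("203.0.113.7", "66.243.84.173", 1433)]
    return {p: (evaluate(ORIGINAL, *p), evaluate(FIXED, *p)) for p in probes}
```

The filter is only as narrow as PIX A's NAT: every inside host translated to 66.243.86.213 matches the permit, while any other source falls through to the implicit deny.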
