topic Allow SQL traffic from dmz host to internal SQL server in Network Security

Allow SQL traffic from dmz host to internal SQL server

djames — Mon, 11 Mar 2019 09:01:39 GMT

I have a webserver(192.168.10.2) on a DMZ network off of a ASA 5510 7.1(2). It needs to communicate with a MSSQL server(10.10.4.48) on the internal network. What ports, if any, other than tcp 1433 do I need to allow this to happen? I have tried tcp1433 both ways and the webserver is still not able to access the SQL database on the internal network

Re: Allow SQL traffic from dmz host to internal SQL server

t-heeter — Tue, 28 Nov 2006 15:17:44 GMT

Is there any communication at all?

You may be missing a static (inside,DMZ) statement.

Re: Allow SQL traffic from dmz host to internal SQL server

m.sir — Tue, 28 Nov 2006 15:22:53 GMT

for PIX low security to high security traffic , it must meet two requirement:

1. acl permitted static command configured

2. static command configured

It seems you have already permited communication with ACL

You need following static command its so called identity NAT

static (inside,dmz) 10.10.4.48 10.10.4.48 netmask 255.255.255.255

Hope that helps rate if it does

Re: Allow SQL traffic from dmz host to internal SQL server

djames — Tue, 28 Nov 2006 15:34:36 GMT

I already have the static map configured. My internal subnetmask is a /23 and my dmz is a /24. My static map is:

static (Inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.254.0.

I have an ACL access-list INSIDE extended permit tcp host 192.168.10.2 host 10.10.4.48 eq 1433. Is there something I am missing. For testing purposes I would like to be able to 'ping' 10.10.4.48 from 192.168.10.2 as well.

Re: Allow SQL traffic from dmz host to internal SQL server

t-heeter — Tue, 28 Nov 2006 18:31:50 GMT

Is access-list INSIDE applied to DMZ interface?

access-group INSIDE in interface DMZ