https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893465#M167617 <P>Hello,</P> <P></P> <P>My company is currently running a Cisco ASA 5510. &nbsp;We have been told by our 3rd party point of sale vendor that they are having issues syncing their database and server because they need TCP port 1433 &amp; UDP port 1434 opened on the firewall. &nbsp;I have been staring at this for a few days now - I have attempted to create Access Rules to open those ports but it doesn't seem to change anything. &nbsp;I apologize in advance, as I am a novice with these firewalls.</P> <P></P> <P>The server and machines attempting to sync up are all on the same domain, so I thought my access rules should be "Inside". &nbsp;I have tried multiple variations of setups, including having incoming and outgoing rules and using "any" for both IP Addresses and ports. &nbsp;I have reloaded the device after each change to make sure it was current, but nothing seems to fix the issue. &nbsp;I understand the device is old and outdated, but they can't afford to upgrade anytime soon.</P> <P></P> <P>Any help would be greatly appreciated.</P> Tue, 12 Mar 2019 07:27:25 GMT j_patykow 2019-03-12T07:27:25Z https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893465#M167617 <P>Hello,</P> <P></P> <P>My company is currently running a Cisco ASA 5510. &nbsp;We have been told by our 3rd party point of sale vendor that they are having issues syncing their database and server because they need TCP port 1433 &amp; UDP port 1434 opened on the firewall. &nbsp;I have been staring at this for a few days now - I have attempted to create Access Rules to open those ports but it doesn't seem to change anything. &nbsp;I apologize in advance, as I am a novice with these firewalls.</P> <P></P> <P>The server and machines attempting to sync up are all on the same domain, so I thought my access rules should be "Inside". &nbsp;I have tried multiple variations of setups, including having incoming and outgoing rules and using "any" for both IP Addresses and ports. &nbsp;I have reloaded the device after each change to make sure it was current, but nothing seems to fix the issue. &nbsp;I understand the device is old and outdated, but they can't afford to upgrade anytime soon.</P> <P></P> <P>Any help would be greatly appreciated.</P> Tue, 12 Mar 2019 07:27:25 GMT https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893465#M167617 j_patykow 2019-03-12T07:27:25Z https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893466#M167620 <P>Hi,</P> <P></P> <P>Since you have allowed <G class="gr_ gr_63 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="63" data-gr-id="63">any any</G> it should have worked.</P> <P></P> <P>Before we move ahead I would request you to test with this config:</P> <P></P> <P>The SQL server is listening on UDP/TCP port <G class="gr_ gr_125 gr-alert gr_gramm undefined Punctuation multiReplace" id="125" data-gr-id="125">1434 ,</G> so the client will initiate a connection from a random port above 1025.<BR />So you need to have an ACL to allow the access from Any with random UDP/TCP port going to SQL server on port 1434, so you need to have the command <BR />" range 1 <G class="gr_ gr_130 gr-alert gr_gramm undefined Punctuation multiReplace" id="130" data-gr-id="130">65353 " ,</G> and for the returning traffic you need to have an ACL from source port 1434 going to the random destination port.<BR />Since you are accessing the Server from outside to <G class="gr_ gr_129 gr-alert gr_gramm undefined Punctuation multiReplace" id="129" data-gr-id="129">inside ,</G> then you need to open the Access on the outside for the incoming traffic<BR />So if you try and remove the ACL that <G class="gr_ gr_127 gr-alert gr_gramm undefined Grammar multiReplace" id="127" data-gr-id="127">permit</G> the traffic from the SQL server on port 1434 going to the client on random <G class="gr_ gr_128 gr-alert gr_gramm undefined Punctuation replaceWithoutSep" id="128" data-gr-id="128">port ,then</G> it should <BR />be <G class="gr_ gr_126 gr-alert gr_gramm undefined Punctuation multiReplace" id="126" data-gr-id="126">fine .</G></P> <P>Please check the below <G class="gr_ gr_122 gr-alert gr_gramm undefined Punctuation multiReplace" id="122" data-gr-id="122">link :</G><BR />http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts.</P> Wed, 09 Mar 2016 03:41:23 GMT https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893466#M167620 Aditya Ganjoo 2016-03-09T03:41:23Z https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893467#M167623 <P>I'm sorry I should have been more clear earlier. &nbsp;These two machines are on the same domain, so I believe they are both using the "inside" interface. &nbsp;</P> <P>I just found some material on enabling u-turn / hairpinning since they are using the same interface.</P> <P>I enabled this option and received a different error:</P> <P>_______________________________________________________</P> <P><STRONG><SPAN style="text-decoration: underline;">Type - NAT &nbsp; &nbsp; Action - DROP</SPAN></STRONG></P> <P><STRONG>Config</STRONG></P> <P><STRONG>nat (inside) 0 access-list inside_nat0_outbound</STRONG></P> <P><STRONG>nat (inside) 0 access-list inside_nat0_outbound_1 outside</STRONG></P> <P><STRONG>nat (inside) 1 0.0.0.0 0.0.0.0</STRONG></P> <P><STRONG>match ip inside any inside any</STRONG></P> <P><STRONG>dynamic translation to pool 1 (no matching global)</STRONG></P> <P><STRONG>translate_hits = 1, untranslate_hits = 0</STRONG></P> <P><SPAN>_______________________________________________________</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>I am very new to this, and am not knowledgeable about the commands. &nbsp;I am attempting to do all of this from the ASDM. &nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>I am assuming I need to set something up in the NAT, but am not sure on how to go about this correctly. &nbsp;</SPAN></P> <P></P> <P>Also, is there a way to configure it so that it only allows the hairpinning from specific IP's, so it doesn't congest the ASA?</P> <P></P> <P>I am grateful for any help!</P> Wed, 09 Mar 2016 17:23:03 GMT https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893467#M167623 j_patykow 2016-03-09T17:23:03Z https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893468#M167626 <P>Hi,</P> <P></P> <P>No worries. You need to add two commands on the CLI:</P> <P></P> <P>same-security-traffic permit intra-interface</P> <P></P> <P>global (inside) 1 interface.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P>Please rate helpful posts.</P> Wed, 09 Mar 2016 18:29:37 GMT https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893468#M167626 Aditya Ganjoo 2016-03-09T18:29:37Z https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893469#M167629 <P>Getting closer. &nbsp;But now I am seeing this:</P> <P>________________________________________________________</P> <P><STRONG><SPAN style="text-decoration: underline;">Type - NAT &nbsp; &nbsp; Subtype - rpf-check &nbsp; &nbsp; Action - DROP</SPAN></STRONG></P> <P></P> <P><STRONG>nat (inside) 0 access-list inside_nat0_outbound</STRONG></P> <P><STRONG>nat (inside) 0 access-list inside_nat0_outbound_1 outside</STRONG></P> <P><STRONG>nat (inside) 1 0.0.0.0 0.0.0.0</STRONG></P> <P><STRONG>match ip inside any inside any</STRONG></P> <P><STRONG>dynamic translation to pool 1 (10.1.2.2 [Interface PAT])</STRONG></P> <P><STRONG>translate_hits = 2, untranslate_hits = 0</STRONG></P> <P><SPAN>________________________________________________________</SPAN></P> <P></P> <P>And I see this in the ASDM Syslog:</P> <P></P> <P><STRONG>No translation group found for tcp src inside: ......</STRONG></P> <P><STRONG></STRONG></P> <P>Thanks in advance!</P> Wed, 09 Mar 2016 20:18:23 GMT https://community.cisco.com/t5/network-security/asa-5510-sql-ports/m-p/2893469#M167629 j_patykow 2016-03-09T20:18:23Z