topic Re: SQL server access from DMZ interface ASA 5505 in Network Security

SQL server access from DMZ interface ASA 5505

terrencepayet — Mon, 11 Mar 2019 20:39:01 GMT

Hi Guys,

I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network)

Those networks (10.132.0.0/16) come from the DMZ interface.

Can this be done?

Thanks,

Terence

Re: SQL server access from DMZ interface ASA 5505

Edward Dutra — Thu, 26 May 2011 23:48:08 GMT

Yes it can. Were you interested in natting any of the traffic? If not, just use NAT Exemption to allow the traffic through.

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Fri, 27 May 2011 03:12:13 GMT

Hi Edward,

Thanks for your reply.

let me expain the scenario. I will like to allow 10.132.23.0/24, 10.132.33.0, 10.136.66.0/24 coming on DMZ interface 10.132.26.1/24 to the inside interface, to access our Microsoft SQL server 192.168.1.7 255.255.255.255. I would like to protect the rest of the internl network from access. Also is there a way to allow access to the Microsoft Sql Server port:1433.

I would like to ping the Sql Server from the DMZ interface also. Is this possible.

Thanks,

Terence

Re: SQL server access from DMZ interface ASA 5505

Edward Dutra — Fri, 27 May 2011 05:03:11 GMT

Hi Terrence...

As I said this is possible. You most likely want to use NAT Exemption or even a Static to allow the networks to talk to each other. I assume the DMZ is a lower security than the inside interface.

The easiest way to configure access is using a static like the following:

static (inside,DMZ) 192.168.1.7 192.168.1.7 netmask 255.255.255.255

The above static would allow all resources on the DMZ to access the inside 192.168.1.7 server. To further restrict what can access the 192.168.1.7, you than use the access-list on the DMZ interface to allow and/or restrict access to the SQL server.

As I said, you can also use NAT exemption to allow the communication as well. Nat exemption give you more flexibility to identify networks that can access the 192.168.1.7, however you would still require use of the access-list to allow or block traffic.

Nat exemption configuration:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html#wp1080803

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Fri, 27 May 2011 06:36:23 GMT

Hi Edward,

Many thanks for your reply.

I have applied the static (inside,DMZ) 192.168.1.7 192.168.1.7 netmask 255.255.255.255 as stated below. but still no go. I've attched my config and also packet tracer test.

Thanks,

Terrence

Re: SQL server access from DMZ interface ASA 5505

Edward Dutra — Fri, 27 May 2011 06:45:47 GMT

Hi Terrence...

Looks like you forgot to apply a access-list for the DMZ. Access-lists are required for all interfaces with the expection of the hishest security interface. Apply an access-list for the DMZ networks to the SQL server and let me know how it goes.

Re: SQL server access from DMZ interface ASA 5505

varrao — Fri, 27 May 2011 06:49:01 GMT

Hi Terrence,

You might have to add this ACL:

access-list dmz_access_in extended permit tcp 10.132.0.0 255.255.0.0 SQLDB

access-group dmz_access_in in interface DMZ

You are missing this.

Thanks,

Varun

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Fri, 27 May 2011 07:17:46 GMT

Hi Varun,

Thanks for your reply.

I've added the access-list as suggested. But still no go.

Am i doing something wrong. Am not able to ping 192.168.1.7.

Thanks,

Terence

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Fri, 27 May 2011 07:44:23 GMT

Hi Varun,

It works now thanks.

But instead of using static, I would like to use Natting. So network from 10.132.0.0 from the DMZ access the 10.132.26.1 interface and translate it to our internal LAN.

Thanks,

Terence

Re: SQL server access from DMZ interface ASA 5505

varrao — Fri, 27 May 2011 07:47:46 GMT

HI Terrence,

You would need the static as well, but if you want to nat the dmz users to inside interface, then you can add:

nat (dmz) 2 10.32.0.0 255.255.0.0

global (inside) 2 interface.

Thanks,

Varun

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Fri, 27 May 2011 07:59:59 GMT

Hi Varun,

Thanks for your reply.

So let's say i want to access my database server 192.168.1.7 from 10.132.0.0/16.

I want to be able to access the server from 10.132.26.1. So users on the remote network will use 10.132.26.1 to access the database.

This is what i want to acheive.

Thanks,

Terence

Re: SQL server access from DMZ interface ASA 5505

Edward Dutra — Fri, 27 May 2011 20:45:09 GMT

Hi Terrence..

Than you would just change the static I provided you earlier:

static (inside,DMZ) 10.132.26.1 192.168.1.7 netmask 255.255.255.255

The above static will allow hosts on the DMZ to access the 192.168.1.7 server using the mapped IP address of 10.132.26.1. Keep in mind you alos have to change your access-list on the DMZ to allow connections to 10.132.26.1

Re: SQL server access from DMZ interface ASA 5505

terrencepayet — Sat, 28 May 2011 09:27:00 GMT

Hi Edward,

Thank. It works.

Terence