https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173098#M604406 <HTML><HEAD></HEAD><BODY><P>Hi Ziggy -</P><P></P><P>You'll require a static tanslation and a ACL, i.e.</P><P></P><P>Create a static translation:</P><P></P><P>&gt; static (inside,outside) tcp <YOUR outside="" ip="" addrs=""> 1433 <YOUR private="" ip="" addrs=""> 1433 netmask 255.255.255.255 0 0</YOUR></YOUR></P><P></P><P>Now create a ACL for the outside interface i.e.</P><P></P><P>&gt; access-list <ACL_NAME_OUTSIDE> permit tcp host <YOUR public="" sorce="" addrs=""> host <YOUR outside="" pix="" ip="" addrs=""> eq 1433</YOUR></YOUR></ACL_NAME_OUTSIDE></P><P></P><P>Hope this helps --</P></BODY></HTML> Wed, 18 Jun 2003 13:38:29 GMT jmia 2003-06-18T13:38:29Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173097#M604404 <P>I have a pix 525 ver 6.2(2)</P><P>I need to allow a specific ip address in on port 1433 for MSSQL within our Private Network Via Nat.</P><P>I have tested with just the Public Ip and It works Just fine.</P><P>When I nat the Public to Private address It does not work.</P><P>Can Someone give me a correct command to allow this to take place.</P><P>Public Ip Example 172.16.2.1 to Private 10.1.2.2 and allow Port 1433 only.</P><P></P><P>Thanks in Advance</P><P></P><P>Ziggy Czaja</P> Fri, 21 Feb 2020 06:48:37 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173097#M604404 zczaja 2020-02-21T06:48:37Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173098#M604406 <HTML><HEAD></HEAD><BODY><P>Hi Ziggy -</P><P></P><P>You'll require a static tanslation and a ACL, i.e.</P><P></P><P>Create a static translation:</P><P></P><P>&gt; static (inside,outside) tcp <YOUR outside="" ip="" addrs=""> 1433 <YOUR private="" ip="" addrs=""> 1433 netmask 255.255.255.255 0 0</YOUR></YOUR></P><P></P><P>Now create a ACL for the outside interface i.e.</P><P></P><P>&gt; access-list <ACL_NAME_OUTSIDE> permit tcp host <YOUR public="" sorce="" addrs=""> host <YOUR outside="" pix="" ip="" addrs=""> eq 1433</YOUR></YOUR></ACL_NAME_OUTSIDE></P><P></P><P>Hope this helps --</P></BODY></HTML> Wed, 18 Jun 2003 13:38:29 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173098#M604406 jmia 2003-06-18T13:38:29Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173099#M604408 <HTML><HEAD></HEAD><BODY><P>sorry Ziggy forgot to mention, pls do clear xlate with cmd: clear xlate on config mode and write to memory with cmd: write memory.</P><P></P><P>Hope this helps --</P></BODY></HTML> Wed, 18 Jun 2003 13:52:02 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173099#M604408 jmia 2003-06-18T13:52:02Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173100#M604409 <HTML><HEAD></HEAD><BODY><P>Jmia, thanks for responding.</P><P>I created the static inside,outside tcp outside ip address 1433 inside ip address 1433 netmask 255.255.255.25 0 0</P><P>The Nat translation is OK.</P><P>The ACL = access-list name permit tcp host public ip address(host that is tring to reach us) host outside pix address eq 1433.</P><P></P><P>did clear xslate.</P><P>We can see the traffic trying to come trrough but it is being denied by the access-list . error ID 106023.</P><P>What permissions am I missing</P></BODY></HTML> Wed, 18 Jun 2003 19:23:22 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173100#M604409 zczaja 2003-06-18T19:23:22Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173101#M604411 <HTML><HEAD></HEAD><BODY><P>Hi Ziggy -</P><P></P><P>Okay, the config seems to be ok, can you please post your pix config here or if you like e-mail me with it (but pls. remember to exclude your real IP's and passwords), also check the following link to see if can identify the erro ID (sorry just have no time to look it up for you).</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800891ec.html" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800891ec.html</A></P><P></P><P>Also, a quick thought - on the ACL instead of the outside pix addrs try inside addrs i.e.</P><P></P><P>&gt; access-list <NAME> permit tcp host <SOURCE ip="" addrs=""> host <INSIDE ip="" interface="" addrs="" of="" pix=""> eq 1433</INSIDE></SOURCE></NAME></P><P></P><P>*Make sure when you change the ACL you include the ACL group cmd, i.e. &gt; access-group inside in interface inside, before you past back into the pix and also use the 'no access-list inside' as the first line on the modified ACL.</P><P></P><P>Let me know how you get on.</P><P></P><P>Hope this helps --</P></BODY></HTML> Thu, 19 Jun 2003 13:24:26 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173101#M604411 jmia 2003-06-19T13:24:26Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173102#M604413 <HTML><HEAD></HEAD><BODY><P>Hi Ziggy,</P><P></P><P>Here's the explanation fro your error msg:</P><P></P><P>%PIX-4-106023: Deny protocol src [inbound-interface]:[src_address / src_port] dst outbound-interface:dst_address / dst_port [type {type}, code {code}] by access_group access-list-name </P><P></P><P>Explanation An IP packet was denied by the access-list. </P><P></P><P>Action Change permission of access-list if a permit policy is desired. If messages persist from the same source address, messages could indicate a foot printing or port scanning attempt. Contact the remote host administrator. </P><P></P><P>Hope this helps and let me know how get on --</P></BODY></HTML> Thu, 19 Jun 2003 14:38:04 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173102#M604413 jmia 2003-06-19T14:38:04Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173103#M604415 <HTML><HEAD></HEAD><BODY><P>Hello again Ziggy --</P><P></P><P>Another thought on your problem, </P><P></P><P>1. Have you tried debuging on the source IP address ?</P><P></P><P>&gt; debug packet outside <SOURCE ip="" address=""></SOURCE></P><P>&gt; to stop debuging do &gt; no debug packet outside</P><P></P><P>**Pls. be aware not to do this on production pix as it may overload the pix ***</P><P></P><P>2. access-list <NAME> permit tcp host <YOUR source="" ip="" addrs=""> host <YOUR pix="" outside="" interface="" ip="" addrs=""> eq 1433</YOUR></YOUR></NAME></P><P></P><P>&gt; static (inside,outside) tcp host <YOUR pix="" outside="" interface="" ip="" addrs=""> 1433 <YOUR inside="" pc=""> 1433 netmask 255.255.255.255 0 0</YOUR></YOUR></P><P></P><P>&gt; do 'wr m' (write memory) to save config and do 'clear xlate'</P><P></P><P>3. Make sure you have a static ip route on your inside router for your source IP addrs. i.e. &gt; (in config mode on router) ip route <YOUR source="" ip="" addrs=""> <MASK> <YOUR pix="" inside="" ip="" addrs=""></YOUR></MASK></YOUR></P><P></P><P>&gt; save the config on router with 'wr m' (write memory) also do the same for the pix as well.</P><P></P><P>Hope this helps --</P></BODY></HTML> Thu, 19 Jun 2003 15:13:02 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173103#M604415 jmia 2003-06-19T15:13:02Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173104#M604417 <HTML><HEAD></HEAD><BODY><P>email on its way thank you</P></BODY></HTML> Thu, 19 Jun 2003 16:52:10 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173104#M604417 zczaja 2003-06-19T16:52:10Z https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173105#M604419 <HTML><HEAD></HEAD><BODY><P>Got it.</P><P></P><P>Thank you for all your help and effort I appreciated.</P><P></P></BODY></HTML> Thu, 19 Jun 2003 18:51:08 GMT https://community.cisco.com/t5/network-security/pix-firewall-access-to-sql-server/m-p/173105#M604419 zczaja 2003-06-19T18:51:08Z