02-01-2019 05:12 AM - edited 02-21-2020 08:44 AM
Hi,
I am having a problem getting this to work from the outside network to the inside network. I have already made the NAT rules etc. and given permission, and tried using TCP and UDP ports. Inside the network everything is working. I have tried ports 1433 and 3838; both are working inside. What I have done is use that single port 3838 with TCP and UDP, and with only TCP.
Has somebody done this? If you could give help or the correct command to do it right and get it working.
The config would be: 192.168.13.100 is the SQL server, and ports 1433 and 3838 are in use in the SQL configuration and working inside the network.
Public address xx.xx.xx.42.
The firewall is an ASA.
I would need to get this working ASAP.
Hopefully somebody can help with this.
02-01-2019 06:09 AM
Without seeing your configuration we cannot tell you what is wrong with it. Your NAT and access-list rules might be correct, but there may be another NAT rule which is being hit. But here is an example of how it would be done.
object network REAL-IP
host 10.10.10.10
object network NAT-IP
host 20.20.20.10
nat (inside,outside) source static REAL-IP NAT-IP service tcp 1433 1433
access-list outside-in extended permit tcp any host 10.10.10.10 eq 1433
access-group in interface outside
02-10-2019 03:49 AM - edited 02-10-2019 03:51 AM
Hi, I got the following error message in the attached files.
I checked running config:
ASA Version 9.5(1)
access-list WAN-in extended permit tcp any host (inside ip) eq 1433
access-list outside-in extended permit tcp any host (inside ip) eq 1433
access-list wan-in extended permit tcp any host (inside ip) eq 1433
How can I delete these access lists from the config?
object network CSI-LAN host (inside ip)
object network CSI-WAN host (public ip)
interface GigabitEthernet0/0 nameif WAN
interface GigabitEthernet0/1 nameif LAN
This kind exists already; should the access list be like this?
access-list WAN_access_in extended permit tcp any object SECUREMAIL eq https
02-10-2019 09:21 AM
To remove access list entries from the configuration in ASDM, just find the rule, select the rule and click delete at the top of the ASDM page (or just right click the rule and select delete.)
The access-group command failed because I forgot to include the name of the ACL in the command. But if you already have an access-list in place then you do not need this command. You would just need to amend the access-list entry so it references the correct access-list.
The NAT statement failed as there is a syntax error in it. You need to create a service object and refer to that for the service. But it is better to do this through ASDM if you are not very comfortable with the CLI.
02-12-2019 01:38 AM
Hi,
Would somebody be kind enough to send the commands to get this working.
Now I will try with a new ASA to get this working.
ASA Inside: 192.168.1.1
ASA Outside: 84.50.160.82 (not real address).
SQL Server: 192.168.1.106 (gw 192.168.1.1)
SQL port 1433
The SQL client would connect to 84.50.160.82.
02-12-2019 02:01 AM
02-12-2019 11:19 AM
Remove this NAT statement first:
object network obj_any
no nat (any,outside) dynamic interface
Then configure this (remember to replace IPs with real IPs, you can also change the object names if you like):
object network SQL_SERVER
host 192.168.1.10
object network SQL_PUBLIC
host 1.2.3.4
object service TCP_SQL
service tcp source eq 1433
nat (inside,outside) source static SQL_SERVER SQL_PUBLIC service TCP_SQL
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 1433
access-group outside_access_in in interface outside
02-12-2019 11:39 AM
02-12-2019 12:13 PM
Then in the above configuration just replace SQL_PUBLIC with the keyword interface and replace the IP address in the SQL_SERVER object with the required IP.
02-12-2019 02:08 PM
02-12-2019 10:55 PM
Just an explanation on removing the dynamic NAT. You have two dynamic NATs, one in Auto NAT and the other in after-auto, so to keep the configuration tidy I suggest removing the dynamic NAT in the Auto NAT section.
Other than that, yes, this configuration looks correct.
02-13-2019 12:22 AM
02-13-2019 04:03 AM
Just an FYI you can use the "?" (without quotes) in CLI to see what is missing at the end of the command.
You might need to add another TCP_SQL at the end.
nat (inside,outside) source static SQL_SERVER interface service TCP_SQL TCP_SQL
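As an added illustration (not code from this thread or from Cisco), the following Python checker scans an ASA configuration fragment for the three pitfalls the replies above ran into: a twice-NAT `service` clause with only one service object instead of a real and a mapped one, an `access-group` line with the ACL name left out, and an outside ACL that references the mapped (public) address rather than the real inside host, which is what post-8.3 ASA expects. The configuration string is constructed for the example and deliberately contains the first two mistakes.

```python
import re

# Constructed ASA fragment (not copied from the thread) that reproduces two
# of the mistakes discussed above: the NAT 'service' clause names only one
# object, and the access-group command is missing the ACL name.
CONFIG = """\
object network SQL_SERVER
 host 192.168.1.106
object network SQL_PUBLIC
 host 84.50.160.82
object service TCP_SQL
 service tcp source eq 1433
nat (inside,outside) source static SQL_SERVER SQL_PUBLIC service TCP_SQL
access-list outside_access_in extended permit tcp any host 192.168.1.106 eq 1433
access-group in interface outside
"""

def parse_objects(cfg):
    """Map network object names to their host IP; collect service object names."""
    hosts, services, current = {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"object service (\S+)", line):
            services.add(m.group(1)); current = None
        elif (m := re.match(r"\s+host (\S+)", line)) and current:
            hosts[current] = m.group(1)
    return hosts, services

def check_port_forward(cfg):
    """Return a list of findings for the port-forward pitfalls raised in the thread."""
    hosts, services = parse_objects(cfg)
    lines = [l.split() for l in cfg.splitlines() if l.strip()]
    acl_names = {t[1] for t in lines if t[0] == "access-list"}
    findings, mapped = [], set()
    for tok in lines:
        if tok[0] == "nat" and "static" in tok:          # twice NAT (section 2) rule
            mapped.add(hosts.get(tok[tok.index("static") + 2]))   # mapped object -> public IP
            if "service" in tok:
                svc = tok[tok.index("service") + 1:]
                if len(svc) != 2:                          # needs <real_svc> <mapped_svc>
                    findings.append("nat: twice NAT 'service' needs real and mapped service objects")
                findings += [f"nat: unknown service object {s}" for s in svc if s not in services]
        elif tok[0] == "access-list" and "host" in tok:
            if tok[tok.index("host") + 1] in mapped:       # ACL must use the real inside IP
                findings.append(f"{tok[1]}: ACL references the mapped IP instead of the real host")
        elif tok[0] == "access-group":
            if tok[1] == "in":                             # 'access-group in interface X'
                findings.append("access-group: ACL name missing")
            elif tok[1] not in acl_names:
                findings.append(f"access-group: ACL {tok[1]} is not defined")
    return findings
```

Running `check_port_forward(CONFIG)` reports the two seeded mistakes; correcting the NAT line to `service TCP_SQL TCP_SQL` and the access-group line to `access-group outside_access_in in interface outside` yields no findings.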