SQL server access from DMZ interface ASA 5505

terrencepayet
Level 1

Hi Guys,

I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network)

Those networks (10.132.0.0/16) come from the DMZ interface.

Can this be done?

Thanks,

Terence


12 Replies

Edward Dutra
Cisco Employee

Yes it can. Were you interested in natting any of the traffic? If not, just use NAT Exemption to allow the traffic through.

Hi Edward,

Thanks for your reply.

Let me explain the scenario. I would like to allow 10.132.23.0/24, 10.132.33.0, 10.136.66.0/24, coming in on the DMZ interface 10.132.26.1/24, to reach the inside interface and access our Microsoft SQL server 192.168.1.7 255.255.255.255. I would like to protect the rest of the internal network from access. Also, is there a way to allow access to the Microsoft SQL Server port 1433?

I would like to ping the SQL Server from the DMZ interface also. Is this possible?

Thanks,

Terence

Hi Terrence...

As I said this is possible. You most likely want to use NAT Exemption or even a Static to allow the networks to talk to each other. I assume the DMZ is a lower security than the inside interface.

The easiest way to configure access is using a static like the following:

static (inside,DMZ) 192.168.1.7 192.168.1.7 netmask 255.255.255.255

The above static would allow all resources on the DMZ to access the inside 192.168.1.7 server. To further restrict what can access 192.168.1.7, you then use the access-list on the DMZ interface to allow and/or restrict access to the SQL server.

As I said, you can also use NAT exemption to allow the communication as well. NAT exemption gives you more flexibility to identify networks that can access 192.168.1.7; however, you would still require use of the access-list to allow or block traffic.

Nat exemption configuration:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html#wp1080803

Hi Edward,

Many thanks for your reply.

I have applied the static (inside,DMZ) 192.168.1.7 192.168.1.7 netmask 255.255.255.255 as stated below, but still no go. I've attached my config and also the packet tracer test.

Thanks,

Terrence

Hi Terrence...

Looks like you forgot to apply an access-list for the DMZ. Access-lists are required for all interfaces with the exception of the highest security interface. Apply an access-list for the DMZ networks to the SQL server and let me know how it goes.

Hi Terrence,

You might have to add this ACL:

access-list dmz_access_in extended permit tcp 10.132.0.0 255.255.0.0 SQLDB

access-group dmz_access_in in interface DMZ

You are missing this.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your reply.

I've added the access-list as suggested. But still no go.

Am I doing something wrong? I am not able to ping 192.168.1.7.

Thanks,

Terence

Hi Varun,

It works now thanks.

But instead of using static, I would like to use Natting. So network from 10.132.0.0 from the DMZ access the 10.132.26.1 interface and translate it to our internal LAN.

Thanks,

Terence

HI Terrence,

You would need the static as well, but if you want to nat the dmz users to inside interface, then you can add:

nat (dmz) 2 10.132.0.0 255.255.0.0

global (inside) 2 interface

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your reply.

So let's say I want to access my database server 192.168.1.7 from 10.132.0.0/16.

I want to be able to access the server via 10.132.26.1. So users on the remote network will use 10.132.26.1 to access the database.

This is what I want to achieve.

Thanks,

Terence

Hi Terrence..

Then you would just change the static I provided you earlier:

static (inside,DMZ) 10.132.26.1 192.168.1.7 netmask 255.255.255.255

The above static will allow hosts on the DMZ to access the 192.168.1.7 server using the mapped IP address of 10.132.26.1. Keep in mind you also have to change your access-list on the DMZ to allow connections to 10.132.26.1.
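Putting the thread's pieces together as one ASA 8.2 (pre-8.3 NAT syntax) configuration, as an added example that is not config posted in this thread or taken from Cisco's documentation: it uses the static with the mapped address 10.132.26.1 from Edward's post, restricts the DMZ access-list to TCP 1433 and ping from the three /24s in the opening question rather than the whole /16, and finishes with packet-tracer checks of the kind Terence ran. The object-group name DMZ_SQL_CLIENTS, the client address 10.132.23.10 used in packet-tracer, and the global_policy/inspection_default names (the ASA defaults) are assumptions; dmz_access_in is the access-list name Varun used.

```cisco
object-group network DMZ_SQL_CLIENTS
 network-object 10.132.23.0 255.255.255.0
 network-object 10.132.33.0 255.255.255.0
 network-object 10.132.24.0 255.255.255.0

static (inside,DMZ) 10.132.26.1 192.168.1.7 netmask 255.255.255.255

access-list dmz_access_in remark In 8.2 the inbound ACL is matched on the mapped address, not 192.168.1.7
access-list dmz_access_in extended permit tcp object-group DMZ_SQL_CLIENTS host 10.132.26.1 eq 1433
access-list dmz_access_in remark Ping to the mapped address; replies return via icmp inspection
access-list dmz_access_in extended permit icmp object-group DMZ_SQL_CLIENTS host 10.132.26.1 echo
access-list dmz_access_in remark Everything else from the DMZ toward inside is dropped and logged
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface DMZ

policy-map global_policy
 class inspection_default
  inspect icmp

clear xlate
packet-tracer input DMZ tcp 10.132.23.10 40000 10.132.26.1 1433
packet-tracer input DMZ tcp 10.132.23.10 40000 192.168.1.7 1433
```

The first packet-tracer should end in ALLOW (translated to 192.168.1.7:1433); the second should be dropped by the access-list, which is the check that the rest of the inside network is not reachable from the DMZ by its real addresses. `clear xlate` after changing a static drops translations built under the old one. Two caveats: if 10.132.26.1 is in fact the DMZ interface's own address, the ASA will not accept it as a one-to-one static mapped address, and the port-level form `static (inside,DMZ) tcp interface 1433 192.168.1.7 1433 netmask 255.255.255.255` is the way to expose only TCP 1433 on the interface address; and because this configuration does not translate the DMZ sources, the SQL server needs a route back to the 10.132.0.0/16 networks via the ASA's inside interface, which is what Varun's `nat (dmz) 2` / `global (inside) 2 interface` pair would otherwise avoid by hiding the clients behind the inside interface address.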

Hi Edward,

Thanks. It works.

Terence
