05-26-2011 11:54 AM - edited 03-11-2019 01:39 PM
Hi Guys,
I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server (192.168.1.7) located on the inside interface (192.168.1.0/24 network).
Those networks (10.132.0.0/16) come from the DMZ interface.
Can this be done?
Thanks,
Terence
05-26-2011 04:48 PM
Yes, it can. Were you interested in NATting any of the traffic? If not, just use NAT exemption to allow the traffic through.
05-26-2011 08:12 PM
Hi Edward,
Thanks for your reply.
Let me explain the scenario. I would like to allow 10.132.23.0/24, 10.132.33.0, 10.136.66.0/24 coming in on DMZ interface 10.132.26.1/24 to the inside interface, to access our Microsoft SQL server 192.168.1.7 255.255.255.255. I would like to protect the rest of the internal network from access. Also, is there a way to allow access only to the Microsoft SQL Server port 1433?
I would like to ping the SQL server from the DMZ interface also. Is this possible?
Thanks,
Terence
05-26-2011 10:03 PM
Hi Terence,
As I said, this is possible. You most likely want to use NAT exemption or even a static to allow the networks to talk to each other. I assume the DMZ is a lower security level than the inside interface.
The easiest way to configure access is using a static like the following:
static (inside,DMZ) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
The above static would allow all resources on the DMZ to access the inside 192.168.1.7 server. To further restrict what can access 192.168.1.7, you then use the access-list on the DMZ interface to allow and/or restrict access to the SQL server.
As I said, you can also use NAT exemption to allow the communication as well. NAT exemption gives you more flexibility to identify networks that can access 192.168.1.7; however, you would still require use of the access-list to allow or block traffic.
NAT exemption configuration:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html#wp1080803
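A worked NAT-exemption configuration for the setup discussed above, added here as an illustration and not taken from any post in the thread. It uses ASA 8.2 (pre-8.3) syntax, the three /24s and the SQL host from the original question, and assumes the interfaces are named inside and DMZ and that the ACL names nat0_inside and dmz_access_in are not already in use:

```cisco
! Added example, not the poster's config. ASA 8.2 (pre-8.3) NAT syntax.
! Assumed: interfaces "inside" (security 100) and "DMZ" (lower), and that the
! ACL names nat0_inside and dmz_access_in are free.
!
! 1) NAT exemption: traffic between the SQL host and the three DMZ-side /24s
!    passes without translation. Only the networks from the question are
!    listed, not the whole 10.132.0.0/16. The ACL is written from the
!    inside interface's point of view (source = inside host).
access-list nat0_inside extended permit ip host 192.168.1.7 10.132.23.0 255.255.255.0
access-list nat0_inside extended permit ip host 192.168.1.7 10.132.33.0 255.255.255.0
access-list nat0_inside extended permit ip host 192.168.1.7 10.132.24.0 255.255.255.0
nat (inside) 0 access-list nat0_inside
!
! 2) Exemption only bypasses NAT. The lower-security DMZ still needs an
!    inbound ACL. Permit TCP/1433 to the SQL host and ICMP echo for the ping
!    test; the implicit deny at the end keeps the rest of 192.168.1.0/24
!    unreachable from the DMZ.
access-list dmz_access_in extended permit tcp 10.132.23.0 255.255.255.0 host 192.168.1.7 eq 1433
access-list dmz_access_in extended permit tcp 10.132.33.0 255.255.255.0 host 192.168.1.7 eq 1433
access-list dmz_access_in extended permit tcp 10.132.24.0 255.255.255.0 host 192.168.1.7 eq 1433
access-list dmz_access_in extended permit icmp 10.132.23.0 255.255.255.0 host 192.168.1.7 echo
access-list dmz_access_in extended permit icmp 10.132.33.0 255.255.255.0 host 192.168.1.7 echo
access-list dmz_access_in extended permit icmp 10.132.24.0 255.255.255.0 host 192.168.1.7 echo
access-group dmz_access_in in interface DMZ
!
! The echo-reply travels inside -> DMZ (higher to lower security) and is
! allowed by default as long as no ACL is applied to the inside interface.
```

NAT exemption is bidirectional, so the single nat (inside) 0 statement also covers connections started from the DMZ. Note that the nat (dmz)/global (inside) pair discussed later in the thread is a different thing: it would translate DMZ sources behind the inside interface address, which hides the client addresses from the SQL server's logs; the exemption above keeps them visible, which is usually what you want for auditing database access.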
05-26-2011 11:36 PM
05-26-2011 11:45 PM
Hi Terrence...
Looks like you forgot to apply an access-list for the DMZ. Access-lists are required for all interfaces with the exception of the highest security interface. Apply an access-list for the DMZ networks to the SQL server and let me know how it goes.
05-26-2011 11:49 PM
Hi Terrence,
You might have to add this ACL:
access-list dmz_access_in extended permit tcp 10.132.0.0 255.255.0.0 host 192.168.1.7 eq 1433
access-group dmz_access_in in interface DMZ
You are missing this.
Thanks,
Varun
05-27-2011 12:17 AM
Hi Varun,
Thanks for your reply.
I've added the access-list as suggested. But still no go.
Am I doing something wrong? I am not able to ping 192.168.1.7.
Thanks,
Terence
05-27-2011 12:44 AM
Hi Varun,
It works now thanks.
But instead of using a static, I would like to use NAT. So the 10.132.0.0 network from the DMZ accesses the 10.132.26.1 interface and is translated to our internal LAN.
Thanks,
Terence
05-27-2011 12:47 AM
Hi Terence,
You would need the static as well, but if you want to NAT the DMZ users to the inside interface, then you can add:
nat (dmz) 2 10.132.0.0 255.255.0.0
global (inside) 2 interface
Thanks,
Varun
05-27-2011 12:59 AM
Hi Varun,
Thanks for your reply.
So let's say i want to access my database server 192.168.1.7 from 10.132.0.0/16.
I want to be able to access the server from 10.132.26.1. So users on the remote network will use 10.132.26.1 to access the database.
This is what I want to achieve.
Thanks,
Terence
05-27-2011 01:45 PM
Hi Terence,
Then you would just change the static I provided you earlier:
static (inside,DMZ) 10.132.26.1 192.168.1.7 netmask 255.255.255.255
The above static will allow hosts on the DMZ to access the 192.168.1.7 server using the mapped IP address of 10.132.26.1. Keep in mind you also have to change your access-list on the DMZ to allow connections to 10.132.26.1.
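The static-based solution the reply describes, written out as a complete fragment with the DMZ access-list pointed at the mapped address. This is an added example, not the poster's or the reply's running config. It uses ASA 8.2 (pre-8.3) syntax and the three /24s from the original question, and assumes that 10.132.26.1 is a spare address on the DMZ-facing subnet rather than the DMZ interface's own IP (the alternative at the end covers that case), and that the names dmz_sql_clients and dmz_access_in are unused:

```cisco
! Added example, not the poster's config. ASA 8.2 (pre-8.3) syntax.
! Assumed: 10.132.26.1 is free on the DMZ subnet (not the interface IP) and
! the object-group / ACL names below are unused.
object-group network dmz_sql_clients
 network-object 10.132.23.0 255.255.255.0
 network-object 10.132.33.0 255.255.255.0
 network-object 10.132.24.0 255.255.255.0
!
! Static NAT: DMZ hosts reach the SQL server as 10.132.26.1. The real inside
! address 192.168.1.7 is never visible on the DMZ side.
static (inside,DMZ) 10.132.26.1 192.168.1.7 netmask 255.255.255.255
!
! Pre-8.3 ACLs match addresses as they appear on the interface the ACL is
! applied to, so the DMZ ACL must reference the MAPPED address, not
! 192.168.1.7. Only TCP/1433 and ICMP echo (for the ping test) are permitted;
! the implicit deny blocks the rest of 192.168.1.0/24 from the DMZ.
access-list dmz_access_in extended permit tcp object-group dmz_sql_clients host 10.132.26.1 eq 1433
access-list dmz_access_in extended permit icmp object-group dmz_sql_clients host 10.132.26.1 echo
access-group dmz_access_in in interface DMZ
!
! Alternative when the mapped address has to be the DMZ interface IP itself:
! a port-level static on the interface address, forwarding only TCP/1433
! (ping to the interface address is then handled by the "icmp" command on
! the DMZ interface, not by this static).
! static (inside,DMZ) tcp interface 1433 192.168.1.7 1433 netmask 255.255.255.255
```

Verify the path before touching the clients with packet-tracer, for example `packet-tracer input DMZ tcp 10.132.23.10 40000 10.132.26.1 1433` (10.132.23.10 is a constructed client address); the output walks through the ACL and NAT phases and ends with whether the packet is allowed. The earlier static with 192.168.1.7 on both sides also worked, but it exposed the real inside address to the DMZ; the mapped address together with the 1433-only ACL is what keeps the rest of the inside network unreachable.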
05-28-2011 02:27 AM
Hi Edward,
Thanks. It works.
Terence