03-08-2016 08:58 AM - edited 03-12-2019 12:27 AM
Hello,
My company is currently running a Cisco ASA 5510. We have been told by our 3rd party point of sale vendor that they are having issues syncing their database and server because they need TCP port 1433 & UDP port 1434 opened on the firewall. I have been staring at this for a few days now - I have attempted to create Access Rules to open those ports but it doesn't seem to change anything. I apologize in advance, as I am a novice with these firewalls.
The server and machines attempting to sync up are all on the same domain, so I thought my access rules should be "Inside". I have tried multiple variations of setups, including having incoming and outgoing rules and using "any" for both IP Addresses and ports. I have reloaded the device after each change to make sure it was current, but nothing seems to fix the issue. I understand the device is old and outdated, but they can't afford to upgrade anytime soon.
Any help would be greatly appreciated.
03-08-2016 07:41 PM
Hi,
Since you have allowed
Before we move ahead I would request you to test with this config:
The SQL server is listening on UDP/TCP port
So you need to have an ACL to allow the access from Any with random UDP/TCP port going to SQL server on port 1434, so you need to have the command
" range 1
Since you are accessing the Server from outside to
So if you try and remove the ACL that
be
Please check the below
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open
Regards,
Aditya
Please rate helpful posts.
03-09-2016 09:23 AM
I'm sorry I should have been more clear earlier. These two machines are on the same domain, so I believe they are both using the "inside" interface.
I just found some material on enabling u-turn / hairpinning since they are using the same interface.
I enabled this option and received a different error:
_______________________________________________________
Type - NAT Action - DROP
Config
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (no matching global)
translate_hits = 1, untranslate_hits = 0
_______________________________________________________
I am very new to this, and am not knowledgeable about the commands. I am attempting to do all of this from the ASDM.
I am assuming I need to set something up in the NAT, but am not sure on how to go about this correctly.
Also, is there a way to configure it so that it only allows the hairpinning from specific IP's, so it doesn't congest the ASA?
I am grateful for any help!
03-09-2016 10:29 AM
Hi,
No worries. You need to add two commands on the CLI:
same-security-traffic permit intra-interface
global (inside) 1 interface
Regards,
Aditya
Please rate helpful posts.
03-09-2016 12:18 PM
Getting closer. But now I am seeing this:
________________________________________________________
Type - NAT Subtype - rpf-check Action - DROP
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (10.1.2.2 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
________________________________________________________
And I see this in the ASDM Syslog:
No translation group found for tcp src inside: ......
Thanks in advance!
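For readers who reach this thread with the same packet-tracer drops, the following is an added configuration example (not from the thread, and not tested against the original poster's device). It puts the two commands from the reply above together with the NAT exemption and interface ACL a practitioner would normally add, on pre-8.3 ASA syntax, since the `nat (inside) 1 0.0.0.0 0.0.0.0` / `global` form in the thread is from that release line. All addresses, object names and ACL names are assumptions; the inside interface 10.1.2.2 is the only address that appears in the thread. It assumes the POS clients sit on a second subnet behind the inside interface, reached through a router on the inside segment; if the clients and the SQL server share one subnet, the traffic never crosses the ASA and no firewall change can affect the sync.

```cisco
! ASSUMED addressing (not from the thread):
!   inside interface  10.1.2.2/24
!   SQL server        10.1.2.10   (TCP 1433 engine, UDP 1434 SQL Browser)
!   POS clients       10.1.3.0/24 behind a router on the inside segment
! ASSUMED names: POS_CLIENTS, INSIDE_IN

! 1. Allow a flow to enter and leave the inside interface (first command in the reply).
same-security-traffic permit intra-interface

! 2a. The reply's second command: dynamic PAT to the inside interface address.
!     This produced the "Interface PAT" pool line in the second packet-tracer run,
!     and it hides the real client address from the SQL server.
global (inside) 1 interface

! 2b. Alternative (assumption, not in the thread): exempt inside-to-inside traffic
!     from translation by extending the nat 0 access-list already referenced in the
!     packet-tracer output. Exemption is bidirectional, so the server sees the real
!     client address and the reverse path needs no separate xlate.
access-list inside_nat0_outbound extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0

! 3. Restrict which hosts may hairpin (the question in the third post).
!    Only the listed POS clients reach the SQL server on the two vendor ports;
!    any other 10.1.3.0/24 -> 10.1.2.0/24 traffic is logged and dropped.
!    If an access-group is already bound inbound on "inside", merge these lines
!    into that ACL instead; a second access-group replaces the first.
object-group network POS_CLIENTS
 network-object host 10.1.3.21
 network-object host 10.1.3.22
access-list INSIDE_IN extended permit tcp object-group POS_CLIENTS host 10.1.2.10 eq 1433
access-list INSIDE_IN extended permit udp object-group POS_CLIENTS host 10.1.2.10 eq 1434
access-list INSIDE_IN extended deny ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0 log
! Keeps the existing "inside to lower-security" permit behaviour for everything else;
! tighten to explicit permits if the inside ACL is meant to be least-privilege.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! 4. Verify with the same tool that produced the drops in the thread, then inspect
!    the resulting translation (or the absence of one under NAT exemption).
packet-tracer input inside tcp 10.1.3.21 49152 10.1.2.10 1433
packet-tracer input inside udp 10.1.3.21 49153 10.1.2.10 1434
show xlate
```

Use either 2a or 2b, not both: with exemption in place the nat 0 entry is matched first and the PAT pool is never consulted for these flows. The object-group is what answers the "only from specific IPs" question; the ASA evaluates the inbound interface ACL before NAT for hairpinned traffic, so hosts outside the group are dropped before they consume a translation.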