ASA 5510 SQL Ports

j_patykow
Level 1

Hello,

My company is currently running a Cisco ASA 5510. We have been told by our third-party point-of-sale vendor that they are having issues syncing their database and server because they need TCP port 1433 and UDP port 1434 opened on the firewall. I have been staring at this for a few days now; I have attempted to create Access Rules to open those ports, but it doesn't seem to change anything. I apologize in advance, as I am a novice with these firewalls.

The server and machines attempting to sync up are all on the same domain, so I thought my access rules should be "Inside". I have tried multiple variations of setups, including having incoming and outgoing rules and using "any" for both IP addresses and ports. I have reloaded the device after each change to make sure it was current, but nothing seems to fix the issue. I understand the device is old and outdated, but they can't afford to upgrade anytime soon.

Any help would be greatly appreciated.

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Since you have allowed any any, it should have worked.

Before we move ahead I would request you to test with this config:

The SQL server is listening on UDP/TCP port 1434, so the client will initiate a connection from a random port above 1025. So you need to have an ACL to allow the access from any with a random UDP/TCP port going to the SQL server on port 1434, so you need to have the command "range 1 65353", and for the returning traffic you need to have an ACL from source port 1434 going to the random destination port.
Since you are accessing the server from outside to inside, you need to open the access on the outside for the incoming traffic. So if you try and remove the ACL that permits the traffic from the SQL server on port 1434 going to the client on a random port, then it should be fine.

Please check the below link :
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open

Regards,

Aditya

Please rate helpful posts.

I'm sorry, I should have been more clear earlier. These two machines are on the same domain, so I believe they are both using the "inside" interface.

I just found some material on enabling u-turn / hairpinning since they are using the same interface.

I enabled this option and received a different error:

_______________________________________________________

Type - NAT     Action - DROP

Config

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (no matching global)

translate_hits = 1, untranslate_hits = 0

_______________________________________________________

I am very new to this, and am not knowledgeable about the commands.  I am attempting to do all of this from the ASDM.  

I am assuming I need to set something up in the NAT, but am not sure on how to go about this correctly.  

Also, is there a way to configure it so that it only allows the hairpinning from specific IPs, so it doesn't congest the ASA?

I am grateful for any help!

Hi,

No worries. You need to add two commands on the CLI:

same-security-traffic permit intra-interface

global (inside) 1 interface

Regards,

Aditya

Please rate helpful posts.
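An added configuration example, not posted by anyone in this thread and not Cisco's own reference config, putting the two commands above together with the SQL access rules in the pre-8.3 nat/global syntax that the posted config uses. The addresses, the ACL name inside_access_in and the identity static in step 4 are assumptions; the host-specific ACL lines also answer the question about limiting the hairpin to specific IPs.

```cisco
! Added example, not from the thread. Pre-8.3 ASA (nat/global) syntax.
! Assumed addresses (constructed): inside interface 10.1.2.2,
!   SQL server 10.1.2.50, point-of-sale client 10.1.2.60.

! 1. Let a flow enter and leave the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface

! 2. Only the POS client may reach the SQL server, and only on the
!    vendor's two ports. Add these to the ACL already applied inbound on
!    "inside" (ASDM's Inside access rules): a brand-new ACL holding only
!    these lines would hit the implicit deny for every other inside flow.
access-list inside_access_in extended permit tcp host 10.1.2.60 host 10.1.2.50 eq 1433
access-list inside_access_in extended permit udp host 10.1.2.60 host 10.1.2.50 eq 1434
access-group inside_access_in in interface inside

! 3. Give inside-to-inside flows a translation. The existing
!    "nat (inside) 1 0.0.0.0 0.0.0.0" already matches them, so a global
!    on the egress (inside) interface is required; the client is PATed
!    to the inside interface address, which clears "no matching global".
nat (inside) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface

! 4. Assumption, not a step given in the thread: an identity static for
!    the server so the reverse lookup on the (inside,inside) path finds a
!    translation rather than failing the rpf-check.
static (inside,inside) 10.1.2.50 10.1.2.50 netmask 255.255.255.255
```

Verify the result with packet-tracer from the client address to the server on tcp/1433; the NAT phase should now show a translation rather than a DROP.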

Getting closer.  But now I am seeing this:

________________________________________________________

Type - NAT     Subtype - rpf-check     Action - DROP

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (10.1.2.2 [Interface PAT])

translate_hits = 2, untranslate_hits = 0

________________________________________________________

And I see this in the ASDM Syslog:

No translation group found for tcp src inside: ......

Thanks in advance!
