ASA 5520 - Allowing Access to port 1433 from outside

mkatiwa (Level 1)

Hi guys,

I'm trying to allow access from the internet to a web server in the DMZ hosting SQL Server. I want to enable access through a public IP address. The application uses port 1433. I've set up the necessary ACL to allow any source IP and port to access the destination server.

4 Replies

Collin Clark (VIP Alumni)

You're allowing everyone access to your SQL server? That's what we call an RGE. Require your partner/customer/whoever to VPN in.

Yes. VPN is definitely a better solution, but my customer is insisting on this. How should I go about this? These are the steps I've taken so far:

x.x.x.x - Server public IP

y.y.y.y - Server private IP

Outside Interface
Create ACL applied inbound on outside interface to allow packets with any source ip/port and destination x.x.x.x port 1433
Create static NAT on outside interface to translate destination IP x.x.x.x:1433 to y.y.y.y:1433
Create ACL applied outbound on outside interface to allow packets with any source ip/port and destination y.y.y.y port 1433

DMZ Interface
Create ACL applied inbound to DMZ interface to allow packets with any source ip/port and destination IP y.y.y.y port 1433

Routing
A route to forward IP packets with destination y.y.y.y to the DMZ interface

I don't believe SQL uses 1433 as the source port. It should be using an ephemeral port. Also, I don't think you need "Create ACL applied outbound on outside interface to allow packets with any source ip/port and destination y.y.y.y port 1433". If y.y.y.y is directly connected you also don't need the routing. Try changing your ACL to

access-list outside_in extended permit tcp any host y.y.y.y eq 1433

Then try a packet trace and see where it is failing.

packet-tracer input outside tcp 4.4.4.4 2383 x.x.x.x 1433 detail
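As an added example (not part of this thread and not the poster's configuration), here is how the static NAT, the inbound ACL and the packet-tracer check from the steps above fit together in ASA 8.3 or later syntax, with the source narrowed to a single partner address instead of "any", which is the exposure the first reply objects to. It assumes interface names "outside" and "dmz", a post-8.3 ASA (object NAT, and the ACL matches on the real address y.y.y.y rather than the public x.x.x.x), and uses 203.0.113.10 as a constructed placeholder for the partner's source address.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ and interfaces "outside"/"dmz".
! x.x.x.x = server public IP, y.y.y.y = server private IP (from the thread);
! 203.0.113.10 = constructed placeholder for the partner's source address.

! Real server address with a static one-to-one translation to the public IP
object network dmz_sql_server
 host y.y.y.y
 nat (dmz,outside) static x.x.x.x

! Only the partner's address may reach the server; avoid a source of "any"
object-group network sql_partner_hosts
 network-object host 203.0.113.10

! Inbound on outside: destination is the real (private) address on 8.3+,
! because the ACL is evaluated after the destination is un-translated
access-list outside_in extended permit tcp object-group sql_partner_hosts object dmz_sql_server eq 1433
access-group outside_in in interface outside

! Check the path with an ephemeral source port from the permitted partner address;
! a trace from any other source address should end at the ACL drop
packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.x 1433 detailed
```

No separate outbound ACL on the outside interface or static route is needed for a directly connected DMZ subnet; the packet-tracer output shows which phase (ACL, NAT or route lookup) drops the packet if the flow still fails.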

Here is the drop reason:

Drop-reason: (sp-security-failed) Slowpath security checks failed
