06-06-2012 04:41 AM - edited 03-11-2019 04:15 PM
Hello All.
I need to allow traffic between a web server in the DMZ and MSSQL (Microsoft SQL Server 2008).
MSSQL uses a dynamic port (currently 63796) and this cannot be changed.
Basically, I can allow such traffic using the following configuration:
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But I would like to add MSSQL inspection, so I did the following:
class-map class_sqlnet
match port tcp eq 1433
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sqlnet
inspect sqlnet
service-policy global_policy global
no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet
However, sh access-list shows no hit counts on the "sqlnet" rule:
access-list dmz_in line 1 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet (hitcnt=0) 0x1364a5d3
access-list dmz_in line 2 extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 (hitcnt=47) 0x92c5bdac
So, where is the mistake, and how can I make the dynamic port work using sqlnet inspection?
Kind Regards,
Alex.
06-06-2012 07:19 AM
The sqlnet port on the ASA is 1521, not 1433.
Therefore, your original access-list is correct:
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
plus the class map that you have already configured.
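The mismatch in this thread (an ACE written with the ASA keyword sqlnet, which resolves to 1521, while the intended service is MSSQL on 1433 plus its dynamic port) is easy to miss by eye. The script below is an added example, not code from the thread or from Cisco: it parses lines in the format of the show access-list output quoted above, resolves port keywords to numbers, flags ACEs that never matched (hitcnt=0), and reports which expected (protocol, port) pairs have no ACE at all. The sample output lines are constructed to mirror the ones in the question; the sqlnet value of 1521 comes from the answer above, and the other keyword values in the table are standard ASA port names included as assumptions.

```python
"""Audit ASA ACEs from `show access-list` output against the ports a service
actually needs. Added example for this thread; sample lines are constructed."""
import re

# Subset of ASA TCP port keywords (assumed standard values). Note that
# "sqlnet" is 1521, the Oracle listener port, not MSSQL's 1433.
ASA_TCP_PORT_NAMES = {
    "sqlnet": 1521,
    "www": 80,
    "https": 443,
    "ssh": 22,
    "ftp": 21,
    "smtp": 25,
    "domain": 53,
}

# Matches one host-to-host "eq <port>" ACE as printed by `show access-list`.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\w+) "
    r"host (?P<src>\S+) host (?P<dst>\S+) eq (?P<port>\S+) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample, shaped like the output quoted in the question.
SAMPLE_OUTPUT = [
    "access-list dmz_in line 1 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet (hitcnt=0) 0x1364a5d3",
    "access-list dmz_in line 2 extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 (hitcnt=47) 0x92c5bdac",
]

# What MSSQL in this thread actually needs: 1433, the SQL Browser on UDP 1434,
# and the instance's dynamic port (63796 at the time of the post).
MSSQL_EXPECTED = {("tcp", 1433), ("udp", 1434), ("tcp", 63796)}


def resolve_port(token):
    """Turn a port token ('1433' or a keyword such as 'sqlnet') into an int."""
    if token.isdigit():
        return int(token)
    if token in ASA_TCP_PORT_NAMES:
        return ASA_TCP_PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_ace(line):
    """Parse one ACE line into a dict, or return None if it does not match."""
    m = ACE_RE.search(line)
    if not m:
        return None
    return {
        "acl": m["acl"], "line": int(m["line"]), "action": m["action"],
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "port_token": m["port"], "port": resolve_port(m["port"]),
        "hits": int(m["hits"]),
    }


def audit(lines, expected):
    """Return (findings, missing).

    findings: human-readable problems per ACE (keyword that resolves to an
              unexpected number, or hitcnt=0 meaning the rule never matched).
    missing:  expected (proto, port) pairs with no ACE covering them.
    """
    findings = []
    covered = set()
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["port_token"] != str(ace["port"]):
            findings.append(
                f"line {ace['line']}: keyword '{ace['port_token']}' resolves to {ace['port']}"
            )
        if ace["hits"] == 0:
            findings.append(f"line {ace['line']}: hitcnt=0, rule never matched")
        covered.add((ace["proto"], ace["port"]))
    missing = sorted(expected - covered)
    return findings, missing


if __name__ == "__main__":
    found, gaps = audit(SAMPLE_OUTPUT, MSSQL_EXPECTED)
    for f in found:
        print("finding:", f)
    for proto, port in gaps:
        print(f"missing ACE for {proto}/{port}")
```

Run against the sample, it reports that line 1's sqlnet keyword resolves to 1521 and has never matched, and that no ACE covers tcp/1433 or tcp/63796, which is exactly the gap the answer points out. The dynamic port still has to be listed explicitly: nothing in the ASA's sqlnet inspection learns an MSSQL instance port from the UDP 1434 browser exchange.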
11-03-2017 10:01 AM - edited 11-03-2017 10:29 AM