
ASA 5520 and inspection of MSSQL dynamic port.

dtango2010
Level 1

Hello All.
I need to allow traffic between a web server in the DMZ and MSSQL (Microsoft SQL Server 2008).
MSSQL uses a dynamic port (currently 63796) and this cannot be changed.

Basically, I can allow such traffic using the following configuration:
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796

But I would like to add MSSQL inspection, so I did the following:

class-map class_sqlnet
match port tcp eq 1433
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
class class_sqlnet
  inspect sqlnet
service-policy global_policy global

no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433
no access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet

However, "show access-list" shows no hits on the "sqlnet" rule:

access-list dmz_in line 1 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq sqlnet (hitcnt=0) 0x1364a5d3
access-list dmz_in line 2 extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 (hitcnt=47) 0x92c5bdac

So, where is the mistake, and how can I make the dynamic port work using sqlnet inspection?

Kind Regards,

Alex.

2 Replies

Jennifer Halim
Cisco Employee

sqlnet port on the ASA is 1521, not 1433.

Therefore, your original access-list is correct:

access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433

plus the class map that you have already configured.

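The thread turns on two facts: the ASA keyword sqlnet means Oracle SQL*Net on TCP 1521, and the MSSQL named instance's dynamic TCP port (63796 in the question) has to be permitted explicitly alongside UDP 1434. The script below is an added example, not code from the thread or from Cisco. It shows where that dynamic port comes from: a SQL Server named instance registers with the SQL Server Browser service, and a client asks the Browser on UDP 1434 (the SSRP protocol, MS-SQLR) which TCP port the instance is listening on. The script builds the CLNT_UCAST_INST request, parses a SVR_RESP datagram, and prints the ASA access-list entries the DMZ host would need. The response bytes, host name SQL01, instance name SQLEXPRESS and the IP addresses are constructed sample data and assumptions, not values from the original post.

```python
"""
SQL Server Browser (SSRP, MS-SQLR) helper: resolve a named instance's dynamic
TCP port and emit the ASA ACL lines that port implies.

Added example (not from the forum thread). SAMPLE_RESPONSE, SQL01, SQLEXPRESS
and the 1.2.3.4 / 5.6.7.8 addresses are constructed sample data.
"""
import socket

SSRP_PORT = 1434          # SQL Server Browser listens here (UDP)
CLNT_UCAST_INST = 0x04    # request: "describe this one named instance"
SVR_RESP = 0x05           # response header byte


def build_ucast_inst(instance_name: str) -> bytes:
    """CLNT_UCAST_INST: 0x04, then the instance name (ASCII here) terminated by NUL."""
    if not instance_name or len(instance_name) > 32:
        raise ValueError("instance name must be 1..32 characters")
    return bytes([CLNT_UCAST_INST]) + instance_name.encode("ascii") + b"\x00"


def parse_svr_resp(datagram: bytes) -> list:
    """
    SVR_RESP: 0x05, little-endian uint16 payload length, then an ASCII string of
    key;value pairs, one instance per record, each record ending in ";;", e.g.
    "ServerName;HOST;InstanceName;NAME;IsClustered;No;Version;...;tcp;PORT;;".
    Returns one dict per instance with lower-cased keys and 'tcp' as an int.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(datagram[1:3], "little")
    payload = datagram[3:3 + length]
    if len(payload) != length:
        raise ValueError("truncated SVR_RESP payload")
    text = payload.decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        record = record.strip(";")
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("malformed record: odd number of fields")
        kv = {fields[i].lower(): fields[i + 1] for i in range(0, len(fields), 2)}
        if "tcp" in kv:
            kv["tcp"] = int(kv["tcp"])     # the dynamic port the ACL must permit
        instances.append(kv)
    return instances


def acl_lines_for(instances: list, acl_name: str, src: str, dst: str) -> list:
    """ASA entries a DMZ client needs: UDP 1434 to the Browser, then TCP to each
    instance's dynamic port. Restrict the UDP 1434 rule to the one source host;
    the Browser answers anyone who asks, so it is also an enumeration service."""
    lines = [f"access-list {acl_name} extended permit udp host {src} host {dst} eq {SSRP_PORT}"]
    for inst in instances:
        if "tcp" in inst:
            lines.append(f"access-list {acl_name} extended permit tcp host {src} host {dst} eq {inst['tcp']}")
    return lines


def discover(host: str, instance: str, timeout: float = 2.0) -> list:
    """Live lookup (network access required; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ucast_inst(instance), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed sample SVR_RESP: named instance SQLEXPRESS on host SQL01, dynamic port 63796.
SAMPLE_PAYLOAD = (b"ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;"
                  b"Version;10.0.1600.22;tcp;63796;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(SAMPLE_PAYLOAD).to_bytes(2, "little") + SAMPLE_PAYLOAD

if __name__ == "__main__":
    found = parse_svr_resp(SAMPLE_RESPONSE)
    for line in acl_lines_for(found, "dmz", "1.2.3.4", "5.6.7.8"):
        print(line)
```

Run it against the constructed response and it prints the UDP 1434 rule plus "eq 63796", which is exactly the pair of entries the original access-list already had. Because the port is assigned when the instance starts, re-run discover() after a SQL Server restart and compare the result with the firewall rule, or fix the instance to a static port in SQL Server Configuration Manager if the DBA permits it; the sqlnet keyword and the sqlnet inspection engine do not track MSSQL ports.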
