Cisco pix sql issues.. port 1434

mkmead
Level 4

I have an inside access-list set up with a deny all at the end..

I have a server on the inside of the firewall that needs to speak to the SQL server in our DMZ network.

Here are the access-lists I have in place..

access-list 150 permit tcp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1433

access-list 150 permit udp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1434

access-list 150 permit udp host 10.xxx.xxx.127 host 10.dmz.xxx.104 eq 1434

access-list 150 permit udp host 10.xxx.xxx.126 host 10.dmz.xxx.104 eq 1434

access-list 150 deny ip any any

access-group 150 in int inside

when I watch the firewall logs I see:

106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1158 by access-group "150"

106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1157 by access-group "150"

From what I can read up, the client is trying to speak to the SQL server on UDP port 1434, but it is using a random port number for its source address.. I can't seem to find a way to force the PIX to handle this other than the generic ip any PIX command.. but I would like to try not to do that and pin it down a bit better.

sachinraja
Level 9

Hi Mkmead

Which is the SQL server here? If the SQL server is in the DMZ, why is the source port for 10.x.x.x 1434? Try putting a sniffer on and see which port the 10.x server is trying to access when going to the DMZ...

Raj

SQL is in the inside network.

The application server is in the DMZ.

On the DMZ side of things..

access-list 160 permit tcp host 10.dmz.xxx.104 host 10.xxx.xxx.184 eq 1433

access-list 160 permit udp host 10.dmz.xxx.104 host 10.xxx.xxx.184 eq 1434

access-group 160 in interface DMZ-Extranet

I have 1434 open on the inside because when I turn on logging my denies are showing up on the 150 access-list.
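An added illustration of the ACE semantics behind the 106023 messages quoted in this thread (example code, not from the thread or from Cisco): in `access-list 150 permit udp host A host B eq 1434` the `eq` after the destination host matches the destination port only, so the logged packets, which leave 10.xxx.xxx.127 from source port 1434 towards an ephemeral destination port, match no permit and fall through to the final deny. The script parses the quoted ACEs and log lines, replays first-match evaluation, and also tries a hypothetical ACE with `eq 1434` placed after the source host (an assumption for illustration, not the poster's configuration; check the ACL syntax in the documentation for your PIX release before relying on it).

```python
import re

# Constructed from the ACEs and 106023 messages quoted above (poster's placeholder addresses kept).
ACL_150 = """
access-list 150 permit tcp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1433
access-list 150 permit udp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1434
access-list 150 permit udp host 10.xxx.xxx.127 host 10.dmz.xxx.104 eq 1434
access-list 150 permit udp host 10.xxx.xxx.126 host 10.dmz.xxx.104 eq 1434
access-list 150 deny ip any any
"""
DENY_LOGS = """
106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1158 by access-group "150"
106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1157 by access-group "150"
"""
# Hypothetical narrower ACE (assumption): an 'eq' placed after the *source* host matches the source port.
SOURCE_PORT_ACE = "access-list 150 permit udp host 10.xxx.xxx.127 eq 1434 host 10.dmz.xxx.104"

ACE_RE = re.compile(r"access-list \S+ (permit|deny) (\S+) (host \S+|any)(?: eq (\d+))?"
                    r" (host \S+|any)(?: eq (\d+))?$")
LOG_RE = re.compile(r"106023: Deny (\w+) src [\w-]+:([\w.]+)/(\d+) dst [\w-]+:([\w.]+)/(\d+)")

def parse_acl(text):
    """ACEs in order as (action, proto, src, sport, dst, dport); a None port means any port."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        assert m, "unrecognised ACE: " + line
        action, proto, src, sport, dst, dport = m.groups()
        aces.append((action, proto, src.replace("host ", ""), sport and int(sport),
                     dst.replace("host ", ""), dport and int(dport)))
    return aces

def parse_deny_log(text):
    """Denied packets from 106023 messages as (proto, src, sport, dst, dport)."""
    return [(m[1], m[2], int(m[3]), m[4], int(m[5]))
            for m in map(LOG_RE.match, text.strip().splitlines()) if m]

def evaluate(aces, pkt):
    """First-match evaluation: (action, index of the ACE hit), or the implicit deny at the end."""
    proto, src, sport, dst, dport = pkt
    for i, (action, a_proto, a_src, a_sport, a_dst, a_dport) in enumerate(aces):
        if (a_proto in ("ip", proto) and a_src in ("any", src) and a_dst in ("any", dst)
                and a_sport in (None, sport) and a_dport in (None, dport)):
            return action, i
    return "deny", None

def verdicts(acl_text, log_text):
    """Verdict for every logged packet against the given access-list text."""
    aces = parse_acl(acl_text)
    return [evaluate(aces, p) for p in parse_deny_log(log_text)]
```

`verdicts(ACL_150, DENY_LOGS)` returns the final deny (ACE 4) for both logged packets; inserting `SOURCE_PORT_ACE` ahead of the deny makes both match it instead.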
