04-18-2005 08:37 AM - edited 02-21-2020 12:05 AM
I have an inside access-list set up with a deny all at the end.
I have a server on the inside of the firewall that needs to speak to the SQL server in our DMZ network.
Here are the access-lists I have in place:
access-list 150 permit tcp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1433
access-list 150 permit udp host 10.xxx.xxx.184 host 10.dmz.xxx.104 eq 1434
access-list 150 permit udp host 10.xxx.xxx.127 host 10.dmz.xxx.104 eq 1434
access-list 150 permit udp host 10.xxx.xxx.126 host 10.dmz.xxx.104 eq 1434
access-list 150 deny ip any any
access-group 150 in int inside
When I watch the firewall logs I see:
106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1158 by access-group "150"
106023: Deny udp src inside:10.xxx.xxx.127/1434 dst DMZ-Extranet:10.dmz.xxx.104/1157 by access-group "150"
From what I can read, the client is trying to speak to the SQL server on port UDP 1434, but it is using a random port number for its source address. I can't seem to find a way to force the PIX to handle this other than doing the generic "ip any" PIX command, but I would like to try not to do that and pin it down a bit better.
04-18-2005 08:49 AM
Hi Mkmead
Which is the SQL server here? If the SQL server is in the DMZ, why is the source port for 10.x.x.x 1434? Try to put a sniffer on and see which port the 10.x server is trying to access when going to the DMZ...
Raj
04-18-2005 09:01 AM
SQL is in the inside network.
The application server is in the DMZ.
On the DMZ side of things:
access-list 160 permit tcp host 10.dmz.xxx.104 host 10.xxx.xxx.184 eq 1433
access-list 160 permit udp host 10.dmz.xxx.104 host 10.xxx.xxx.184 eq 1434
access-group 160 in interface DMZ-Extranet
I have 1434 open on the inside because when I turn on logging, my denies are showing up on the 150 access-list.
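As an added illustration (not part of the thread, and using constructed stand-in addresses 10.0.0.x / 10.0.1.x in place of the masked ones above), this Python script parses access-list 150 and the 106023 deny messages and evaluates them first-match, the way the PIX walks an access-group. It makes the logged denies easy to explain: `eq 1434` written after the destination host constrains only the destination port, and the logged packets carry 1434 as their source port with an ephemeral destination port, so none of the permit lines apply and the packet falls through to `deny ip any any`. The same evaluator, given a packet with 1434 as the destination port, shows the intended permit line matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ---- PIX-style ACE parsing -------------------------------------------------
# Handles the subset of syntax used in the thread:
#   access-list <name> permit|deny tcp|udp|ip (host A|any) (host B|any) [eq <port>]

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip = any protocol)
    src: str               # host address or "any"
    dst: str               # host address or "any"
    dport: Optional[int]   # port from "eq"; applies to the DESTINATION port only

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+"
    r"(?:host\s+(\S+)|(any))\s+(?:host\s+(\S+)|(any))(?:\s+eq\s+(\d+))?\s*$"
)

def parse_acl(text: str, name: str) -> List[Ace]:
    """Return the ACEs of access-list <name> in configuration order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            aces.append(Ace(
                action=m.group(2), proto=m.group(3),
                src=m.group(4) or "any", dst=m.group(6) or "any",
                dport=int(m.group(8)) if m.group(8) else None,
            ))
    return aces

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# ---- 106023 deny-message parsing ------------------------------------------
LOG_RE = re.compile(
    r'106023: Deny (tcp|udp) src \S+?:(\S+)/(\d+) dst \S+?:(\S+)/(\d+) '
    r'by access-group "(\S+)"'
)

def packet_from_log(line: str) -> Tuple[Packet, str]:
    """Turn a 106023 deny message into the packet it describes plus the ACL name."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny message: " + line)
    pkt = Packet(m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
    return pkt, m.group(6)

# ---- first-match evaluation -----------------------------------------------
def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    # "eq N" after the destination host tests the destination port only;
    # the packet's source port is never examined by these ACEs.
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (index of the first matching ACE, its action); no match = implicit deny."""
    for i, ace in enumerate(aces):
        if ace_matches(ace, pkt):
            return i, ace.action
    return None, "deny"

# ---- constructed sample data (stand-in addresses, not the thread's real ones) --
ACL_150 = """
access-list 150 permit tcp host 10.0.0.184 host 10.0.1.104 eq 1433
access-list 150 permit udp host 10.0.0.184 host 10.0.1.104 eq 1434
access-list 150 permit udp host 10.0.0.127 host 10.0.1.104 eq 1434
access-list 150 permit udp host 10.0.0.126 host 10.0.1.104 eq 1434
access-list 150 deny ip any any
"""

DENY_LOG = ('106023: Deny udp src inside:10.0.0.127/1434 '
            'dst DMZ-Extranet:10.0.1.104/1158 by access-group "150"')

def explain_deny(log_line: str, acl_text: str) -> Tuple[Optional[int], str]:
    """Replay a logged deny against the ACL and report which ACE produced it."""
    pkt, acl_name = packet_from_log(log_line)
    return evaluate(parse_acl(acl_text, acl_name), pkt)

if __name__ == "__main__":
    aces = parse_acl(ACL_150, "150")
    idx, action = explain_deny(DENY_LOG, ACL_150)
    print(f"logged packet (src port 1434) hits ACE #{idx + 1}: {action} -> {aces[idx]}")
    # The same hosts with 1434 as the DESTINATION port hit the intended permit line.
    forward = Packet("udp", "10.0.0.127", 50000, "10.0.1.104", 1434)
    idx, action = evaluate(aces, forward)
    print(f"packet with dst port 1434 hits ACE #{idx + 1}: {action}")
```

Run it as-is; the first line of output attributes the logged deny to the fifth ACE (`deny ip any any`), and the second shows the third ACE permitting a packet whose destination port is 1434.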