Custom service traffic inspection

Antonio Simoes
Level 1

Hi,

I need to do custom service traffic inspection for a SQL server on the inside interface that communicates with the DMZ interface server.

I need INSIDE users to access (http/https and another site on port 100) my web server (DMZ), which has a service that accesses the SQL server to authenticate on port tcp 1433, and the SQL server responds on a dynamic port.

How can I inspect this traffic while maintaining the default inspection on the inside interface?

Kind Regards,

AS

4 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure I understand the question or what you would want the ASA to do.

The most typical situation related to SQL that people have had with the ASA has been a problem with connection timeouts on the ASA. In those situations we have had to build a specific rule for the SQL traffic to either make its timeout longer or configure a TCP keepalive for it.

Again, I am not sure what you want the ASA to do for you in this situation.

- Jouni

Hi Jouni,

In the DMZ I have a web server, and when a user wants to log in to the page, the page makes a connection to the SQL server on the INSIDE network.

Another important fact is that the web server contacts the SQL server through tcp 1433 and udp 1434, but the SQL server answers on a dynamic port.

So I need to permit that traffic from the DMZ to the inside network. But I don't know why the SQL server doesn't answer when I make an ACL permitting traffic from DMZ to inside on the ports indicated above.

So I thought of a custom class map with a service port. But I found little/no documentation on how to do that. And I have other situations that need this procedure, e.g. software on the inside interface with updates on port 5577 that is not configurable.

So I need to inspect a class map of non-default traffic.

Can you give me a tip?

-AS

Hi,

You say that the following happens in your case:

  • Internal host contacts DMZ server
  • DMZ server initiates connection to Internal server
  • Internal server initiates connection to DMZ server

I can't comment much on how the actual web server and SQL server operate, but the connections formed between them should be possible by simply making sure that the ACLs allow the traffic and there is nothing else on the firewall preventing these connections from forming.

I am not sure, though, why the web server forms a connection to the SQL server and then the SQL server opens a new connection to the web server?

What is the device you are using as a firewall? Is it a Cisco ASA5505 perhaps? On an ASA5505 having only the Base License would mean that you would be allowed to have only 3 VLANs, one of which would be limited from connecting to one of the 2 other VLANs with the command "no forward interface Vlanx".

If you are using an ASA5505 then the above might be preventing the DMZ from contacting the internal network. It's a bit far-fetched, but I thought I'd point it out.

I don't think you can use the MPF on the ASA to affect what is allowed between your 2 different network segments. To my understanding it is used to modify already allowed connections, e.g. changing timeouts and connection limits.

If you have problems with connectivity between different ASA firewall interfaces I would suggest first opening the ASDM monitoring view with an appropriate logging level, then attempting these connections and seeing what is failing according to the logs.

- Jouni
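As an added example (not from this thread and not Cisco's own documentation), here is the kind of configuration the two replies above describe: the interface ACL does the permitting, and the MPF class map/policy map only adjusts connection handling for the matched SQL flows, leaving the default global_policy inspections untouched. Interface names, addresses, object names and the dynamic port range are assumed, and the syntax is ASA 8.3 or later. Two practitioner caveats: the ASA's built-in `inspect sqlnet` is for Oracle SQL*Net, not Microsoft SQL Server, so TDS on tcp/1433 has no inspection engine and needs none; and for a named SQL Server instance the client first asks the SQL Browser service on udp/1434 which port the instance listens on, then opens a second TCP connection from the web server to that port, so that port (or range) has to be permitted from DMZ to inside as well.

```cisco
! Added example, not the thread's configuration. All names, addresses and
! the dynamic port range below are assumptions. Syntax: ASA 8.3+.

! --- 1. Permit the DMZ web server to reach the inside SQL server ---------
object network WEB-DMZ
 host 192.168.10.10
object network SQL-INSIDE
 host 10.0.0.20
! TDS to the default instance / Browser-returned port, and the Browser itself
access-list DMZ_IN extended permit tcp object WEB-DMZ object SQL-INSIDE eq 1433
access-list DMZ_IN extended permit udp object WEB-DMZ object SQL-INSIDE eq 1434
! Assumed range used by a named instance; pin the instance to a fixed port
! in SQL Server Configuration Manager instead if you can, then drop this line.
access-list DMZ_IN extended permit tcp object WEB-DMZ object SQL-INSIDE range 49152 65535
! Explicit deny with logging so failed DMZ->inside attempts show in the logs
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! --- 2. MPF: tune only the SQL flows, keep the default inspections --------
! The class matches on a separate ACL; it does not permit anything by itself.
access-list SQL-TRAFFIC extended permit tcp object WEB-DMZ object SQL-INSIDE eq 1433
class-map SQL-CLASS
 match access-list SQL-TRAFFIC
policy-map DMZ-POLICY
 class SQL-CLASS
  ! idle timeout longer than the app's connection-pool idle time
  set connection timeout idle 2:00:00
  ! Dead Connection Detection: ASA sends TCP probes to both ends before
  ! tearing the connection down (retry interval, max retries)
  set connection timeout dcd 0:00:15 3
 class class-default
service-policy DMZ-POLICY interface dmz

! --- 3. Checks ------------------------------------------------------------
! Confirm the policy is attached and counting hits
show service-policy interface dmz
! Watch the SQL connections and their idle timers while the web app logs in
show conn address 192.168.10.10 port 1433
! ASA5505 license check mentioned in the reply above: a Base License lists a
! restricted VLAN count, and a "no forward interface Vlan" line under an
! interface blocks that VLAN from initiating traffic to another one
show version | include VLAN
show running-config interface
```

The ordering matters for troubleshooting: if the `deny ip any any log` line fires while the web server is logging in, the port the SQL server chose is outside what the ACL permits, and no amount of MPF tuning will fix that. Only once the ACL shows hits on the expected ports does the timeout/DCD class become relevant.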

Hi,

The users access http, and the server contacts the SQL server and the server responds. I think the traffic inspection should work, right? But I just have the default traffic inspection?

Something is strange in this, because I opened the traffic between the two zones with an ACL when I tested the access to the DMZ and it worked fine.

This is why I think this is related to traffic inspection.

This equipment is an ASA 5505 with the Security Plus license.

Kind Regards,

AS
