06-18-2003 05:54 AM - edited 02-20-2020 10:48 PM
I have a PIX 525, version 6.2(2).
I need to allow a specific IP address in on port 1433 for MSSQL within our private network via NAT.
I have tested with just the public IP and it works just fine.
When I NAT the public to the private address, it does not work.
Can someone give me the correct command to allow this to take place?
Public IP example: 172.16.2.1 to private 10.1.2.2, and allow port 1433 only.
Thanks in advance,
Ziggy Czaja
06-18-2003 06:38 AM
Hi Ziggy -
You'll require a static translation and an ACL, i.e.
Create a static translation:
> static (inside,outside) tcp
Now create an ACL for the outside interface, i.e.
> access-list
Hope this helps --
06-18-2003 06:52 AM
Sorry Ziggy, forgot to mention: please do a clear xlate with the command 'clear xlate' in config mode, and write to memory with the command 'write memory'.
Hope this helps --
06-18-2003 12:23 PM
Jmia, thanks for responding.
I created the static: inside,outside tcp outside ip address 1433 inside ip address 1433 netmask 255.255.255.25 0 0
The NAT translation is OK.
The ACL = access-list name permit tcp host public ip address (host that is trying to reach us) host outside pix address eq 1433.
Did clear xlate.
We can see the traffic trying to come through, but it is being denied by the access-list, error ID 106023.
What permissions am I missing?
06-19-2003 06:24 AM
Hi Ziggy -
Okay, the config seems to be OK. Can you please post your PIX config here, or if you like, e-mail it to me (but please remember to exclude your real IPs and passwords). Also check the following link to see if you can identify the error ID (sorry, I just have no time to look it up for you).
Also, a quick thought: on the ACL, instead of the outside PIX address, try the inside address, i.e.
> access-list
*Make sure when you change the ACL you include the access-group command, i.e. > access-group inside in interface inside, before you paste it back into the PIX, and also use 'no access-list inside' as the first line of the modified ACL.
Let me know how you get on.
Hope this helps --
06-19-2003 07:38 AM
Hi Ziggy,
Here's the explanation for your error message:
%PIX-4-106023: Deny protocol src [inbound-interface]:[src_address / src_port] dst outbound-interface:dst_address / dst_port [type {type}, code {code}] by access_group access-list-name
Explanation: An IP packet was denied by the access-list.
Action: Change the permission of the access-list if a permit policy is desired. If messages persist from the same source address, the messages could indicate a footprinting or port-scanning attempt. Contact the remote host administrator.
Hope this helps, and let me know how you get on --
06-19-2003 08:13 AM
Hello again Ziggy --
Another thought on your problem:
1. Have you tried debugging on the source IP address?
> debug packet outside
> to stop debugging do > no debug packet outside
**Please be aware not to do this on a production PIX as it may overload the PIX.***
2. access-list
> static (inside,outside) tcp host
> do 'wr m' (write memory) to save the config and do 'clear xlate'
3. Make sure you have a static IP route on your inside router for your source IP address, i.e. > (in config mode on the router) ip route
> save the config on the router with 'wr m' (write memory); also do the same for the PIX.
Hope this helps --
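The complete PIX 6.2 configuration the steps above describe, written out as an added example (not taken from either poster's config). It uses the addresses from the original question (public 172.16.2.1, private 10.1.2.2, TCP/1433) and assumes a remote SQL client at 192.0.2.10 and an ACL named outside_in; both names are placeholders. On PIX 6.x the access-list bound to the outside interface is matched against the global (translated) address, so the ACL destination is the same 172.16.2.1 that appears in the static, not the 10.1.2.2 inside address.

```cisco
! --- Added example, not from the original thread ---
! Static port translation (PAT): only TCP/1433 on the public address
! 172.16.2.1 is forwarded to the SQL host 10.1.2.2 on the inside.
! The 0 0 at the end leaves max connections and embryonic limit unlimited.
static (inside,outside) tcp 172.16.2.1 1433 10.1.2.2 1433 netmask 255.255.255.255 0 0

! Inbound ACL: one source host (192.0.2.10 is an assumed placeholder),
! one destination (the GLOBAL address used in the static), one port.
! Everything else arriving on the outside interface keeps the default deny.
access-list outside_in permit tcp host 192.0.2.10 host 172.16.2.1 eq 1433

! Bind the ACL inbound on the outside interface. Without this line the
! access-list exists but is never evaluated.
access-group outside_in in interface outside

! Flush the translation table so the new static takes effect, then save.
clear xlate
write memory
```

To verify, 'show xlate' should list the 172.16.2.1:1433 to 10.1.2.2:1433 entry, and 'show access-list outside_in' shows a hit count that increments as the client connects. If %PIX-4-106023 still appears in 'show logging', compare the dst_address in the message with the destination in the ACL: a deny means the packet did not match any permit line, so a mismatch between the address in the static and the address in the ACL, or a missing access-group, is the first thing to check. Because PIX 6.2 does not insert lines into an existing list, editing the ACL means removing it with 'no access-list outside_in' and re-entering the whole list together with the access-group command.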
06-19-2003 09:52 AM
Email on its way, thank you.
06-19-2003 11:51 AM
Got it.
Thank you for all your help and effort; I appreciate it.