Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3481
Views
5
Helpful
1
Replies

Port 3306

tbarberio
Level 1
Level 1

‎02-20-2007 10:54 PM - edited ‎03-11-2019 02:36 AM

I have pix 515e sitting in front of a webserver that is running linux and mysql. Mysql requires port 3306 be open so in the config on the pix would i just a access-list InboundFilter permit udp 3306

access-list InboundFilter permit tcp 3306

or do i also need to add:

fixup protocol mysql 3306

wich do i need or do i need all 3? Thanks

Labels:
0 Helpful
1 Reply 1

jmia
Level 7
Level 7

‎02-20-2007 11:34 PM

First - if you do not have any access lists applied to the inside interface for outbound filtering then you don?t need to do anything as by default everything from a high security interface to a low security interface is allowed out, so your mySQL server will be able to communicate.

But, if you require access to your mySQL server from the outside on TCP port 3306 then you'll need to setup an access list on the outside interface and a static translation for your mySQL server for TCP port 3306.

One question here - are you allowing any outside hosts to be able to connect to your mySQL server on TCP port 3306 or a specific host?

The required configuration for allowing access to your mySQL server on TCP port 3306 is:

In configuration mode:

access-list outside-in permit tcp any host eq 3306

access-group outside-in in interface outside

static (inside,outside) tcp 3306 3306 netmask 255.255.255.255 0 0

I would write out the configuration on a notepad first, copy any outside access list configuration to notepad and edit this with your new requirement - before copying back the edited configuration onto the PIX (in configuration mode), you'll need to add (as the first line of the edited configuration)

no access-list

i.e.

no access-list outside-in

access-list outside-in permit tcp any host eq 3306

--- any other outside interface access lists ----

access-group outside-in in interface outside

Save with - write mem and also issue - clear xlate

Now, if you have a need to give access to a specific host from the outside then all you need to do is amend the access list as:

access-list outside-in permit tcp host host eq 3306

I hope the above helps and if it does please rate posts!

Jay

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card