Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
561
Views
0
Helpful
6
Replies

Access Issues: DMZ to Inside

iainkilner
Level 1
Level 1

‎07-04-2005 01:58 AM - edited ‎03-09-2019 11:44 AM

Hi all,

I am a relative newbie to the PIX systems, but have a real funny with my current config.

I have a web server on a DMZ that is talking to a SQL server quite happily over 1433 on the inside interface - so I know my translation exemption rules and routeing is good.

When I try to get the web server to talk to the SQL using MSDTC (I have locked the ports down to a known range using Microsoft's recomendation) - it appears to teardown the connection just before the reply comes back from the SQL box.

I have seen reference to Asymetric traffic - but as far as I can tell this only applies to non directly connected interfaces.

I have even setup a rule to allow all IP traffic from web server to SQL and SQL to Web and it still fails. Needless to say if the boxes are sat on the same subnet, there is no issue.

Any help with this would be greatly appreciated.

Regards

Iain

Labels:
0 Helpful
6 Replies 6

harishtandon23
Level 1
Level 1

‎07-08-2005 02:18 AM

Hello,

Please send the sh tech output of the pix and the syslog messages. so that i can try to fix the problem for you.

If you have any questions, please free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com

0 Helpful

iainkilner
Level 1
Level 1
In response to harishtandon23

‎07-08-2005 03:26 AM

Hi Harish, Thanks for the offer - I have commented out passwords and public IP's

10.10.10.80 is the Webserver in DMZ

172.14.0.21 is the SQL server on inside

Just to add to the problem - from my XP machine I can get to the PDM on the external interface no worries. When I try to get to the PDM on the inside - it hangs. I can telnet to the inside from my XP PC - but doing a sh run - it hangs.

From a w2k machine on the same network - I can get to PDM on in and out and telnet and do sh run no issues??? Am completely PIX'd off with the thing...

Error messages and config attached - as you can see it tearsdown the connection, just before the reply...

Preview file
19 KB
0 Helpful

harishtandon23
Level 1
Level 1
In response to iainkilner

‎07-08-2005 04:01 AM

For xp machine not able to access pdm. Try to disable the internet connection firewall on xp box and install java vm from sun website.

Then try to access the the pdm.

For the sql related issue. Try the following static command to check if this helps.

static (inside,dmz) 172.14.0.21 172.14.0.21

wr mem

cl xlate

If this doesn't resolve the issue. We need to set the captures on both the inside and the dmz interface to sniff the pacekt traversing between the sql and the web server on the dmz.

To setup capture, Try teh following commands:

access-list abc permit ip host 172.14.0.21 host 10.10.10.80

access-list abc permit ip host 10.10.10.80 host 172.14.0.21

access-list def permit ip host host 10.10.10.80

access-list def permit ip host 10.10.10.80 host

capture cpi access-list abc buffer 2000000 packet-length 1500 interface inside

capture cpdmz access-list def buffer 2000000 packet-length 1500 interface dmz

Try to access the server to capture some traffic and then try going to the following url to download the capture file in pcap format.

https:///capture/cpi/pcap

Try the username as blank and password as the enable passowrd and download the file and save it as inside.pcap

Try the capture the packet from dmz interface by going to the following url:

https:///capture/cpdmz/pcap and save the file as dmz.pcap

You can view the cpature by opening the file though ethereal packet sniffer software.

Please send that information for me to analyze.

If you have any questions, please feel free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com

0 Helpful

iainkilner
Level 1
Level 1
In response to harishtandon23

‎07-08-2005 05:48 AM

Hi Harish.

The static command did not work.

On the list of commands you have put - the SQL server's address is 172.14.0.21 - I am not NAT/PATing the address. Should I just insert the address as is?

Also on the XP vs W2K issue - There is no firewall on the XP machine, and I can get to the PDM if I access it on the external interface - so the Java version works...it's really odd. I am accessing this through a VPN from the 172.16.0.0 network if that makes a difference

Again, thanks for your help.

Iain

0 Helpful

harishtandon23
Level 1
Level 1
In response to iainkilner

‎07-08-2005 06:49 AM

If you are accessing through vpn it does make a differnce. For that you need to try the following command.

management-access inside

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951

Then try accessing the pix through pdm using the pix inside ip address.

For the other question you have, you need to set the transalated ip address 172.14.0.21 itself, if you are not transalating it.

If you have any questions, please feel free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com

0 Helpful

iainkilner
Level 1
Level 1
In response to harishtandon23

‎07-08-2005 07:30 AM

Harish,

I have sent the PCAP files to you for analysis. Thanks

On the PDM access front, I already had that command in the PIX and can access it thru the VPN from a win2k Machine ok?? It is really wierd. My major concern is the DMZ to Inside access - as this is due to go into production soon.

Again a big thanks

Iain

0 Helpful
Customers Also Viewed These Support Documents