SQL access from the DMZ Web server

Keithr73_2
Level 1

Have a web server in a DMZ that needs to access the internal SQL server. Thought an extended access list

something like

permit tcp host x.x.x.x host 10.1.1.93 eq 1433 would do the trick, but it does not seem to allow the connection. Any advice on ports or how to set a UDP port range?

Thanks

Keith

4 Replies

scoclayton
Level 7

Your ACL above should do the trick. One thought though (and you may already have something - it just wasn't mentioned above) is that you are going to need to create an xlate for this connection as well. One way (of several) to do this would be:

static (inside,dmz) 10.1.1.93 10.1.1.93

This allows the host on the DMZ to connect to the host on the inside via the inside address (10.1.1.93).

Let me know if this is not clear. Also, it would help to see your config if this does not help.

Scott

I have the same issue, I have set up the following:

static (dmz806,dmz838) 10.14.2.0 10.14.2.0 netmask 255.255.255.0 0 0

access-list dmz838_access_in permit tcp object-group dmz838-Agentview-ODBC gt 1023 object-group dmz806-HDS-Servers eq 1433

However I still get the following message:

Deny tcp src dmz838:10.14.67.35/1047 dst dmz806:10.14.2.20/1433 by access-group "dmz838_access_in"

Do I need to fixup the SQL protocol? Why is this being blocked?

Thanks,

David

Keithr73_2
Level 1

Thanks for all the help. Ended up using the netstat -an command on the SQL machine and found it was using port 2128 instead of 1433. For added security, went into the SQL Server Network Utility and changed the port number to an unknown port and then listed that port number in the access-list.

Works great.

Thanks again for all the suggestions

Keith
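
The three things this thread ends up hinging on (an ACE on the DMZ interface's inbound ACL that actually matches the flow, the static xlate Scott describes, and an ACE port that matches what netstat -an shows the SQL host listening on) can be checked offline against the config. The script below is an added example, not code from the thread or from Cisco: the web server address 192.0.2.10, the ACL name dmz_in, the interface names inside/dmz, the deny message and the netstat output are constructed to mirror the thread, and the ACE parser covers only the syntax the thread uses (host/any, eq/gt/lt/range), not full PIX grammar.

```python
"""Added example (not from the thread or from Cisco): an offline checker for the
three things a DMZ-to-inside SQL connection through a PIX depends on here: an ACE
that matches the flow, a static (inside,dmz) xlate for the inside host, and an ACE
port the SQL host really listens on. All inputs are constructed samples."""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Formats as quoted in the thread: the access-group deny message, a static, a netstat line.
_DENY = re.compile(r"Deny (?P<proto>tcp|udp) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) "
                   r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")
_STATIC = re.compile(r"static \((?P<high>\w+),(?P<low>\w+)\) [\d.]+ "
                     r"(?P<real>[\d.]+)(?: netmask (?P<mask>[\d.]+))?")
_LISTEN = re.compile(r"^\s*TCP\s+[\d.]+:(?P<port>\d+)\s+\S+\s+LISTENING", re.M)

def parse_deny(msg):
    m = _DENY.search(msg)
    if not m: raise ValueError("not a PIX access-group deny message")
    return Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def _addr(t, i):
    """Consume 'host A' or 'any'; return (ip predicate, next token index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = t[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec {t[i]!r}")

def _port(t, i):
    """Consume an optional eq/gt/lt/range operator; return (port predicate, index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        n = int(t[i + 1])
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[t[i]], i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_ace(line):
    """'[access-list NAME] permit|deny tcp|udp SRC [op] DST [op]' -> (action, predicate)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return action, lambda f: (f.proto == proto and src(f.src) and sport(f.sport)
                              and dst(f.dst) and dport(f.dport))

def first_match(acl, flow):
    """PIX walks an ACL top-down, first match wins; None is the implicit deny."""
    for line in acl:
        action, pred = parse_ace(line)
        if pred(flow):
            return action
    return None

def has_xlate(config, real_ip, high_if, low_if):
    """True if a static (high_if,low_if) covers real_ip, the xlate Scott's reply asks for."""
    ip = ipaddress.ip_address(real_ip)
    for line in config:
        m = _STATIC.search(line)
        if m and (m["high"], m["low"]) == (high_if, low_if) and ip in ipaddress.ip_network(
                f"{m['real']}/{m['mask'] or '255.255.255.255'}", strict=False):
            return True
    return False

def listening_tcp_ports(netstat_output):
    return {int(m["port"]) for m in _LISTEN.finditer(netstat_output)}

def permitted_ports(config, web_ip, sql_ip):
    """Every TCP destination port the ACL lets web_ip reach on sql_ip (all 65535 tried)."""
    aces = [parse_ace(l) for l in config if l.startswith("access-list ")]
    allowed = set()
    for port in range(1, 65536):
        for action, pred in aces:
            if pred(Flow("tcp", web_ip, 1047, sql_ip, port)):
                if action == "permit":
                    allowed.add(port)
                break
    return allowed

# Constructed sample mirroring the thread: ACE says 1433, SQL Server listens on 2128.
# 192.0.2.10, the ACL name dmz_in and the interface names inside/dmz are assumptions.
CONFIG = [
    "static (inside,dmz) 10.1.1.93 10.1.1.93",
    "access-list dmz_in permit tcp host 192.0.2.10 host 10.1.1.93 eq 1433",
    "access-group dmz_in in interface dmz",
]
NETSTAT = ("  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
           "  TCP    0.0.0.0:2128           0.0.0.0:0              LISTENING\n"
           "  TCP    10.1.1.93:139          0.0.0.0:0              LISTENING\n")
DENY_MSG = 'Deny tcp src dmz:192.0.2.10/1047 dst inside:10.1.1.93/2128 by access-group "dmz_in"'

if __name__ == "__main__":
    flow = parse_deny(DENY_MSG)
    print("ACL verdict:", first_match(CONFIG[1:2], flow) or "implicit deny")
    print("static xlate present:", has_xlate(CONFIG, flow.dst, "inside", "dmz"))
    allowed, up = permitted_ports(CONFIG, "192.0.2.10", "10.1.1.93"), listening_tcp_ports(NETSTAT)
    print("permitted but not listening:", sorted(allowed - up), "| listening but not permitted:", sorted(up - allowed))
```

Run as a script it reports 1433 as permitted with nothing listening and 2128 as listening but not permitted, which is the mismatch Keith found with netstat; the xlate check passes because the identity static is present. Moving SQL Server to a non-default port does not change what the ACE has to say: it must name the real listening port, and it is the ACL, not the port number, that limits which DMZ hosts can reach the service.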

Thanks this helped my issue also.

David