ASA 5520 ASDM How to Open Port on Interface

Ogero
Level 1

Please help, anyone.

I have a Cisco ASA 5520. I need my web server with IP 192.168.200.6 in the DMZ to access my database server with IP 192.168.2.4 on the Inside interface on port 1433.

I have tried creating an Access Rule for port 1433 with no luck.

Microsoft SQL Database communicates over port 1433.

How can I do it in ASDM?

Many Thanks.

9 Replies

Diana Karolina Rojas
Cisco Employee

Hello,

You have to create an access rule on the "dmz interface" allowing traffic from the DMZ server to go to the database server on that port; this should work. You can also try allowing ICMP, in order to test the connection using ping, and log it in the ASDM (this way you can see if the traffic is really allowed by the ASA).

Please do not forget to rate useful posts.

Best Regards,

Thank you for your help.

Please look at the image attached. I tried different configurations with no luck. Please help me do it right.

Hello!

The rule looks good (assuming sv0005 is the DMZ server and sv0003 is the database one). Can you show me all the sentences on the interface (show me the rules configured)? Maybe this rule is under another one that is blocking all the traffic between those devices. Please try to log the session and show me that also; use the logging monitor from the ASDM and gen.

Please do not forget to rate useful posts; your rating promotes our participation.

Best Regards,

Yes, sv0005 is in the DMZ and sv003 is on the inside.

I also tried creating an Access Rule for the network instead of the host and placed it at the top, with no luck.

I think I need to update the device OS.

Here's the screen shot.

Yes, you have an old IOS. However, I really think you have to permit ICMP traffic (or permit all IP traffic) on the ASA in order to test layer 3 connectivity between the devices (you can restrict the ports you want after doing this test). You also have to log the session to see if the packets are being dropped and why, and whether there are packets with ports different from the ones you permitted.

Please do not forget to rate/mark useful posts; your rating promotes our participation.

Best Regards,

I added an Access Rule in the Global section. I can connect to the internet but still can't connect to the database server on the inside.

Here is the screen shot.

On DMZ INSIDE, you should remove line 1; this permits that service to the entire LAN!

Line 2 is correct and should therefore work. Are you sure your SQL instance is running on the default port? I also note you are using security groups; are they configured correctly?

If you have SQL Management Studio on the DMZ box, you can connect via this to test connectivity (in addition there is Packet Tracer), but as said, the logs are your friend here.

Martin

Thanks guys for all your help.

It still is not working. This is the latest I have done after reading about all the possible ports MS SQL communicates over. Yet I still can't get it to work. What more can I do?

Please see image attached.

I believe the issue is that the DMZ ACL is applied outbound, as opposed to inbound. Can you change this?

Martin
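For readers following the thread, here is the CLI equivalent of what the replies converge on (the narrow host-to-host rule Martin approved, the overly broad rule he asked to remove, and the inbound versus outbound direction he raised). This is an added example, not configuration from any of the posters; it assumes the DMZ interface has nameif "dmz", the inside interface has nameif "inside", and an ACL name of DMZ_IN.

```cisco
! Added example, not from the thread. Assumed names: interface nameif "dmz",
! interface nameif "inside", ACL "DMZ_IN". Addresses are the ones given in the thread.
!
! --- Too broad (the "line 1" Martin asked to remove) ---
! Opens TCP/1433 from the web server to EVERY host on the inside LAN.
! access-list DMZ_IN extended permit tcp host 192.168.200.6 192.168.2.0 255.255.255.0 eq 1433
!
! --- Narrow rule: one source host, one destination host, one port ---
access-list DMZ_IN extended permit tcp host 192.168.200.6 host 192.168.2.4 eq 1433
!
! Temporary ICMP echo for the layer 3 test suggested earlier in the thread.
! Remove it once 1433 is confirmed working. Echo-replies come back only if
! "inspect icmp" is enabled in the global policy or a matching rule exists.
access-list DMZ_IN extended permit icmp host 192.168.200.6 host 192.168.2.4 echo
!
! Everything else originating in the DMZ is dropped by the implicit deny at the
! end of the ACL. TCP return traffic from the database server is allowed by the
! ASA's stateful connection table, so no rule is needed on "inside" for it.
!
! --- Direction matters ---
! WRONG: "out" filters packets leaving the ASA through dmz, i.e. packets headed
! TOWARD the DMZ. The web server's own connections enter the ASA on dmz and
! never hit this ACL, so the permit line has no effect on them.
! access-group DMZ_IN out interface dmz
!
! RIGHT: filter packets as they ARRIVE on the dmz interface from the web server.
access-group DMZ_IN in interface dmz
!
! --- Verify without waiting on the application ---
! Simulates a TCP SYN from an ephemeral port on the web server to 1433 and
! reports each phase (ACL lookup, NAT, routing) and the exact rule that
! allows or drops it.
packet-tracer input dmz tcp 192.168.200.6 40000 192.168.2.4 1433 detailed
```

The `packet-tracer` output names the access-list line that matched; if it reports an implicit deny on the ACL phase while the permit line is present, check the `access-group` direction first, then rule order.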