Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Newbie with asa.. need help

Status
Not open for further replies.
razmar

razmar

IS-IT--Management
Joined
Mar 16, 2008
Messages
13
Location
PR
Hi guys!
I have a DMZ with webservers who need to connect to a SQL server (port 1433) on the internal network.

I tried with static routes and didnt connect.. What i'm doing wrong?

I receive a message:
" portmap translation creation failed for tcp 1433" from webserver (dmz) to sql server on the internal network.

I'm a rookie with little knowledge with ASA firewalls. So if theres is a standard configuration or a template to connect:

Outside ----> DMZ (webservers)-------> SQl Servers (Data)(Internal Network)

thanks in advance
 
Sort by date Sort by votes
Please: This is the configuration. Thanks
****************************************************
!
hostname ######
domain-name ####
enable password
names
name 192.168.1.11 PRH05WEB
name 76.76.194.163 Public_APP_Server
name 76.76.194.162 Public_WWW
name 192.168.1.14 PRH02APP
name 131.15.2.55 SQL-CLUS-IP
name 131.15.2.53 SQL-Node1
name 131.15.2.41 SQL-Node2
name 131.15.2.42 Prh03sql
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address ########## 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 90
ip address 131.15.2.254 255.255.0.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 10
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name $####
object-group service description HTTP and HTTPS
service-object tcp eq www
service-object tcp eq https
object-group service mssql tcp
description Microsoft SQL
port-object eq 1433
object-group network DM_INLINE_NETWORK_1
network-object host PRH05WEB
network-object host PRH02APP
object-group network DM_INLINE_NETWORK_2
network-object host PRH05WEB
network-object host PRH02APP
object-group network DM_INLINE_NETWORK_3
network-object host PRH05WEB
network-object host PRH02APP
object-group network DM_INLINE_NETWORK_4
network-object host PRH05WEB
network-object host PRH02APP
object-group service DM_INLINE_TCP_3 tcp
port-object eq 1433
port-object eq 1434
object-group network SQL-Cluster-servers
network-object host SQL-Node2
network-object host Prh03sql
network-object host SQL-Node1
network-object host SQL-CLUS-IP
access-list outside_access_in extended permit object-group any host Public_WWW
access-list outside_access_in extended permit object-group any host Public_APP_Server
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 range 1 65535 host SQL-CLUS-IP eq 445
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 range 1 65535 host SQL-CLUS-IP object-group DM_INLINE_TCP_3
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 range 1 65535 host SQL-CLUS-IP eq netbios-ssn
access-list dmz_access_in extended permit icmp object-group DM_INLINE_NETWORK_4 host SQL-CLUS-IP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (outside) 2 Public_APP_Server netmask 255.0.0.0
global (outside) 1 Public_ 255.0.0.0
global (dmz) 200 192.168.1.2-192.168.1.254 netmask 255.255.255.0
nat (inside) 101 131.15.0.0 255.255.0.0
nat (dmz) 1 PRH05WEB 255.255.255.255
nat (dmz) 2 PRH02APP 255.255.255.255
nat (management) 101 10.0.0.0 255.255.255.0
static (dmz,outside) tcp Public_ PRH05WEB 255.255.255.255
static (dmz,outside) tcp Public_APP_Server 255.255.255.255
static (dmz,outside) tcp Public_ PRH05WEB https netmask 255.255.255.255
static (dmz,outside) tcp Public_APP_Server https PRH02APP https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 76.76.194.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:31624e23da8af2f6668400770becf59a
: end
 
Upvote 0 Downvote
Looking at your translations statements:

global (outside) 101 interface
global (outside) 2 Public_APP_Server netmask 255.0.0.0
global (outside) 1 Public_ 255.0.0.0
global (dmz) 200 192.168.1.2-192.168.1.254 netmask 255.255.255.0
nat (inside) 101 131.15.0.0 255.255.0.0
nat (dmz) 1 PRH05WEB 255.255.255.255
nat (dmz) 2 PRH02APP 255.255.255.255
nat (management) 101 10.0.0.0 255.255.255.0
static (dmz,outside) tcp Public_ PRH05WEB 255.255.255.255
static (dmz,outside) tcp Public_APP_Server 255.255.255.255
static (dmz,outside) tcp Public_ PRH05WEB https netmask 255.255.255.255
static (dmz,outside) tcp Public_APP_Server https PRH02APP https netmask 255.255.255.255


Is there anything missing out of this? This line:

global (dmz) 200 192.168.1.2-192.168.1.254 netmask 255.255.255.0

has no matching nat statement. Regardless. You will need a static to the internal server like so.

static (inside,dmz) ddd.ddd.ddd.ddd iii.iii.iii.iii netmask 255.255.255.255

so if this is the sql server: 131.15.2.55

static (inside,dmz) 131.15.2.55 131.15.2.55 netmask 255.255.255.255

 
Upvote 0 Downvote

I deleted:
global (dmz) 200 192.168.1.2-192.168.1.254 netmask 255.255.255.0


So I need to add this:

static (inside,dmz) 131.15.2.55 131.15.2.55 netmask 255.255.255.255

correct?
 
Upvote 0 Downvote
With this static I will be able to access the dmz from the inside and vice versa?

static (inside,dmz) 131.15.2.55 131.15.2.55 netmask 255.255.255.255
 
Upvote 0 Downvote
Yes. As long as you have rules applied on your DMZ interface to allow the traffic inbound to the inside interface. Since you dont have access control entries on the inside interface all is allowed to lower security levels.

 
Upvote 0 Downvote
Config For check:

hostname #####

domain-name #####

enable password ##### encrypted

names

name 192.168.1.11 PRH05WEB

name 76.76.194.163 Public_APP_Server

name 76.76.194.162 Public_WWW

name 192.168.1.14 PRH02APP

name 131.15.2.55 SQL-CLUS-IP

name 131.15.2.53 SQL-Node1

name 131.15.2.41 SQL-Node2

name 131.15.2.42 Prh03sql

name 192.168.1.22 description Clustered or Managed IP for WWW

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 76.76.194.164 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 131.15.2.253 255.255.0.0

!

interface GigabitEthernet0/2

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.0.0.1 255.255.255.0

!

passwd #######encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name ####.local

object-group service
description HTTP and HTTPS

service-object tcp eq www

service-object tcp eq https

object-group service mssql tcp

description Microsoft SQL Port

port-object eq 1433

object-group network SQL-Cluster-servers

network-object host SQL-Node2

network-object host Prh03sql

network-object host SQL-Node1

network-object host SQL-CLUS-IP

object-group network Public_Web_Servers

network-object host PRH05WEB

network-object host PRH02APP

network-object host
access-list outside_access_in extended permit object-group any host Public_WWW

access-list outside_access_in extended permit object-group any host Public_APP_Server

access-list inside_access_in extended permit tcp object-group Public_Web_Servers object-group SQL-Cluster-servers object-group mssql

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

global (outside) 2 Public_APP_Server netmask 255.0.0.0

global (outside) 1 Public_ 255.0.0.0

nat (inside) 101 131.15.0.0 255.255.0.0

nat (dmz) 1 PRH05WEB 255.255.255.255

nat (dmz) 2 PRH02APP 255.255.255.255

nat (management) 101 10.0.0.0 255.255.255.0

static (dmz,outside) tcp Public_ PRH05WEB 255.255.255.255

static (dmz,outside) tcp Public_APP_Server 255.255.255.255

static (dmz,outside) tcp Public_ PRH05WEB https netmask 255.255.255.255

static (dmz,outside) tcp Public_APP_Server https PRH02APP https netmask 255.255.255.255

static (inside,dmz) 131.15.2.55 131.15.2.55 netmask 255.255.255.255 ----->Correct???*****************

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 #########1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.0.0.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5a2ba21a2fad22600e1cd96da20d3109

: end
 
Upvote 0 Downvote
The inside ACL looks wrong. I think you meant to put that on your DMZ interface.

no access-group inside_access_in in interface inside

Access list entries you had before looked ok. The inside interface is the highest security interface. If no acls are applied to it, hosts on the inside will have access to any other interface.

In order to allow a lower level interface access to the higher, you need an access-list and a static nat ot no nat,

You have the static in place, you just need to allow the traffic from the DMZ to the inside.

access-list dmz permit tcp source dest port
access-group dmz in interface dmz


 
Upvote 0 Downvote
so I don't need this:

access-list inside_access_in extended permit tcp object-group Public_Web_Servers object-group SQL-Cluster-servers object-group mssql


And I need to put this:

access-list dmz permit tcp source dest port (in this case 1433 for sql)
access-group dmz in interface dmz

I'm correct? Do I need something more?

sorry to bother so much..
 
Upvote 0 Downvote
Lets put the config:

hostname #####

domain-name #####

enable password ##### encrypted

names

name 192.168.1.11 PRH05WEB

name 76.76.194.163 Public_APP_Server

name 76.76.194.162 Public_WWW

name 192.168.1.14 PRH02APP

name 131.15.2.55 SQL-CLUS-IP

name 131.15.2.53 SQL-Node1

name 131.15.2.41 SQL-Node2

name 131.15.2.42 Prh03sql

name 192.168.1.22 description Clustered or Managed IP for WWW

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 76.76.194.164 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 131.15.2.253 255.255.0.0

!

interface GigabitEthernet0/2

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.0.0.1 255.255.255.0

!

passwd #######encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name ####.local

object-group service
description HTTP and HTTPS

service-object tcp eq www

service-object tcp eq https

object-group service mssql tcp

description Microsoft SQL Port

port-object eq 1433

object-group network SQL-Cluster-servers

network-object host SQL-Node2

network-object host Prh03sql

network-object host SQL-Node1

network-object host SQL-CLUS-IP

object-group network Public_Web_Servers

network-object host PRH05WEB

network-object host PRH02APP

network-object host
access-list outside_access_in extended permit object-group any host Public_WWW

access-list outside_access_in extended permit object-group any host Public_APP_Server

access-list dmz permit tcp source dest port (in this case 1433 for sql)***** add this??

access-group dmz in interface dmz******** add this??

****access-list inside_access_in extended permit tcp object-group Public_Web_Servers object-group SQL-Cluster-servers object-group mssql***** delete this?

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

global (outside) 2 Public_APP_Server netmask 255.0.0.0

global (outside) 1 Public_ 255.0.0.0

nat (inside) 101 131.15.0.0 255.255.0.0

nat (dmz) 1 PRH05WEB 255.255.255.255

nat (dmz) 2 PRH02APP 255.255.255.255

nat (management) 101 10.0.0.0 255.255.255.0

static (dmz,outside) tcp Public_ PRH05WEB 255.255.255.255

static (dmz,outside) tcp Public_APP_Server 255.255.255.255

static (dmz,outside) tcp Public_ PRH05WEB https netmask 255.255.255.255

static (dmz,outside) tcp Public_APP_Server https PRH02APP https netmask 255.255.255.255

static (inside,dmz) 131.15.2.55 131.15.2.55 netmask 255.255.255.255 ----->Correct???*****************

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 #########1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.0.0.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5a2ba21a2fad22600e1cd96da20d3109

: end


is this ok??? Thanks
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
PauS0n
  • Locked
  • Question Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
459
PauS0n
PauS0n
intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
gkreg
  • Locked
  • Question Question
asa 5500-x url filtering
Replies
0
Views
699
gkreg
gkreg

Part and Inventory Search

Sponsor

Back
Top