RE: [fw-wiz] Problem with TCP 1433, conduits and ACLs...

From: Andy Lyakhovetskiy (andy_at_net4bay.com)
Date: 11/27/03

  • Next message: Alan Holmes: "RE: [fw-wiz] Dynamic routing on a firewall"
    To: <mailinglists@wjnconsulting.com>, <firewall-wizards@nfr.net>
    Date: Wed, 26 Nov 2003 19:01:43 -0800
    
    

    If you have MS SQL 2000, then go to "SQL Client Network Utility" on
    webserver and remove all protocols except TCP/IP.
    If you have SQL 6 or 7, then go to ODBC connections setup and remove all
    extra protocols from there.

    Andy Lyakkhovetskiy
    www.net4bay.com

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Wes
    Noonan
    Sent: Wednesday, November 26, 2003 11:22 AM
    To: firewall-wizards@nfr.net
    Subject: [fw-wiz] Problem with TCP 1433, conduits and ACLs...

    Had a strange problem last night doing a PIX upgrade. Here is the
    scenario:

    2 PIX515E in failover configuration. Upgraded the PIXOS to 6.3(3) from
    6.1(4). Installed new activation key for 3DES (they have UR license).
    The next step was to convert a bunch of conduits and statics to ACLs.

    The original statics were "open". IP x to IP y kind of stuff. We
    converted them to port specific statics. The conduits were also
    converted to ACLs. Seemed pretty straight forward. When we applied the
    changes, everything seemed to be working except for one webserver. The
    server build the web pages from a SQL database running on the internal
    network. The server would not load any pages and displayed a custom
    error message that essentially stated "I can't access the database".
    Every other system worked fine however, and for the real kicker I could
    telnet from the webserver to TCP 1433 on the SQL server and get the SQL
    session to come up.

    The original conduit/static was as follows:
    static (inside,dmz) 172.16.11.134 172.16.4.134 netmask 255.255.255.255 0
    0 conduit permit tcp host 172.16.11.134 eq 1433 host 172.16.8.101

    The new ACL/static was as follows:
    static (inside,dmz) tcp 172.16.11.134 1433 172.16.4.134 1433 netmask
    255.255.255.255 0 0 access-list dmz_ingress_01 permit tcp host
    172.16.8.101 host 172.16.11.134 eq 1433

    In looking at the logs, I could see the hit count on the ACL increasing.
    I could also see the sessions being created, but I never saw any data
    passing. I added the "log" option to the ACL as well as putting an
    explicit "deny ip any any log" entry and never saw anything that
    indicated why the system wouldn't work. I was not running the sqlnet
    fixup on that port number.

    I am pretty much at a loss for what the problem was. In the end we
    decided to roll back the ACLs for the DMZ and put the old conduits back
    in place with the new static statements. As soon as we did that, it
    started working fine. Clearly there seems to be an issue with how the
    PIX is handling the ACL traffic as opposed to the conduit traffic, but I
    can't see what that might be. TIA.

    Wes Noonan
    281-208-8993
    wnoonan@houston.rr.com
    http://www.wjnconsulting.com

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Alan Holmes: "RE: [fw-wiz] Dynamic routing on a firewall"

    Relevant Pages

    • DBMSSOCN library and VPN
      ... We have a managed dedicated webserver offsite, and our SQL 2K Server is on our LAN, at headquarters, behind our firewall. ... Currently a VPN is established between the webserver firewall and our headquarters firewall, connecting webserver to the SQL server on our LAN at 192.168.1.100. ...
      (microsoft.public.sqlserver.connect)
    • Re: SSL Sicherheitsfehler
      ... Webserver und SQL-Server laufen auf dem selben PC. ... Seltsamerweise hat der SQL Dienst die ganze Zeit NICHT gemeckert alles ... ).]SSL Sicherheitsfehler. ...
      (microsoft.public.de.sqlserver)
    • Re: Uninstall question, please help
      ... As it turns out, the webserver is ... server since the webserver has to have sql2000 client ... >SQL Server MVP ... Would I need the SQL 7.0 install cd or ...
      (microsoft.public.sqlserver.server)
    • SQL 2005 Express und ASP.NET
      ... SQL 2005 Express Server installiert habe. ... aber auf dem Webserver nicht. ...
      (microsoft.public.de.german.entwickler.dotnet.datenbank)