Firewall Wizards mailing list archives
RE: Problem with TCP 1433, conduits and ACLs...
From: "Andy Lyakhovetskiy" <andy () net4bay com>
Date: Wed, 26 Nov 2003 19:01:43 -0800
If you have MS SQL 2000, then go to "SQL Client Network Utility" on the webserver and remove all protocols except TCP/IP. If you have SQL 6 or 7, then go to the ODBC connections setup and remove all extra protocols from there.

Andy Lyakhovetskiy
www.net4bay.com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Wes Noonan
Sent: Wednesday, November 26, 2003 11:22 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Problem with TCP 1433, conduits and ACLs...

Had a strange problem last night doing a PIX upgrade. Here is the scenario:

2 PIX515E in failover configuration. Upgraded the PIXOS to 6.3(3) from 6.1(4). Installed new activation key for 3DES (they have UR license). The next step was to convert a bunch of conduits and statics to ACLs. The original statics were "open", IP x to IP y kind of stuff. We converted them to port-specific statics. The conduits were also converted to ACLs. Seemed pretty straightforward.

When we applied the changes, everything seemed to be working except for one webserver. The server builds the web pages from a SQL database running on the internal network. The server would not load any pages and displayed a custom error message that essentially stated "I can't access the database". Every other system worked fine, however, and for the real kicker I could telnet from the webserver to TCP 1433 on the SQL server and get the SQL session to come up.

The original conduit/static was as follows:

static (inside,dmz) 172.16.11.134 172.16.4.134 netmask 255.255.255.255 0 0
conduit permit tcp host 172.16.11.134 eq 1433 host 172.16.8.101

The new ACL/static was as follows:

static (inside,dmz) tcp 172.16.11.134 1433 172.16.4.134 1433 netmask 255.255.255.255 0 0
access-list dmz_ingress_01 permit tcp host 172.16.8.101 host 172.16.11.134 eq 1433

In looking at the logs, I could see the hit count on the ACL increasing. I could also see the sessions being created, but I never saw any data passing. I added the "log" option to the ACL as well as putting an explicit "deny ip any any log" entry and never saw anything that indicated why the system wouldn't work. I was not running the sqlnet fixup on that port number.

I am pretty much at a loss for what the problem was. In the end we decided to roll back the ACLs for the DMZ and put the old conduits back in place with the new static statements. As soon as we did that, it started working fine. Clearly there seems to be an issue with how the PIX is handling the ACL traffic as opposed to the conduit traffic, but I can't see what that might be.

TIA.

Wes Noonan
281-208-8993
wnoonan () houston rr com
http://www.wjnconsulting.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
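The conduit-to-ACL rewrite Wes describes has one trap worth showing in code: a PIX 6.x `conduit` names the global (translated, destination) address first and the foreign (source) address second, while an `access-list` entry names the source first and the destination second, so every operand pair, port qualifiers included, has to be swapped. The converter below is an added example written for this page, not a tool from the thread or from Cisco; it reproduces the exact rewrite shown in the post, handles `any`, network/mask pairs and `range` qualifiers, refuses `icmp` conduits (which carry a type rather than a port), and appends the `access-group` binding that actually activates the ACL. The ACL name `dmz_ingress_01` and interface name `dmz` are taken from the post; the two extra sample conduits are constructed for the example.

```python
"""Rewrite PIX 6.x 'conduit' statements as equivalent 'access-list' entries.

Conduit operands are ordered global (translated destination) first, foreign
(source) second; access-list operands are source first, destination second.
Forgetting that swap is the classic mistake in this conversion, so the
converter performs it explicitly and also emits the access-group binding.
"""
from typing import List, Tuple

PORT_OPS = {"eq", "gt", "lt", "neq"}


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume an address spec at tok[i]: 'host A', 'any', or 'A MASK'."""
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _take_port(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port qualifier: 'eq N', 'gt N', 'lt N', 'neq N' or 'range A B'."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return "", i


def conduit_to_acl(conduit: str, acl_name: str) -> str:
    """Convert one conduit line into one access-list line (tcp/udp/ip only)."""
    tok = conduit.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit!r}")
    action, proto = tok[1], tok[2]
    if proto == "icmp":
        raise ValueError("icmp conduits carry a type, not a port; convert by hand")
    global_addr, i = _take_addr(tok, 3)   # destination as seen on the outer interface
    global_port, i = _take_port(tok, i)
    foreign_addr, i = _take_addr(tok, i)  # source
    foreign_port, i = _take_port(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in {conduit!r}: {tok[i:]}")
    # access-list order: source [port] destination [port]
    parts = ["access-list", acl_name, action, proto, foreign_addr]
    if foreign_port:
        parts.append(foreign_port)
    parts.append(global_addr)
    if global_port:
        parts.append(global_port)
    return " ".join(parts)


def convert_conduits(conduits: List[str], acl_name: str, interface: str) -> List[str]:
    """Convert a block of conduits and append the access-group that activates the ACL."""
    acl = [conduit_to_acl(c, acl_name) for c in conduits if c.strip()]
    acl.append(f"access-group {acl_name} in interface {interface}")
    return acl


# Constructed sample input: the conduit from the thread plus two made-up neighbours.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 172.16.11.134 eq 1433 host 172.16.8.101",
    "conduit permit udp host 172.16.11.10 eq 53 any",
    "conduit permit tcp host 172.16.11.20 range 8000 8010 172.16.8.0 255.255.255.0",
]

if __name__ == "__main__":
    for line in convert_conduits(SAMPLE_CONDUITS, "dmz_ingress_01", "dmz"):
        print(line)
```

The first line of output is exactly the `access-list dmz_ingress_01 ...` entry in Wes's post, which confirms the operand swap was done correctly there. The converter only covers the filtering half of the migration; the `static` (NAT) statements are a separate concern, and on a PIX existing translation slots survive a `static` change until `clear xlate` is issued, so a changed static should be followed by that command before testing.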
Current thread:
- (In)security of wireless LANs and the Cisco Wireless Security Suite Stewart, John (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite R. DuFresne (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite John Adams (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite R. DuFresne (Nov 05)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite John Adams (Nov 04)
- RE: (In)security of wireless LANs and the Cisco Wireless Security Suite Ben Nagy (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite David Wagner (Nov 05)
- Problem with TCP 1433, conduits and ACLs... Wes Noonan (Nov 26)
- RE: Problem with TCP 1433, conduits and ACLs... Andy Lyakhovetskiy (Nov 28)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite David Wagner (Nov 05)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite R. DuFresne (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite Mikael Olsson (Nov 04)
- <Possible follow-ups>
- RE: (In)security of wireless LANs and the Cisco Wireless Security Suite Sloane, David (Nov 04)