My access-list allows SQL access?

I have set my Cisco PIX 501 to allow file sharing and ICMP from specified PCs on my network. To my surprise, I am able to send an SQL update to "Server" on the outside. From what I have read, TCP ports 1433, 1434, 1953, & UDP 1434 are used for SQL. Did I miss something in my configuration to allow this?

Here is the LOG. Notice how 1433 is denied. I'm not clear about what is happening after the deny messages. My PC is at address 172.31.1.113.

106023: Deny tcp src inside:InsidePC3/1473 dst outside:Server/1433 by access-group "acl_outside"
106023: Deny tcp src inside:InsidePC3/1473 dst outside:Server/1433 by access-group "acl_outside"
106023: Deny tcp src inside:InsidePC3/1473 dst outside:Server/1433 by access-group "acl_outside"
609001: Built local-host inside:172.31.1.113
305011: Built dynamic ICMP translation from inside:172.31.1.113/512 to outside:172.16.13.1/0
305011: Built dynamic TCP translation from inside:172.31.1.113/1474 to outside:172.16.13.1/1024
302013: Built outbound TCP connection 69 for outside:172.16.13.2/445 (172.16.13.2/445) to inside:172.31.1.113/1474 (172.16.13.1/1024)
305012: Teardown dynamic ICMP translation from inside:172.31.1.113/512 to outside:172.16.13.1/0 duration 0:00:31

Here is the CONFIG.

names
name 172.31.1.136 InsidePC
name 172.16.13.2 Server
name 172.31.1.34 InsidePC2
name 172.31.1.113 InsidePC3
name 172.31.1.131 InsidePC4
object-group service FileShareTCP tcp
  port-object eq netbios-ssn
  port-object eq 445
object-group service FileShareUDP udp
  port-object eq netbios-ns
  port-object eq netbios-dgm
  port-object eq 445
object-group network insidePCgroup
  network-object host InsidePC
  network-object host InsidePC2
  network-object host InsidePC3
  network-object host InsidePC4
access-list acl_inside permit icmp any any
access-list acl_inside permit udp object-group insidePCgroup host Server object-group FileShareUDP
access-list acl_inside permit tcp object-group insidePCgroup host Server object-group FileShareTCP
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp object-group insidePCgroup host Server object-group FileShareTCP
access-list acl_outside permit udp object-group insidePCgroup host Server object-group FileShareUDP
pager lines 24
logging on
logging console alerts
logging monitor alerts
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 172.16.13.1 255.255.255.0
ip address inside 172.31.4.10 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location InsidePC 255.255.255.255 inside
pdm location InsidePC2 255.255.255.255 outside
pdm location InsidePC3 255.255.255.255 outside
pdm location InsidePC4 255.255.255.255 outside
pdm location InsidePC 255.255.255.255 outside
pdm group insidePCgroup outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.31.0.0 255.255.0.0 0 0
access-group acl_inside in interface outside
access-group acl_outside in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.31.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.31.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:6f4ca09f0d791fcc568b55fd6e1ce024
: end
[OK]
Matt Scoff