Block 1433 port with access list for specific ip address

rajesh_dongre

Distinguished
Jan 2, 2012
I want to block SQL port access to my server for everyone except a few of my IP addresses, using an access list on a Cisco router running IOS. How do I do that?

1sAND0s

Distinguished
Dec 17, 2011
hi, rajesh-
some more information about your network would enable me to give you a more complete answer, but for now the basic syntax of an access-list on cisco equipment is:

access-list [number] permit/deny [ip/tcp/udp] [source network/host] [destination network/host]

i found a good (and free) video tutorial on how to configure access-lists here: http://www.bosscbt.tv/icnd2/intro-to-access-lists/

good luck!

rajesh_dongre

Distinguished
Jan 2, 2012
Dear 1sAND0s

Below is the syntax I am using, in which I want a few of my external IPs to be able to access the SQL port (1433) on my server, and the rest to be blocked from accessing port 1433.

ip access-list extended WAN
 permit tcp host X.X.X.X host [server ip] eq 1433
 deny tcp any host [server ip] eq 1433

ip access-group WAN in (on my router interface)

If I apply the above access-list, the server IP stops responding from the outside network.

Please help me with that, so that I can apply the same and hope it works.

Thanks in advance.

1sAND0s

Distinguished
Dec 17, 2011
hello,
so it looks like you are enabling access correctly to the server on tcp port 1433.

ip access-list extended WAN
 permit tcp host [external host ip] host [server ip] eq 1433

and then you explicitly block everyone to the same server on tcp 1433. that second line actually isn't necessary because there is an implicit deny at the end of every access-list, so everything gets denied that hasn't already been explicitly permitted.

i suspect you might need more ports open (but i say that not knowing what you're doing with this sql server). so you might want to start by applying this acl:

ip access-list extended WAN
 permit ip any host [server ip] log

this will log all traffic going to the server - it will let you know whether your external hosts need more ports (just check the router logs).

you can apply a similar access-list to the interface closest to the sql server - again permit the server to talk to anyone and log it. look in the logs to see what ports the server needs open.

finally, where you apply the access-list matters... A LOT :) decide if it should be on an external facing interface, on the internal, or one for each (depends on how tightly you want to lock things down).

when in doubt, look at your traffic to see what's going on (logging the acl or a packet capture).

did you check out the access-list tutorial? i know they have several more that cover more advanced access-list issues.

good luck!

:)
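To make the reply's point about first-match and the implicit deny concrete, here is an added example (not from the thread or from Cisco) that models how an IOS extended ACL evaluates packets. It runs the ACL exactly as posted in the thread, then a corrected version that keeps the 1433 restriction but permits the server's other traffic; the addresses are constructed placeholders, and the model ignores wildcard masks, port ranges and the `established` keyword.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    """One access-control entry (ACE) of an IOS extended ACL."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp"/"udp"
    src: str                     # source host address, or "any"
    dst: str                     # destination host address, or "any"
    dport: Optional[int] = None  # "eq <port>" on the destination, or None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(e: Entry, p: Packet) -> bool:
    """An ACE matches when every field it specifies agrees with the packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src != "any" and e.src != p.src:
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    return e.dport is None or e.dport == p.dport

def evaluate(acl: list, p: Packet) -> str:
    """IOS semantics: the first matching entry wins; no match is the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

SERVER = "203.0.113.10"   # constructed placeholder for the SQL server
ALLOWED = "198.51.100.7"  # constructed placeholder for a permitted external host

# The ACL as posted in the thread: nothing but TCP/1433 from ALLOWED is permitted.
POSTED = [Entry("permit", "tcp", ALLOWED, SERVER, 1433),
          Entry("deny", "tcp", "any", SERVER, 1433)]
# Corrected: keep both 1433 entries, then permit the server's remaining traffic.
# The explicit deny now matters, because a broader permit follows it.
CORRECTED = POSTED + [Entry("permit", "ip", "any", SERVER)]

def check(acl: list) -> dict:
    """Outcome for a permitted host, a stranger on 1433, and a stranger on 443."""
    return {"allowed_1433": evaluate(acl, Packet("tcp", ALLOWED, SERVER, 1433)),
            "other_1433": evaluate(acl, Packet("tcp", "192.0.2.55", SERVER, 1433)),
            "other_443": evaluate(acl, Packet("tcp", "192.0.2.55", SERVER, 443))}
```

`check(POSTED)` shows the posted ACL denying the stranger's port 443 traffic as well, which is the behaviour reported in the thread; `check(CORRECTED)` permits it while still denying port 1433.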