Connecting to DB from outside Firewall
| Jerry CTPH 2005-04-12, 8:23 pm |
| How do I configure connection parameters and firewall to allow me to connect
from outside a firewall to a db running inside the firewall?
I have moved my database (8.0.2 (3601)) behind a firewall. I
can no longer access it with ISql, even though I opened the
port 2368 for both UDP and TCP.
It is a Cisco PIX firewall. I can get all other services
through. Any ideas how the connection is established? The
internal side is allowed to establish any connection it
wants. The firewall does not show that it is blocking the
packets. If I stop port 2368, I do see the packets stopped,
so I think I have the right initial port anyway. Does it
need a secondary one? Is an internal IP address sent back in
the connection ack? (it is static nat'd so it would be
different than the external address).
I tried with dbping:
C:\Documents and Settings\Jerry>dbping -d -z -c "uid=dba;pwd=sql;eng=billing;links=tcpip(host=<ipaddressremoved>;dobroadcast=none);log=c:\somelog.txt"
Adaptive Server Anywhere Server Ping Utility Version 8.0.0.2213
Application information:
"HOST=JERRY_IBM;OS=Windows XP (Service Pack 2);PID=0x13650;THREAD=0x13654;EXE=C:\Program Files\Sybase\SQL Anywhere 8\win32\dbping.exe;VERSION=8.0.0.2213;API=DBLIB;TIMEZONEADJUSTMENT=-240"
Attempting to connect using:
UID=dba;PWD=***;ENG=billing;DBG=YES;LOG=c:\somelog.txt;LINKS=tcpip(host=<ipaddressremoved>;dobroadcast=none)
Attempting to connect to a running server...
Trying to start TCPIP link ...
Loading wsock32.dll
Loading ws2_32.dll
TCP using Winsock version 2.0
My IP address is 192.168.1.35
My IP address is 127.0.0.1
TCPIP link started successfully
Attempting TCPIP connection (no asasrv.ini cached address)
Looking for server with name billing
Trying to find server at address <removed again>
TCP/IP link, function connect(), error code 10060
Failed to connect over TCPIP
Not attempting to autostart server
Cannot connect to server
Ping database failed -- Database server not found.
I would think the NAT address of my machine is ok, since it
worked before I installed the firewall.
Jerry
| |
| Graeme Perrow 2005-04-12, 8:23 pm |
| Error code 10060 means ETIMEDOUT, which indicates to me that the client
found the server, but the TCP connection failed. Add -z to the server's
start line, and you'll see if any TCP connections are made to it.
--
Graeme Perrow
Senior Software Developer
gperrow _at_ ianywhere _dot_ com
iAnywhere Solutions Inc.
A Sybase company
Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer/
| |
| Ian McHardy 2005-04-15, 11:23 am |
| The error 10060 is WSAETIMEDOUT (a WinSock error)
"A connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed because
connected host has failed to respond."
I got the same error with
dbping -c "eng=foo;links=tcpip(host=10.25.107.254;dobroad=none)" -z
where 10.25.107.254 was an unused address on my subnet.
So I'd recommend double checking the host address in the connection string,
then double checking the configuration of your firewall. With these
connection parameters, no UDP is involved, and ASA is just attempting to
establish a TCP/IP connection to hostname:2638. You may need to use the
clientport connection parameter. Failing that, you may want to use a packet
sniffer (we sometimes use ethereal from www.ethereal.com, which is free
software) on the server machine and see if the TCP/IP connect request is
getting there from the client.
--
Ian McHardy (iAnywhere Solutions)
Please reply only to the newsgroup.
Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer
"Jerry CTPH" <jerry_removethis_@vappsinc.com> wrote in message
news:425c18e2@forums-2-dub...
> How do I configure connection parameters and firewall to allow me to
> connect from outside a firewall to a db running inside the firewall?
>
> I have moved my database (8.0.2 (3601)) behind a firewall. I
> can no longer access it with ISql, even though I opened the
> port 2368 for both UDP and TCP.
> It is a Cisco PIX firewall. I can get all other services
> through. Any ideas how the connection is established? The
> internal side is allowed to establish any connection it
> wants. The firewall does not show that it is blocking the
> packets. If I stop port 2368, I do see the packets stopped,
> so I think I have the right initial port anyway. Does it
> need a secondary one? Is an internal IP address sent back in
> the connection ack? (it is static nat'd so it would be
> different than the external address).
>
> I tried with dbping:
>
> C:\Documents and Settings\Jerry>dbping -d -z -c "uid=dba;pwd=sql;eng=billing;links=tcpip(host=<ipaddressremoved>;dobroadcast=none);log=c:\somelog.txt"
> Adaptive Server Anywhere Server Ping Utility Version 8.0.0.2213
> Application information:
> "HOST=JERRY_IBM;OS=Windows XP (Service Pack 2);PID=0x13650;THREAD=0x13654;EXE=C:\Program Files\Sybase\SQL Anywhere 8\win32\dbping.exe;VERSION=8.0.0.2213;API=DBLIB;TIMEZONEADJUSTMENT=-240"
> Attempting to connect using:
> UID=dba;PWD=***;ENG=billing;DBG=YES;LOG=c:\somelog.txt;LINKS=tcpip(host=<ipaddressremoved>;dobroadcast=none)
> Attempting to connect to a running server...
> Trying to start TCPIP link ...
> Loading wsock32.dll
> Loading ws2_32.dll
> TCP using Winsock version 2.0
> My IP address is 192.168.1.35
> My IP address is 127.0.0.1
> TCPIP link started successfully
> Attempting TCPIP connection (no asasrv.ini cached address)
> Looking for server with name billing
> Trying to find server at address <removed again>
> TCP/IP link, function connect(), error code 10060
> Failed to connect over TCPIP
> Not attempting to autostart server
> Cannot connect to server
> Ping database failed -- Database server not found.
>
> I would think the NAT address of my machine is ok, since it
> worked before I installed the firewall.
> Jerry
>
>
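
Added example, not part of any poster's message and not iAnywhere code: a small Python probe for the check described in the reply above, a plain TCP connect to the server port, classified as open, refused or timed out. The function names are made up for this example, and the demo uses a constructed local listener so it runs offline.

```python
import socket

OPEN, REFUSED, TIMEOUT, ERROR = "open", "refused", "timeout", "error"

# What each outcome says about the path (Winsock codes as dbping -z reports them).
MEANING = {
    OPEN: "handshake completed: firewall rule and NAT mapping pass this port",
    REFUSED: "RST received (10061): host reachable, nothing listening on this port",
    TIMEOUT: "no reply (10060): SYN dropped by a filter, bad NAT mapping, or unused address",
    ERROR: "local failure (name resolution, no route) before any packet was answered",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how it ended."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except (socket.timeout, TimeoutError):
        return TIMEOUT
    except ConnectionRefusedError:
        return REFUSED
    except OSError:
        return ERROR
    finally:
        s.close()

def check_ports(host, ports, timeout=3.0):
    """Probe several candidate ports on one host; returns {port: outcome}."""
    return {p: probe(host, p, timeout) for p in ports}

if __name__ == "__main__":
    # Constructed demo: a local listener stands in for the database server so the
    # script runs offline. Against a real setup, pass the firewall's external
    # address and the port numbers mentioned in the thread (2368 and 2638).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    listening = srv.getsockname()[1]
    for port, outcome in check_ports("127.0.0.1", [listening]).items():
        print(port, outcome, "-", MEANING[outcome])
    srv.close()
    print(listening, probe("127.0.0.1", listening), "(after the listener closed)")
```

A timeout on one candidate port next to "open" or "refused" on another points at the firewall rule or the port number rather than at the database server.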