topic PIX DMZ web-server with inside SQL database in Network Security

PIX DMZ web-server with inside SQL database

cwincey — Fri, 21 Feb 2020 08:02:23 GMT

Hi,

I have a PIX525 that I am setting up (new to PIX) to allow web connectivity from the internet. I can get to the web server (from the inside and outside), however, we have the SQL database for the web content sitting on a server on our inside interface. The port has been changed from the usual port to a different port (ie port 5533) for obvious security reasons. I have tried to set up nat and an access list (I have even tried allowing all access from the DMZ to the inside server ip) but have been unsuccessful. I am trying to access this port in order to pull up the website. I can not get the SQL content to show up on the website either from the internal network or the outside interface.

Am I missing something?

Here is what I have:

static (inside,DMZ1) 10.110.10.2 172.16.4.215 dns netmask 255.255.255.255 0 0

access-list DMZ1_access_in permit tcp any host 10.110.10.2 eq 5533

Any thoughts would really be appreciated.

Craig

Re: PIX DMZ web-server with inside SQL database

fedrodri — Sat, 26 Mar 2005 17:59:57 GMT

Hi, Craig

What you've configured seems to be fine (did you apply the ACL to the DMZ1 interface with the command 'access-group DMZ1_access_in in interface DMZ1?). So, what does the xlate (trSanslations table) say: 'show xlate local 172.16.4.215 detail' ?

Do you have any logs? You can momentarily set monitor debugging and capture all your telnet or ssh session output:

config t

log on

log trap deb

log mon deb

term mon

term no mon (to stop logging being displayed)...

Thanks,

Federico Rodriguez

Re: PIX DMZ web-server with inside SQL database

cwincey — Sat, 26 Mar 2005 19:05:12 GMT

Thanks Federico. I am in the process of grabbing logs now. I have attached the pertinent config information so that you can get a better look at what I am trying to accomplish

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface gb-ethernet0 1000full

interface gb-ethernet1 1000auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 DMZ1 security50

nameif gb-ethernet0 inside security100

nameif gb-ethernet1 intf3 security6

names

object-group service DMZ1 tcp

description Object Group for DMZ services

port-object eq www

port-object eq ftp

port-object eq smtp

port-object eq https

access-list outside_access_in permit tcp any aaa.bbb.199.48 255.255.255.240 object-group DMZ1

access-list DMZ1_access_in permit tcp any host xxx.yyy.1.2 eq 5533

pager lines 24

mtu outside 1500

mtu DMZ1 1500

mtu inside 1500

mtu intf3 1500

ip address outside aaa.bbb.199.60 255.255.255.240

ip address DMZ1 xxx.yyy.1.1 255.255.255.0

ip address inside mmm.nnn.1.1 255.255.252.0

no ip address intf3

ip verify reverse-path interface outside

arp timeout 14400

global (outside) 1 interface

global (DMZ1) 1 interface

nat (DMZ1) 1 xxx.yyy.1.0 255.255.255.0 0 0

nat (inside) 1 mmm.nnn.0.0 255.255.252.0 0 0

static (inside,DMZ1) xxx.yyy.1.2 mmm.nnn.3.205 dns netmask 255.255.255.255 0 0

static (DMZ1,outside) aaa.bbb.199.53 xxx.yyy.1.3 netmask 255.255.255.255 0 0

static (DMZ1,outside) aaa.bbb.199.52 xxx.yyy.1.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group DMZ1_access_in in interface DMZ1

route outside 0.0.0.0 0.0.0.0 aaa.bbb.199.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Please let me know your thoughts. All replies are welcome.

Thanks,

Craig

Re: PIX DMZ web-server with inside SQL database

fedrodri — Sun, 27 Mar 2005 19:26:41 GMT

Craig,

What is the purpose for this static:

static (DMZ1,outside) aaa.bbb.199.52 xxx.yyy.1.2

Is xxx.yyy.1.2 a server on the DMZ1 interface? If it is, then why do you create an static NAT for the inside SQL server to that server's IP on the DMZ1 interface?

static (inside,DMZ1) xxx.yyy.1.2 mmm.nnn.3.205 dns

If what you are trying to accomplish is to NAT the SQL to the DMZ1, and from the translated DMZ1 IP address to an outside IP, that's not possible (you would need to create an static NAT statement from inside to DMZ1, and another one from inside to outside). In that case just remove this one:

static (DMZ1,outside) aaa.bbb.199.52 xxx.yyy.1.2

clear xlate global aaa.bbb.199.52

Anyway, what does 'show xlate local mmm.nnn.3.205' shows you? What about the logs (something like "no translation group found" or "deny inbound tcp connection... by access-group DMZ1_access_in")?

Thanks,

Federico.

Re: PIX DMZ web-server with inside SQL database

cwincey — Thu, 07 Apr 2005 17:10:56 GMT

Federico,

Thanks for your assistance, but I was able to figure it out. I had to create a NAT between the inside server and a DMZ address and then point the webserver in the DMZ to the NAT'd dmz address which of course accessed the internal server for SQL.