https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435411#M645445 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Firstly, I assume your outside interface has a security level of 0 so both the DMZ and INSIDE interfaces will be able to go outside since their security levels are higher.</P><P></P><P>To allow the DMZ to talk to a host on the INSIDE, then you must create an access-group and and access-list for the DMZ network.</P><P></P><P>Let's assume that the DB is a mysql server running on 192.168.1.100 on port 3306 and you have interfaces with DMZ and INSIDE as names.</P><P></P><P>access-group DMZ_access_in in interface DMZ</P><P>access-list DMZ_access_in extended permit tcp any host 192.168.1.100 eq 3306</P><P></P><P>Of course, you can be more specific with your ACL by adding a host instead of the keyword any, i.e.</P><P></P><P>access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 192.168.1.100 eq 3306</P><P></P><P></P><P>Hope this helps,</P><P></P><P>Conor</P></BODY></HTML> Fri, 06 Aug 2010 21:30:07 GMT Conor Cunningham 2010-08-06T21:30:07Z https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435410#M645441 <P>I want to allow a system in the DMZ (75) access to a</P><P>database server in a higher security (100) and also still allow the server in the DMZ access to the internet from inside.</P><P></P><P>From the inside out to the internet works fine unless I change the access rules.. is there an acl that I use for this or how do I do this. The ports are from internal systems 172.16.10.10(DMZ) to 172.16 20.10(NONDMZ) and need ports 1433,5151, and some in the 14000 range. Can anyone assist me? </P> Mon, 11 Mar 2019 18:22:22 GMT https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435410#M645441 pskipton01 2019-03-11T18:22:22Z https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435411#M645445 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Firstly, I assume your outside interface has a security level of 0 so both the DMZ and INSIDE interfaces will be able to go outside since their security levels are higher.</P><P></P><P>To allow the DMZ to talk to a host on the INSIDE, then you must create an access-group and and access-list for the DMZ network.</P><P></P><P>Let's assume that the DB is a mysql server running on 192.168.1.100 on port 3306 and you have interfaces with DMZ and INSIDE as names.</P><P></P><P>access-group DMZ_access_in in interface DMZ</P><P>access-list DMZ_access_in extended permit tcp any host 192.168.1.100 eq 3306</P><P></P><P>Of course, you can be more specific with your ACL by adding a host instead of the keyword any, i.e.</P><P></P><P>access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 192.168.1.100 eq 3306</P><P></P><P></P><P>Hope this helps,</P><P></P><P>Conor</P></BODY></HTML> Fri, 06 Aug 2010 21:30:07 GMT https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435411#M645445 Conor Cunningham 2010-08-06T21:30:07Z https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435412#M645450 <HTML><HEAD></HEAD><BODY><P>That should help nicly thanks</P></BODY></HTML> Fri, 06 Aug 2010 22:26:53 GMT https://community.cisco.com/t5/network-security/allowing-some-ports-from-a-dmz-system-to-nondms-system/m-p/1435412#M645450 pskipton01 2010-08-06T22:26:53Z