Help to a PIX 525 design

phiz.petry
Level 1

Hello,

I prepare to configure a PIX 525 with 3 interfaces.

It will have a Webserver on the DMZ.

The Webserver must communicate with a SQL Server located in the inside network.

Here are my questions:

1) To authorize traffic between the DMZ and the inside, I am considering using the following commands

nat (inside) 1 0 0

global (dmz) 1 192.168.1.1 (using PAT)

static (inside,dmz) 192.168.1.200 192.168.100.1 netmask 255.255.255.255 (and 192.168.100.1 is my SQL server located in the inside network)

access-list dmz_access_in permit ip host 192.168.1.50 host 192.168.1.200 ( 192.168.1.50 is my Webserver)

access-group dmz_access_in in interface dmz

Is my configuration OK? I cannot find a similar example on the Cisco site. All examples use this command

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

I don't understand this command; it seems not to be secure.

2) With my access list I authorize access to the whole SQL Server.

How can I see which port is used when the Webserver is communicating with the SQL Server?

Must I use a sniffer or PIX debug?

3) Is it really significant to filter the ports from the DMZ towards the inside?

Thanks for your help

sachinraja
Level 9

Hello,

There are a couple of ways by which you can make the DMZ and inside subnets interact:

1) doing a nonat (or a static on the same IP), so that the DMZ sees the inside server with its original IP. There is no potential risk in this, as you are anyway going to allow only the required ports.

2) doing a nat to the DMZ subnet, as you have done.

Both of these should work. This is done only to know the IP of your inside server.

so static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

specifies that any PC/server going out from inside to the DMZ will not be natted, and the DMZ subnet will see the PC with its original IP address.

2) ya.. use a sniffer.. that's the best way of doing it.. download something like Ethereal and you can easily see which ports the server is talking to. You can then open the appropriate ports on the PIX to allow communication.

3) normally all traffic from DMZ to inside is denied.. (according to the adaptive security algorithm). So, you must allow ports explicitly for communication from DMZ to inside, which means you need to filter ports...

Hope this helps.. all the best..

Raj
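Raj's answer to points 2 and 3 amounts to: capture the Webserver-to-SQL traffic, note the destination ports, then replace the broad "permit ip host ... host ..." line with port-specific entries. The following script is an added example, written for this thread and not posted by either participant. It parses a constructed, hypothetical flow summary (the "src:port -> dst:port proto" format is invented for the example, it is not Ethereal's export format), keeps only flows from the Webserver (192.168.1.50) to the SQL server's DMZ-side static address (192.168.1.200), ignores the return direction because the PIX tracks established connections statefully, and prints the least-privilege access-list lines. The port numbers in the sample are constructed values, and the function names are the example's own.

```python
"""Derive port-specific PIX access-list lines from observed flows (added example)."""
import re
from collections import defaultdict

# Constructed sample capture summary in a hypothetical "src:port -> dst:port proto"
# format. Addresses follow the thread: 192.168.1.50 is the Webserver,
# 192.168.1.200 is the SQL server's translated address on the DMZ side.
# The 192.168.1.60 line and the reply-direction line are there to show filtering.
SAMPLE_CAPTURE = """\
192.168.1.50:3201 -> 192.168.1.200:1433 tcp
192.168.1.50:3202 -> 192.168.1.200:1433 tcp
192.168.1.50:3203 -> 192.168.1.200:1434 udp
192.168.1.50:3204 -> 192.168.1.200:1433 tcp
192.168.1.60:4120 -> 192.168.1.200:445 tcp
192.168.1.200:1433 -> 192.168.1.50:3201 tcp
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


def parse_flows(text):
    """Return (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m.group(1), m.group(3), m.group(5), int(m.group(4))))
    return flows


def observed_ports(flows, src, dst):
    """Map protocol -> sorted destination ports seen from src to dst.

    Only the initiating direction is kept: reply packets (dst -> src) need no
    access-list entry because the PIX permits return traffic of a tracked connection.
    """
    ports = defaultdict(set)
    for s, d, proto, dport in flows:
        if s == src and d == dst:
            ports[proto].add(dport)
    return {proto: sorted(dports) for proto, dports in ports.items()}


def build_acl(acl_name, src, dst, ports):
    """Render one PIX access-list line per observed protocol/port pair."""
    lines = []
    for proto in sorted(ports):
        for port in ports[proto]:
            lines.append(
                f"access-list {acl_name} permit {proto} host {src} host {dst} eq {port}"
            )
    return lines


def acl_from_capture(text, acl_name, src, dst):
    """Convenience wrapper: capture text -> list of access-list lines."""
    return build_acl(acl_name, src, dst, observed_ports(parse_flows(text), src, dst))


if __name__ == "__main__":
    for line in acl_from_capture(SAMPLE_CAPTURE, "dmz_access_in",
                                 "192.168.1.50", "192.168.1.200"):
        print(line)
```

The two printed lines replace the thread's single "permit ip" entry; the SMB-looking flow from 192.168.1.60 is deliberately left out because it does not originate from the Webserver, which is exactly the kind of traffic a broad rule would have let through. Run the capture for long enough to cover the application's full behaviour before trusting the result.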