PIX 525 in between a Web Server and a DB server configurations

ewai
Level 1

Hi everyone,

I'm planning to put a PIX 525 between our Web Server and a Database server. Let's assume the Web Server has an IP of 192.168.3.5 (netmask 255.255.255.0) and the DB server has an IP of 192.168.2.6 (netmask 255.255.255.0). The port I'm going to use is port 1433. What kind of settings in the FW and command lines do I need in order to let the Web Server connect through the FW using 1433 to the DB server?

Any configuration examples you can provide are greatly appreciated.

TIA

Tom

3 Replies

sachinraja
Level 9

Hi Tom,

Let's assume that your web server is on the inside segment and the database server is on your DMZ. You can do the following:

static (inside,dmz) 192.168.3.5 192.168.3.5 netmask 255.255.255.255

access-list dmz_acl permit tcp host 192.168.2.6 host 192.168.3.5 eq 1433

access-group dmz_acl in interface dmz

In case you have any access-list on the inside, just add this line:

access-list inside permit ip host 192.168.3.5 host 192.168.2.6

You can also try doing a NONAT instead of the static given above:

nat (inside) 0 access-list nonat

access-list nonat permit ip host 192.168.3.5 host 192.168.2.6

Hope this helps. Rate replies if found useful. All the best.

Raj
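To show the whole picture for the scenario in the reply above, here is an added, complete PIX 6.x configuration fragment for the inside/DMZ case. It is not from the original post: the interface names, the security levels, the PIX interface addresses (192.168.3.1 and 192.168.2.1) and the ACL names are assumptions, and the "!" lines are annotations for reading, not commands to paste. The point it makes that the thread does not spell out: the web server (inside, higher security) is the one that opens the session, so the permit belongs on an ACL applied inbound on the inside interface, and the DMZ-side ACL only needs to deny everything, because the PIX's stateful inspection allows the return packets of an established TCP/1433 connection on its own.

```cisco
! Assumed interface layout on the PIX 525 (PIX 6.x syntax)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Identity translation: the PIX will not pass inside->dmz traffic without some
! translation rule, and this keeps the web server's real address visible on the DMZ.
static (inside,dmz) 192.168.3.5 192.168.3.5 netmask 255.255.255.255

! Inside -> DMZ: only the web server, only TCP/1433, only to the DB server.
! Once an ACL is bound to the inside interface the default "higher security may
! reach lower security" behaviour is replaced by this list, so everything else
! the inside segment used to be able to start towards the DMZ is now blocked.
access-list inside_acl permit tcp host 192.168.3.5 host 192.168.2.6 eq 1433
access-list inside_acl deny ip any any
access-group inside_acl in interface inside

! DMZ -> inside: the DB server never needs to initiate a session to the web
! server, so nothing is permitted. Return traffic of the web server's sessions
! is matched by the connection table, not by this ACL.
access-list dmz_acl deny ip any any
access-group dmz_acl in interface dmz

! Log what the explicit denies catch so a misconfigured client shows up in syslog.
logging on
logging trap informational
```

After applying it, start a query from the web server and confirm the flow with `show xlate` (one identity entry for 192.168.3.5), `show conn` (a TCP entry 192.168.3.5 -> 192.168.2.6:1433) and `show access-list inside_acl` (the hit count on the permit line increments). If instead you go with the `nat (inside) 0 access-list nonat` form from the reply, drop the `static` line; keep the two ACLs the same.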

Hi Raj,

Thanks for the info. In your example, you assume the Web server is the Inside segment. If my FW has the Outside, Inside, DMZ segments, can I use the Outside segment for the Web server? What is the preferred or de facto way of doing this? Can you tell me what is the best way of putting what servers in what segments? Right now, I assume your example is the best way.

To give you a better picture, the purpose of this FW is to protect the DB server. I will only let the ODBC traffic thru. I already have an Internet FW that's protecting the Web servers.

TIA

Tom

Hi Tom,

Don't think of putting any servers on the outside segment. There will be absolutely no security if you put them on the outside segment; they are exposed to the internet.

You can either put the server on the inside or the DMZ. I would recommend putting all the critical servers on the DMZ, just because the servers can be protected both from the inside and outside networks. This is the most secure way of doing it.

Consider the server on the inside. You have all the users on the LAN, who can knowingly or unknowingly attack the server. There are no restrictions here, unless you have a layer 3 switch which can filter packets...

So, put your DB server and web server on the DMZ interface to have the maximum security.

Hope this helps. Rate replies if found useful.

Raj
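One caveat a practitioner would want next to the placement advice above: if the web server and the DB server share a single DMZ interface, they are on the same subnet and their TCP/1433 traffic never crosses the PIX, so the firewall cannot filter it. The added fragment below, which is not part of the thread, is one way to keep both servers off the inside and still have the PIX between them: a second DMZ interface (assumed `ethernet3`, which on a PIX 525 means an add-on interface card) at a lower security level holds the DB server, the web servers stay on the first DMZ, and the existing Internet firewall still sits in front of the outside interface. The interface names, security levels and PIX addresses are assumptions, and the "!" lines are annotations to strip before pasting.

```cisco
! Assumed layout: web tier on dmz (security50), database tier on dmz2 (security40).
! The lower level on dmz2 means nothing there can start a session towards the
! web tier unless an ACL on dmz2 explicitly allows it.
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security40
ip address dmz 192.168.3.1 255.255.255.0
ip address dmz2 192.168.2.1 255.255.255.0

! Identity translation so dmz -> dmz2 traffic is allowed to be set up
! (PIX 6.x needs a translation rule between any two interfaces).
static (dmz,dmz2) 192.168.3.5 192.168.3.5 netmask 255.255.255.255

! Web tier -> database tier: only the web server, only TCP/1433 to the DB server.
access-list dmz_acl permit tcp host 192.168.3.5 host 192.168.2.6 eq 1433
access-list dmz_acl deny ip any any
access-group dmz_acl in interface dmz

! Database tier -> anywhere: nothing. A compromised DB server cannot reach the
! web tier, the inside LAN or the internet on its own.
access-list dmz2_acl deny ip any any
access-group dmz2_acl in interface dmz2

! Inside users must not talk to the DB server directly; administration of it
! goes through whatever path you deliberately permit here (none in this example).
access-list inside_acl deny ip any host 192.168.2.6
access-list inside_acl permit ip any any
access-group inside_acl in interface inside
```

Verification is the same as for the inside/DMZ layout: `show conn` should list only the 192.168.3.5 -> 192.168.2.6:1433 sessions, and `show access-list dmz2_acl` should show hits only on the deny line. If the DB server needs to reach a DNS or backup host, add a specific permit on `dmz2_acl` for that one destination and port rather than reopening the interface.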
