Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1891
Views
0
Helpful
6
Replies

PIX DMZ Question

mbettis
Level 1
Level 1

‎10-15-2001 03:27 PM - edited ‎02-20-2020 09:52 PM

outside

|

PIX --inside - database server

|

DMZ

|

Web Server

I can't get the Web Server to communicate with the database server. I can http to the web server from inside,outside. I can http from DMZ to outside. Any ideas?

0 Helpful
6 Replies 6

engel
Level 2
Level 2

‎10-16-2001 12:49 AM

Default for lower security (DMZ) to access higher security area (inside) is drop all traffic.

One possible solution is to add a conduit command to permit access from web-server to the database-server.

HTH

0 Helpful

mbettis
Level 1
Level 1
In response to engel

‎10-16-2001 09:11 AM

Here is what I have for access list.

access-list inside_access_in permit ip any host 192.168.254.100(webserver)

access-group inside_access_in in interface inside

0 Helpful

mbettis
Level 1
Level 1
In response to mbettis

‎10-16-2001 09:16 AM

Could it be that I have nat setup wrong?

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

Thanks.

0 Helpful

rrbleeker
Level 1
Level 1
In response to mbettis

‎10-17-2001 08:03 AM

For the www server to be able to communicate with the database server you have to have a static translation and an access-list (or conduit) configured on the PIX. Assuming that your DMZ network is 192.168.1.0/24 (with 192.168.1.1 for the www server and 192.168.1.100 available) and your database server IP address 10.1.1.1 you need to setup the following config:

static (inside,dmz) 192.168.1.100 10.1.1.1 netmask 255.255.255.255

access-list dmz permit ip host 192.168.1.1 host 192.168.1.100 (or more restrictive)

access-group dmz in interface dmz

Success!!

0 Helpful

mbettis
Level 1
Level 1
In response to rrbleeker

‎10-18-2001 06:37 AM

I figured out what was going wrong. I would setup an ip address for the inside interface and it would put a route in on the inside to point to the inside interface on the PIX. So i removed the ip address and put in the static route to point to the inside router. I then put the ip address back in the inside address to the correct ip and bang! it worked.

0 Helpful

daviswu
Level 1
Level 1
In response to mbettis

‎10-18-2001 08:25 PM

Dear all,

I have the same problem as mbettis. I put Web server and Mail server at DMZ and DB server at inside. One DNS for outside and one DNS for inside. Mail and Web service are no problem with inside to outside or outside into inside, but the Web server can't access the inside DB server.

My Pix : 515R v5.3

Web Server : 10.1.1.1

DMZ Interface : 10.1.1.11

DB Server : 172.16.1.1

DB Server gateway : 172.16.1.11

Inside Interface : 172.16.1.11

As rrbleeker mentioned, I setup the following config:

static (inside,dmz) 10.1.1.2 172.16.1.11 netmask 255.255.255.255

access-list dmz permit tcp any any

access-list dmz permit ip any any

access-list dmz permit icmp any any

access-group dmz in interface dmz

I opened all security between dmz and inside, there has no help about access to DB server. Would some one experts help me to solve this problem?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card