12-06-2004 08:33 PM - edited 03-09-2019 09:40 AM
Hi All,
I would like to ask about PIX deployment. Is it possible to put an SQL server on the DMZ (or on any of the 5 interfaces excluding the inside interface) and just define a NAT to enable inside users to access the DMZ, while not allowing outside users to access the SQL server? We are planning to put an SQL server on a DMZ so that unauthorized inside users won't be able to know the actual address of the SQL server.
Are there any issues that need to be considered regarding this deployment?
Thanks in advance,
udimpas
12-06-2004 09:24 PM
Hi Udimpas,
Yes, your scenario is possible. You can put the SQL server on the DMZ LAN and allow access to the inside users. At the same time, you can also block access from outside.
Let's say your SQL IP is 192.168.1.10 and your inside LAN is 10.1.1.0/24. You can do the following:
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
By doing this, you don't NAT any traffic from your inside to the SQL server. In case you have any access-lists defined on your inside network, you need to open port 1433.
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
You need not add the above ACL if you don't have any restrictions from inside, as of now.
Hope this helps. All the best,
Raj
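To show how Raj's two lines fit into a complete configuration, here is an added example (not part of the original reply) using PIX 6.3 syntax. It assumes three interfaces named outside, inside and dmz, the addresses from the reply (inside 10.1.1.0/24, SQL host 192.168.1.10) and a constructed outside address 203.0.113.2; it also assumes Microsoft SQL Server, which listens on TCP 1433. Lines starting with a colon are PIX comments.

```cisco
: Added example, not from the original post. Assumes PIX 6.3 syntax and
: the constructed addressing below.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

: Identity NAT: inside hosts reach the SQL server with their real addresses
: and the server's real address is never published on the outside.
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
nat (inside) 0 access-list nonat

: All other inside traffic is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

: Inside users may only talk SQL (TCP 1433) to the DMZ host. The deny line
: before the general permit stops other ports from reaching the server.
access-list inside remark inside -> dmz: SQL Server only
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list inside deny ip any host 192.168.1.10
access-list inside permit ip 10.1.1.0 255.255.255.0 any
access-group inside in interface inside

: Outside: no static maps a public address to 192.168.1.10, and the ACL ends
: with an explicit deny, so nothing from the internet can reach the server.
access-list outside remark outside -> dmz: nothing published yet
access-list outside deny ip any any
access-group outside in interface outside
```

After applying it, `show access-list inside` shows hit counts per line, which is the quickest way to confirm that inside SQL clients are matching the 1433 entry and not the deny; `show xlate` should show no translation for 192.168.1.10, confirming the nat 0 exemption is in effect.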
12-06-2004 10:03 PM
Hi Raj,
Thank you very much for the inputs!!
We will be deploying our PIX515E late this month. Our PIX515E has six interfaces. Would it also be possible for our other servers to be put on these interfaces (excluding the inside and outside interfaces), following the inputs that you have provided?
Also, do I need a router if more than one server will be put on a DMZ interface, aside from a switch?
Regards,
udimpas
12-06-2004 10:20 PM
Hello udimpas,
Yes, of course. You can put your servers on the DMZ ports. DMZ ports are specifically designed to hold all your production servers, as the firewall can restrict access both from inside and outside.
You do not need any router on the DMZ if you put more servers there. All servers will have the PIX DMZ IP address as their default gateway, and the PIX will forward the packets to the outside router if the data is destined for the internet. That's it.
You just need to make sure you open the ports on the firewall for access between the DMZ and inside.
Hope this helps. Thanks, and rate replies if found useful.
Raj
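The multi-server case Raj describes, as an added example that is not part of the original reply. It assumes PIX 6.3 syntax (object-group needs 6.2 or later), the same interface names and addresses as before, and two constructed DMZ hosts: the SQL server at 192.168.1.10 (TCP 1433, inside-only) and a web server at 192.168.1.20 (TCP 80/443) that is published to the internet behind a constructed public address 203.0.113.20. All DMZ hosts use 192.168.1.1, the PIX dmz interface, as their default gateway; no router is needed on that segment.

```cisco
: Added example, not from the original post. Assumes PIX 6.3 and the
: constructed DMZ hosts described in the lead-in.
ip address dmz 192.168.1.1 255.255.255.0

: Group the DMZ hosts and the ports each one needs, so the ACLs stay short
: as more servers are added to the DMZ switch.
object-group network dmz-servers
  network-object host 192.168.1.10
  network-object host 192.168.1.20
object-group service web-ports tcp
  port-object eq 80
  port-object eq 443

: Inside -> DMZ with real addresses (no translation in either direction).
access-list nonat permit ip 10.1.1.0 255.255.255.0 object-group dmz-servers
nat (inside) 0 access-list nonat

: DMZ hosts that need to reach the internet (updates, DNS) are PATed on the
: outside interface, the same pool the inside users use.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0

: Per-server ports opened from inside; the SQL host stays unpublished.
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.20 object-group web-ports
access-list inside deny ip any object-group dmz-servers
access-list inside permit ip 10.1.1.0 255.255.255.0 any
access-group inside in interface inside

: Only the web server gets a static translation and an outside permit.
: 192.168.1.10 has no static, so it is unreachable from the internet.
static (dmz,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255
access-list outside permit tcp any host 203.0.113.20 object-group web-ports
access-list outside deny ip any any
access-group outside in interface outside

: DMZ hosts may go out but not initiate connections toward the inside LAN.
access-list dmz deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz permit ip 192.168.1.0 255.255.255.0 any
access-group dmz in interface dmz
```

The dmz ACL is the part that is easy to forget when a DMZ fills up with servers: because `nat 0 access-list` exempts traffic in both directions, a compromised DMZ host could otherwise open connections back into 10.1.1.0/24. `show access-list dmz` hit counts on the deny line are a cheap early warning that something on the DMZ is trying to do so.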
12-06-2004 10:55 PM
Hi Raj,
Thanks again! This really clarifies my doubts.
Regards,
udimpas