10-17-2001 11:58 AM - edited 03-08-2019 08:53 PM
I am about to build a web server and place the server on our DMZ. My question is: I'm going to be creating a Client Access Express ODBC connection to our AS/400 server on the inside (private). Is there a way I can secure this to allow only ODBC requests to our inside server? What are my options and what are the security risks?
Thanks for any input!!
10-17-2001 01:25 PM
Remember that you can control the flow of traffic in both directions. So specify the two devices explicitly in any access-list, or static NAT config with the designated port/service specified.
To garner the most out of the configuration, consideration for bi-directional traffic is key.
10-17-2001 02:16 PM
I was going to enter this. Would this ONLY allow the
static (inside,dmz) 172.17.1.3 172.17.1.3 netmask 255.255.255.255 0 0
static (dmz,outside)
conduit permit tcp host 172.17.1.3 eq
Thanks.
10-18-2001 02:21 AM
You can use ACLs and bind statics to certain protocols and ports using:
static (inside,dmz) 172.17.1.3 172.17.1.3 netmask 255.255.255.255 0 0
access-list acl_dmz permit tcp host DMZServerIP host 172.17.1.3 eq IPPort
access-group acl_dmz in interface dmz
In the above case, the ODBC drivers may use native drivers and IP ports to connect to the AS400 (I think DB2 uses 523 TCP).
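An added example, not part of the thread or any poster's configuration: a small Python audit that reads PIX-style `access-list` lines and reports every permit entry broader than "TCP, one DMZ host to one inside host, one port". The DMZ address 192.168.50.10 is an assumed placeholder, port 523 is only the figure mentioned in the reply above, and entries are assumed to carry no source-port qualifier.

```python
# Added example: audit PIX-style access-list lines for entries wider than
# "tcp, one DMZ host -> one inside host, one port".
# Assumes entries carry no source-port qualifier.

# Constructed sample. 192.168.50.10 (DMZ web server) is an assumed address;
# 172.17.1.3, acl_dmz and port 523 are the values used in the thread.
SAMPLE_CONFIG = """\
access-list acl_dmz permit tcp host 192.168.50.10 host 172.17.1.3 eq 523
access-list acl_dmz permit tcp any host 172.17.1.3 eq 523
access-list acl_dmz permit ip host 192.168.50.10 host 172.17.1.3
access-list acl_dmz permit tcp host 192.168.50.10 host 172.17.1.3 range 1 65535
access-list acl_dmz permit tcp 192.168.50.0 255.255.255.0 host 172.17.1.3 eq 523
access-list acl_dmz deny ip any any
access-group acl_dmz in interface dmz
"""


def parse_endpoint(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the token list."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def audit_acl(config, acl_name, src_ip, dst_ip, ports):
    """Return [(line, [reasons])] for each permit entry broader than intended."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl_name, "permit"]:
            continue
        try:
            proto = tok[3]
            src, rest = parse_endpoint(tok[4:])
            dst, rest = parse_endpoint(rest)
        except IndexError:
            findings.append((line, ["could not parse entry"]))
            continue
        reasons = []
        if proto != "tcp":
            reasons.append(f"protocol is {proto}, not tcp")
        if src != ("host", src_ip):
            reasons.append("source is not the single DMZ host")
        if dst != ("host", dst_ip):
            reasons.append("destination is not the single inside host")
        if len(rest) != 2 or rest[0] != "eq" or rest[1] not in ports:
            reasons.append("port is not limited to an expected service")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Calling `audit_acl(SAMPLE_CONFIG, "acl_dmz", "192.168.50.10", "172.17.1.3", {"523"})` returns the four over-broad entries with their reasons; pass the ports your ODBC driver actually uses once you have confirmed them.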