I recently moved an IIS web server into my firewall DMZ. One of the websites on it authenticates users against a Microsoft SQL database using Microsoft Transaction Server that is on my internal network. Actually, once it moves into the DMZ it no longer authenticates. But as soon as I move the box to the internal network it runs fine. The IIS server behaves just fine for any other process, http, ping, etc. My access list from the DMZ is allowing all IP traffic, so there is no port manipulation that I am aware of. Any ideas?
current DMZ access list:
access-list DMZ permit ip any 10.1.0.0 255.255.0.0
access-list DMZ permit icmp any any
access-list DMZ permit ip any 10.2.0.0 255.255.0.0
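To sanity-check what the posted DMZ list actually permits, here is a small evaluator of PIX 6.x-style access-list entries. It is an added example, not code from the thread or from Cisco; it transcribes the three entries above, applies first-match semantics with the implicit deny at the end, and tests a few constructed flows (the DMZ host address 192.168.50.10 is made up for the example). Port qualifiers are deliberately rejected rather than silently ignored, since the posted entries carry none.

```python
import ipaddress

# Transcription of the DMZ access-list posted above (copied for the example).
PIX_ACL_DMZ = [
    "access-list DMZ permit ip any 10.1.0.0 255.255.0.0",
    "access-list DMZ permit icmp any any",
    "access-list DMZ permit ip any 10.2.0.0 255.255.0.0",
]


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'addr mask') and
    return (network, remaining tokens). PIX uses a normal subnet mask here,
    not an IOS-style wildcard mask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' into a dict.
    Entries with port or other trailing qualifiers raise, because this
    example does not model them."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not a PIX access-list entry: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"unsupported qualifiers {rest} in: {line!r}")
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, proto, src, dst):
    """Return the action of the first matching entry, or 'deny (implicit)'
    when nothing matches. 'ip' entries match every protocol."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for ace in (parse_ace(line) for line in acl_lines):
        proto_ok = ace["proto"] == "ip" or ace["proto"] == proto
        if proto_ok and src_ip in ace["src"] and dst_ip in ace["dst"]:
            return ace["action"]
    return "deny (implicit)"


if __name__ == "__main__":
    # Constructed flows from a DMZ host (address made up for the example).
    flows = [
        ("tcp", "192.168.50.10", "10.1.5.20"),   # DMZ -> internal 10.1/16
        ("udp", "192.168.50.10", "10.2.200.1"),  # DMZ -> internal 10.2/16
        ("tcp", "192.168.50.10", "172.16.1.1"),  # DMZ -> network not in the list
        ("icmp", "192.168.50.10", "172.16.1.1"), # icmp any any
    ]
    for proto, s, d in flows:
        print(f"{proto:5} {s} -> {d}: {evaluate(PIX_ACL_DMZ, proto, s, d)}")
```

As the evaluator shows, any IP protocol from the DMZ to 10.1.0.0/16 or 10.2.0.0/16 is permitted by the list, so a plain port filter on this interface is not what blocks the DMZ-to-inside direction; the remaining suspects are translation, the inside-to-DMZ direction, or application behaviour the list cannot express.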
Have you compared the access-lists from internal and DMZ? Are there any VPNs set up? (Sometimes I think the VPN config will alter what traffic comes through and doesn't on that interface, it seems.)
What model of firewall do you have? A 515e? Or higher?
You may have already thought of most of this, but it doesn't hurt to suggest it in case you haven't. :)
Hope you get it fixed.
I have no access-list on my internal interface and I am using a 525 running 6.2(2) and no VPN. The vendor who runs this application claims that SOME firewalls don't handle MTS correctly, but I can not find anything that says the Pix has any such problem.
Thanks for your input.
Do you have address translation defined? Even if you don't want the addresses to change from inside to DMZ, you need to define static mappings for those servers.
Anything else in the DMZ works just fine, it is just this particular communication.
Here are my static statements between the DMZ and the inside interface:
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0