Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
4
Replies

MTS not passing through the PIX

bth_dad
Level 1
Level 1

‎02-26-2003 10:35 AM - edited ‎02-20-2020 10:35 PM

I recently moved an IIS web server into my firewall DMZ. One of the websites on it authenticates users against a Microsoft SQL database using Microsoft Transaction Server that is on my internal network. Actually, once it moves into the DMZ it no longer authenticates. But as soon as I move the box to the internal network it runs fine. The IIS server behaves just fne for any other process, http, ping, etc...My access list from the DMZ is allowing all IP traffic, so there is no port manipulation that I am aware of. Any Ideas?

current DMZ access list:

access-list DMZ permit ip any 10.1.0.0 255.255.0.0

access-list DMZ permit icmp any any

access-list DMZ permit ip any 10.2.0.0 255.255.0.0

Thanks

Todd

0 Helpful
4 Replies 4

dsingleterry
Level 1
Level 1

‎02-27-2003 05:32 AM

have you compared the access-lists from internal and DMZ? Is there any VPN's setup? (sometimes I think the VPN config will alter what traffic comes through and doesnt on that interface it seems)

What model of firewall do you have? a 515e? or higher?

You may have already thought of most of this, but it doesnt hurt to suggest it in case you havent. :)

Hope you get it fixed.

0 Helpful

bth_dad
Level 1
Level 1
In response to dsingleterry

‎02-27-2003 05:53 AM

I have no access-list on my internal interface and I am using a 525 running 6.2(2) and no VPN. The vendor who runs this application claims that SOME firewalls don't handle MTS correctly, but I can not find anything that says the Pix has any such problem.

Thanks for your input.

Todd

0 Helpful

chrclark
Level 1
Level 1

‎02-27-2003 05:51 AM

Do you have address translantion defined? Even if you don't want the addresses to changes from inside - DMZ, you need to define static mappings for those servers.

0 Helpful

bth_dad
Level 1
Level 1
In response to chrclark

‎02-27-2003 05:56 AM

Anything else in the DMZ works just fine, it is just this particular communication.

Here are my static statements between the DMZ and the inside interface:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

static (inside,DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card