10-11-2004 09:16 AM - edited 03-09-2019 09:03 AM
Hi,
I have a Web server which is in the DMZ and needs a connection through the LAN using ODBC port 1433. Is this possible and if so, what's the correct syntax and what entries do I need to make?
DMZ Web server IP: 192.168.1.70
LAN DB server IP: 192.168.3.40
TIA
Tom
10-11-2004 10:42 AM
There are multiple ways to accomplish what you are trying to do. The key is that you are going to need a translation and allow access. The easiest way to accomplish this is:
static (inside, dmz) 192.168.3.40 192.168.3.40
access-list
Hope this helps.
Scott
10-15-2004 08:59 AM
Thanks Scott. It works. However, now I want to test out the ODBC 1433 connection from the LAN to the DMZ, what's the correct syntax?
LAN server IP: 192.168.4.80
DMZ IP: 192.168.2.50
Thanks.
TIA
Tom
10-29-2004 09:49 AM
Scott,
I'm basically trying to do the same thing, however, I need for my IDS 4215, which is in the DMZ, to be able to send me an email utilizing my Exchange Mail Server on the Inside network. I have tried the static entry you have here, except I put the (NETMASK 255.255.255.255 0 0) using my email server IP, but I did not add the access-list. You did not post here, but is that access-list for the (Inside) or the (DMZ)?
Another question - using that static entry you have here with my mail server IP, will translation of my mail server stop?
Ron
10-29-2004 11:52 AM
In the example I gave, you would need to apply the access-list to the lower security interface, or in this case, the DMZ interface. By default, on a PIX, traffic from higher security interfaces is automatically allowed to hosts on lower security interfaces (e.g. internal hosts browsing out to the Internet). However, traffic from lower security interfaces destined to hosts on higher security interfaces must be explicitly permitted. Hence, why you would need an ACL entry to allow the IDS on your DMZ to talk to your Exchange server on the inside. Make sense?
Not 100% sure what you mean by the last question but I think you are asking if you add the static I suggested, will the mail server no longer be able to send packets outbound to the Internet. The answer to this is no because the static I suggested only affects traffic between the inside and DMZ interface. It has nothing to do with the static you have allowing external access to the mail server. If this is not what you are asking, please let me know.
Scott
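Added example, not part of the original posts: a PIX configuration sketch of the lower-to-higher rule described above, using the DMZ web server and LAN DB server addresses from the first post. The ACL name `dmz_in` is an assumption, as is the choice to scope the permit to a single host pair and port.

```cisco
: Identity static so the inside DB server is reachable from the dmz
: interface under its own address (same static as suggested above,
: with an explicit host netmask).
static (inside,dmz) 192.168.3.40 192.168.3.40 netmask 255.255.255.255

: Too broad: lets every DMZ host reach every port on the DB server.
: access-list dmz_in permit ip any host 192.168.3.40

: Scoped: only the web server, only TCP 1433, only the DB server.
access-list dmz_in permit tcp host 192.168.1.70 host 192.168.3.40 eq 1433

: Bind the ACL inbound on the lower-security (dmz) interface.
: Once bound, the ACL's implicit deny applies to ALL traffic entering
: from the dmz, including DMZ-to-outside flows that were previously
: allowed by default, so add explicit permits for those if needed.
access-group dmz_in in interface dmz

: Checks after applying:
:   show access-list dmz_in   (hit counts should rise on the 1433 entry)
:   show xlate                (the identity translation should be listed)
```

Traffic in the other direction (inside to dmz) still follows the default higher-to-lower behaviour described in the post and needs no entry in `dmz_in`.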