Need to know correct syntax for DMZ to LAN mapping.

ewai
Level 1

Hi,

I have a Web server which is in the DMZ and needs a connection through the LAN using ODBC port 1433. Is this possible, and if so, what's the correct syntax and what entries do I need to make?

DMZ Web server IP: 192.168.1.70

LAN DB server IP: 192.168.3.40

TIA

Tom

4 Replies

scoclayton
Level 7

There are multiple ways to accomplish what you are trying to do. The key is that you are going to need a translation and allow access. The easiest way to accomplish this is:

static (inside,dmz) 192.168.3.40 192.168.3.40

access-list dmz_in permit tcp host 192.168.1.70 host 192.168.3.40 eq 1433

access-group dmz_in in interface dmz

Hope this helps.

Scott

Thanks Scott. It works. However, now I want to test out the ODBC 1433 connection from the LAN to the DMZ, what's the correct syntax?

LAN server IP: 192.168.4.80

DMZ IP: 192.168.2.50

Thanks.

TIA

Tom

Scott,

I'm basically trying to do the same thing, however, I need for my IDS 4215, which is in the DMZ, to be able to send me an email utilizing my Exchange Mail Server on the Inside network. I have tried the static entry you have here, except I put the (NETMASK 255.255.255.255 0 0) using my email server IP, but I did not add the access-list. You did not post here, but is that access-list for the (Inside) or the (DMZ)?

Another question - using that Static entry you have here with my Mail Server IP, will Translation of my Mail Server Stop?

Ron

In the example I gave, you would need to apply the access-list to the lower security interface, or in this case, the DMZ interface. By default, on a PIX, traffic from higher security interfaces is automatically allowed to hosts on lower security interfaces (e.g. internal hosts browsing out to the Internet). However, traffic from lower security interfaces destined to hosts on higher security interfaces must be explicitly permitted. Hence, why you would need an ACL entry to allow the IDS on your DMZ to talk to your Exchange server on the inside. Make sense?

Not 100% sure what you mean by the last question, but I think you are asking if you add the static I suggested, will the mail server no longer be able to send packets outbound to the Internet. The answer to this is no, because the static I suggested only affects traffic between the inside and DMZ interfaces. It has nothing to do with the static you have allowing external access to the mail server. If this is not what you are asking, please let me know.

Scott
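The security-level rule Scott describes (higher to lower passes by default, lower to higher needs a static plus an explicitly applied ACL) can be checked against the thread's own addresses with a small policy model. This is an added example, not Cisco code and not anything posted in the thread: it assumes the interface levels inside=100, dmz=50, outside=0, ignores NAT details such as nat/global and nat-control, and uses the ACL name dmz_in only as a placeholder. The `Pix`, `Ace` and `thread_scenario` names are the example's own.

```python
from dataclasses import dataclass, field

# Interface security levels as on a typical PIX (assumed values for this model).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Ace:
    """One 'access-list <name> permit tcp host <src> host <dst> eq <port>' entry."""
    src: str
    dst: str
    port: int


@dataclass
class Pix:
    # (high_if, low_if, real_ip, mapped_ip) from 'static (high_if,low_if) mapped real'
    statics: set = field(default_factory=set)
    # interface -> ACEs applied inbound with 'access-group <name> in interface <if>'
    acls: dict = field(default_factory=dict)

    def static(self, high_if, low_if, mapped_ip, real_ip):
        self.statics.add((high_if, low_if, real_ip, mapped_ip))

    def access_list_in(self, interface, ace):
        self.acls.setdefault(interface, []).append(ace)

    def permits(self, src_if, src_ip, dst_if, dst_ip, port):
        """Return (allowed, reason) for a new TCP connection src_ip -> dst_ip:port."""
        s, d = SECURITY_LEVEL[src_if], SECURITY_LEVEL[dst_if]
        if s == d:
            return False, "same security level: not covered by this model"
        if s > d:
            # Higher -> lower passes by default (NAT/global details omitted here).
            return True, "higher to lower security: allowed by default"
        # Lower -> higher: the destination must be reachable through a static
        # presented on the lower interface, and an inbound ACE must permit it.
        translated = any(hi == dst_if and lo == src_if and mapped == dst_ip
                         for hi, lo, _real, mapped in self.statics)
        if not translated:
            return False, f"no static ({dst_if},{src_if}) for {dst_ip}"
        for ace in self.acls.get(src_if, []):
            if ace.src == src_ip and ace.dst == dst_ip and ace.port == port:
                return True, f"permitted by ACE on {src_if}"
        return False, f"no ACE on {src_if} permits {src_ip} -> {dst_ip}:{port}"


def thread_scenario():
    """Replay the thread's flows; returns the four (allowed, reason) decisions."""
    pix = Pix()
    # DMZ web server -> LAN DB server before any configuration.
    before = pix.permits("dmz", "192.168.1.70", "inside", "192.168.3.40", 1433)
    # The static and ACL suggested for the first question (ACL name is a placeholder).
    pix.static("inside", "dmz", "192.168.3.40", "192.168.3.40")
    pix.access_list_in("dmz", Ace("192.168.1.70", "192.168.3.40", 1433))
    after = pix.permits("dmz", "192.168.1.70", "inside", "192.168.3.40", 1433)
    # Second question, LAN -> DMZ: higher -> lower security, no ACL needed.
    reverse = pix.permits("inside", "192.168.4.80", "dmz", "192.168.2.50", 1433)
    # A different DMZ host is still blocked: the ACE is host-specific.
    other = pix.permits("dmz", "192.168.1.71", "inside", "192.168.3.40", 1433)
    return before, after, reverse, other


if __name__ == "__main__":
    for verdict in thread_scenario():
        print(verdict)
```

The `reason` strings show which of the two prerequisites (static or ACE) is missing, which is the distinction Ron's question turns on: his static alone gives translation but not permission, because no ACL is applied inbound on the DMZ interface.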