Webserver in DMZ Accessing SQL DB on Inside

PE-PatInBC
Level 1

I have searched but cannot find anything clear on how to access a SQL Server DB on the inside interface from a Webserver in the DMZ. I believe that there needs to be an Access-Group for the access-list to bind the interface, and an access-list. I found the following article from Microsoft but it's fairly general.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q287932

Currently when I try to run the web app I am getting the following:

-----------------------------------------------------

2005-04-21 13:50:50 Local4.Critical 192.168.10.100 Apr 21 2005 12:48:32: %PIX-2-106001: Inbound TCP connection denied from 192.168.20.101/3454 to 192.168.10.20/445 flags SYN on interface DMZ

-----------------------------------------------------

I want to do this in the most secure way that is possible.

Any thoughts would be appreciated.

1 Reply

Patrick Iseli
Level 7

Should be something like this:

DMZ host is: 192.168.20.101

Inside host is: 192.168.10.20

I suppose SQL Port is TCP/1433 if not just replace it with the right port.

Seems that TCP 445 is needed also.

# Permits access from the DMZ host 192.168.20.101 to inside host 192.168.10.20 on ports 1433 and 445. All other traffic from the DMZ outgoing will be blocked. This does not affect traffic coming from the outside interface (Internet) to the DMZ!

access-list dmz permit tcp host 192.168.20.101 host 192.168.10.20 eq 1433

access-list dmz permit tcp host 192.168.20.101 host 192.168.10.20 eq 445

access-group dmz in interface dmz

# Syntax to disable NAT between the DMZ and inside interfaces

# static (inside,dmz) InsideNet InsideNet netmask InsideSubnetMask 0 0

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

# This command resets all translations, take care during working hours. But this is needed to apply static changes!

clear xlate

sincerely

Patrick
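Added example, not code from either poster: a small Python script that parses %PIX-2-106001 deny messages like the one in the question, turns denies to an allowlisted port into the exact access-list lines from the reply, and emits the full ordered command set (access-list, access-group, identity static, clear xlate). Denies to ports outside the allowlist are set aside for review instead of being permitted; TCP 445 is SMB/CIFS, and a SQL client that reaches for 445 is using named pipes rather than the TCP/IP provider, so the least-privilege fix is to switch the client to TCP/IP on 1433 rather than open SMB from the DMZ to the inside network. The sample syslog lines are constructed (the first copies the message in the question), and the ACL name, interface name, inside network and port allowlist are assumptions.

```python
"""Turn PIX %PIX-2-106001 deny messages into a minimal DMZ-to-inside ruleset.

Added example, not from the thread. The syslog lines in SAMPLE_LOGS are
constructed (the first copies the question's message); the ACL name 'dmz',
the inside network and the port allowlist are assumptions.
"""
import re

# Only PIX 6.x message 106001 ("Inbound TCP connection denied") is parsed.
DENY_106001 = re.compile(
    r"%PIX-2-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

SAMPLE_LOGS = [
    # copied from the question: the web server trying SMB/CIFS (TCP 445)
    "2005-04-21 13:50:50 Local4.Critical 192.168.10.100 Apr 21 2005 12:48:32: "
    "%PIX-2-106001: Inbound TCP connection denied from 192.168.20.101/3454 "
    "to 192.168.10.20/445 flags SYN on interface DMZ",
    # constructed: the same web server trying the SQL Server TCP port
    "2005-04-21 13:51:02 Local4.Critical 192.168.10.100 Apr 21 2005 12:48:44: "
    "%PIX-2-106001: Inbound TCP connection denied from 192.168.20.101/3455 "
    "to 192.168.10.20/1433 flags SYN on interface DMZ",
    # constructed: an unrelated message that must be ignored
    "2005-04-21 13:51:03 Local4.Info 192.168.10.100 Apr 21 2005 12:48:45: "
    "%PIX-6-302001: Built inbound TCP connection 1234 for faddr 10.0.0.1/80",
]

SQL_TCP_PORT = 1433  # assumption: SQL Server's default TCP/IP listener


def parse_deny(line):
    """Return the fields of a 106001 deny as a dict, or None for other messages."""
    m = DENY_106001.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def plan_rules(lines, allowed_ports=(SQL_TCP_PORT,)):
    """Split denies into flows to permit and flows a human must review.

    Returns (permits, review). permits is an ordered, de-duplicated list of
    (proto, src, dst, dport) tuples for destination ports on the allowlist.
    review collects every other deny, e.g. TCP 445 (SMB): for a SQL client
    that usually means named pipes are in use, and the fix is to switch the
    client to the TCP/IP provider rather than to open SMB into the inside.
    """
    permits, review = [], []
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        key = (ev["proto"].lower(), ev["src"], ev["dst"], ev["dport"])
        if ev["dport"] in allowed_ports:
            if key not in permits:
                permits.append(key)
        else:
            review.append(key)
    return permits, review


def pix_config(permits, acl="dmz", iface="dmz",
               inside_net="192.168.10.0", mask="255.255.255.0"):
    """Emit the PIX 6.x commands in the order they have to be applied."""
    cmds = [f"access-list {acl} permit {proto} host {src} host {dst} eq {port}"
            for proto, src, dst, port in permits]
    # bind the ACL inbound on the DMZ interface; everything else from the DMZ is dropped
    cmds.append(f"access-group {acl} in interface {iface}")
    # identity static: inside addresses are presented unchanged toward the DMZ
    cmds.append(f"static (inside,{iface}) {inside_net} {inside_net} netmask {mask}")
    # existing translations are dropped, so schedule this outside working hours
    cmds.append("clear xlate")
    return cmds


if __name__ == "__main__":
    permits, review = plan_rules(SAMPLE_LOGS)
    for flow in review:
        print(f"! review, not permitted: {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}")
    print("\n".join(pix_config(permits)))
```

Run it as is to see the 445 deny reported for review and the 1433 rule, the access-group, the identity static and clear xlate printed in order; pass a different allowlist to plan_rules if the SQL instance listens on another port.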