
DMZ web server --> inside database server

otnj2ee
Level 1

Assume a network topology like this:

A PIX with 3 interfaces:

<inside> interface (private static IP of 10.10.10.1)

<outside> interface (public static IP of 69.110.38.35)

<DMZ> interface (private static IP of 30.30.30.1)

--------------------------------------------

The internal network has a {database server} with the IP of 10.10.10.2.

The DMZ has a {web server} with the IP of 30.30.30.2.

I'll allow any external (outside) hosts to access the web server (30.30.30.2) via port 80.

This web server will, in turn, access the database server (10.10.10.2).

Assume all the other commands are issued. Next, I'll create an access-list that permits DMZ WWW Server to communicate with inside Database server.

access-list dmz-to-inside permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521

Do I need to issue the following, too:

1) access-list dmz permit tcp host 30.30.30.2 any eq 80

2) access-group dmz in interface dmz

3) static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

4) clear xlate

If so, what are each of them doing?

Thanks for the help.

Scott

2 Replies

hvm
Level 1

Scott,

You must first make the connection from outside to dmz like:

access-list outside permit tcp any host 30.30.30.2 eq 80

and make the connection from dmz to inside like this:

access-list dmz permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521

The static is correct, and clear xlate too.

See ya

tkropp
Level 1

Users need to get to Web Server:

1) Create a static xlate for the web server

static (dmz3,outside) 69.110.38.xx 30.30.30.2 netmask 255.255.255.255

2) As mentioned, you must allow outside users to access the web server:

access-list outside permit tcp any host 69.110.38.xx eq 80

3) You do not need an ACL on the dmz interface, unless you want to allow ICMP replies or outbound connections initiated from the server (not suggested).

4) Your access-list and static are correct for the DB connection.

!============
Config:
! --- add acl inside if you want to have add'l
! --- security. but
! --- unsure of your other traffic going out (users)
! --- assume that 1521 is for a named SQL instance.
! --- and you don't need 1434 and 1433
!
access-list inside permit tcp host 10.10.10.2 eq 1521 host 30.30.30.2
!
access-list outside permit tcp any host 69.110.38.xx eq 80
!
!--- create translations (the static command takes a dotted netmask, not /24 or /32)
!
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
static (dmz,outside) 69.110.38.xx 30.30.30.2 netmask 255.255.255.255
!
access-group outside in interface outside
access-group inside in interface inside
!============================

- Tim
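As an added example (not from any poster in this thread), the following Python models how the two access-lists hvm gives are evaluated: it parses the PIX access-list syntax used above and runs four sample flows through the ACL applied on their ingress interface, showing that only the two intended connections are permitted and everything else falls to the implicit deny at the end of each list. It deliberately ignores the static/xlate step and the fact that the PIX matches on translated addresses; 198.51.100.7 is a constructed client address and the helper names are my own.

```python
import ipaddress

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (plain mask)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0))  # bare address parses as /32
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}")

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acls(config):
    """Group 'access-list NAME action proto SRC [eq p] DST [eq p]' lines by ACL name, in order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 5 and tokens[0] == "access-list":  # skips blanks, '!' comments, other commands
            name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
            src, sport = _addr(rest), _port(rest)
            dst, dport = _addr(rest), _port(rest)
            acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; anything unmatched hits the PIX implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in (proto, "ip") and ipaddress.IPv4Address(src) in rsrc
                and ipaddress.IPv4Address(dst) in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

# Constructed copy of the two rules hvm gives in the thread.
PIX_CONFIG = """access-list outside permit tcp any host 30.30.30.2 eq 80
access-list dmz permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521"""

def check_flows(client="198.51.100.7"):
    """Run intended and unintended flows through the ACL on their ingress interface (client is constructed)."""
    acls = parse_acls(PIX_CONFIG)
    return {
        "client->web:80": evaluate(acls["outside"], "tcp", client, 40000, "30.30.30.2", 80),
        "web->db:1521": evaluate(acls["dmz"], "tcp", "30.30.30.2", 40001, "10.10.10.2", 1521),
        "web->db:1433": evaluate(acls["dmz"], "tcp", "30.30.30.2", 40002, "10.10.10.2", 1433),
        "client->db:1521": evaluate(acls["outside"], "tcp", client, 40003, "10.10.10.2", 1521),
    }
```

The same parser accepts tkropp's source-port form (`host 10.10.10.2 eq 1521 host 30.30.30.2`) and the `network mask` form, so any of the rule sets in this thread can be dropped into PIX_CONFIG and checked the same way.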