
515 DMZ Config on WWW server and internal access 2


glory3321

IS-IT--Management
Aug 14, 2001
27
DE
Hi !

I am new to PIX. I hope you can help me to solve my problem.

I am trying to configure a PIX 515 with 6.1 IOS.
Here is the configuration of my network:

PIX outside IP 210.196.101.137/29
PIX inside IP 192.168.1.1 /24
PIX DMZ IP 192.168.2.1

On the DMZ port I have a web server with
IP 192.168.2.2 (210.196.101.141/29 assigned public IP)

I have successfully configured NAT on the LAN so that my users on the LAN can access the internet. This configuration is working and my users can access the internet.

Can you please teach me how to configure my web server on the DMZ port so that the inside and outside world can access it.

On the inside network I have two PCs, 192.168.1 and 192.168.1.2, which need to access the DMZ web server to update or change something on the web server.

On my inside network I have an SQL server with the IP 192.168.1.10. The web server on the DMZ port needs to access this SQL server for database queries. I want to allow or permit the communication between these two servers, especially TCP and UDP ports 1433 and 1434.

I would appreciate it if you could assist me on this with a detailed configuration, especially on the DMZ config.

Thank you very much; it really means a lot if you can assist me on this.

glory


 
HI

>> On the inside network I have two PCs, 192.168.1 and 192.168.1.2, which need to access the DMZ web server to update or change something on the web server

This can be solved with:
global (dmz) 1 192.168.2.100

Users from inside will need to connect to 192.168.2.2
Users from the Internet will need to connect to 210.196.101.141

==================

>> On my inside network I have an SQL server with the IP 192.168.1.10. The web server on the DMZ port needs to access this SQL server for database queries. I want to allow or permit the communication between these two servers, especially TCP and UDP ports 1433 and 1434

Here is how you can do it:

static (inside,dmz) 192.168.2.10 192.168.1.10
access-list fromdmz permit tcp host 192.168.2.2 host 192.168.2.10 eq 1433
[etc... add similar lines to permit other ports]
access-group fromdmz in interface dmz

You should note that this access-list will block outbound access INITIATED from the web server. (However it will still be able to return traffic to users from the Internet and internal users).
If you need the web server to be able to initiate outbound connections, you can add the following lines to the access list:
access-list fromdmz deny ip any 192.168.1.0 255.255.255.0
access-list fromdmz permit ip any any
[This will allow the DMZ hosts to get out to the Internet but will close all other access to inside hosts not previously permitted].
You can and should fine-tune this of course.

==================

You will also need to consider DNS name resolution for internal clients, because they might try to connect to your web server DNS name which will map to the 210.196.101.141 address which is not accessible to internal clients.
This can be solved in different ways, here are some:
* Use HOSTS file at internal clients.
* Use internal DNS server.
* Use "alias" command at the pix:

==================

You should consider using PDM - the pix web management.
This will help you manage the pix easier.

Bye
Yizhar Hurwitz
 
Dear yizhar,


Thanks for your help, it really helps. I need to clear up something about the DMZ port.

How can I assign the DMZ IP address to its public IP?

IP 192.168.2.2
External 210.196.101.141

and permit outside users and inside to access the website.
I do not have internal DNS only external

thanks !

glory
 
HI.

This is basic pix configuration:

static (dmz,outside) 210.196.101.141 192.168.2.2
access-list fromoutside permit tcp any host 210.196.101.141 eq 80
access-group fromoutside in interface outside

If your web server uses SSL you will also need to open port 443 if I remember correctly.

See my previous post for internal users.

Bye
Yizhar Hurwitz
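Pulling the two answers above together, here is an added example (not from the thread, and not Cisco's own reference configuration) of how the pieces fit into one PIX 6.x configuration. Addresses come from the original post; the interface names, the `nat (inside)`/`global (outside)` lines for the LAN NAT that already works, the `netmask`/connection-limit arguments on the `static` lines, and the `alias` line for DNS are assumptions added here.

```cisco
! Added example: consolidated PIX 6.x config for the DMZ web server
! described in this thread. Interface names and the LAN NAT lines are
! assumptions; addresses come from the original post.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 210.196.101.137 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
!
! Existing LAN NAT (assumed form; the poster says this already works).
! nat id 1 applies to every lower-security interface, so the global (dmz)
! line lets inside users reach the DMZ, appearing there as 192.168.2.100.
! Without a global on the dmz interface, inside-to-dmz traffic fails with
! "no translation group found".
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
global (dmz) 1 192.168.2.100
!
! Publish the web server: 192.168.2.2 appears on the outside as .141.
! Only HTTP and HTTPS are opened; everything else inbound is denied.
static (dmz,outside) 210.196.101.141 192.168.2.2 netmask 255.255.255.255 0 0
access-list fromoutside permit tcp any host 210.196.101.141 eq 80
access-list fromoutside permit tcp any host 210.196.101.141 eq 443
access-group fromoutside in interface outside
!
! Expose the inside SQL server to the DMZ under a DMZ-side address and
! permit only the web server to reach it. Applying an access-group to the
! dmz interface replaces the default "higher-to-lower is allowed" behaviour
! with this list plus an implicit deny, so the last two lines restore
! Internet access for the DMZ while keeping the rest of the inside network
! closed. Order matters: the first matching line wins, so the specific
! permits must come before the deny of 192.168.1.0/24.
! (Other DMZ hosts would also need a nat (dmz) entry to go out; omitted.)
static (inside,dmz) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list fromdmz permit tcp host 192.168.2.2 host 192.168.2.10 eq 1433
access-list fromdmz permit udp host 192.168.2.2 host 192.168.2.10 eq 1434
access-list fromdmz deny ip any 192.168.1.0 255.255.255.0
access-list fromdmz permit ip any any
access-group fromdmz in interface dmz
!
! DNS for inside clients when only an external DNS server exists (assumed
! alias syntax): rewrite 210.196.101.141 to 192.168.2.2 in DNS replies
! that pass from the outside to the inside interface, so inside clients
! resolving the public name connect to the DMZ address directly.
alias (inside) 192.168.2.2 210.196.101.141 255.255.255.255
!
! Translations are cached; clear them after changing static/global lines.
clear xlate
```

The inside PCs still connect to 192.168.2.2 and Internet users to 210.196.101.141, as the first answer states; the `alias` line only matters when inside clients use the public DNS name. If the thread's request for TCP and UDP on both 1433 and 1434 is taken literally, add the remaining two `access-list fromdmz permit` lines in the same position, before the `deny`.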
 