DMZ webserver need to access internal SQL server

[glory3321]

Hello !,

I have PIX 515 one of the DMZ port a web server is connected which has an ip of 201.196.101.137

Inside my internal network there is SQL server.

I need to permit the WEB server to connect to Internal Network SQL server only with TCP/UDP 1433 and TCP/UDP 1434 port only.

I would appreaciate if you can give me a step by step command.

Thanks !

 

[Stoker]

Because you are going from a higher security zone to a lower one you must use static routes.

I myself had similar problems when I first started using the PIX with a DMZ network but I managed to get around it using the following commands, I'm not sure it will work for your configuration but it resolved my issue, hope it helps.

Inside SQL Server Address: 192.168.0.1
DMZ Web Server: 201.196.101.137

static (inside,dmz) 192.168.0.1 192.168.0.1 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.1 eq 1433 host 201.196.101.137
conduit permit udp host 192.168.0.1 eq 1433 host 201.196.101.137
conduit permit tcp host 192.168.0.1 eq 1434 host 201.196.101.137
conduit permit udp host 192.168.0.1 eq 1434 host 201.196.101.137

Although I said I had a similar problem it was not SQL I was trying to connect to, so as long as the ports you specified are correct this may help you.

Good luck.

 

[invisimail]

Just a ote for your comms from IIS in DMZ to SQL in internal network, the ports you are connecting on, yes you can initiate the comms on 1433, BUT the return is at the dicretion of the SQL server, if you limit it to one port, then will have a timed delay, whilst it randomly searches all ports (normally around 5 sec)
There is a microsoft article for this...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q287932

Hope this helps I don't suffer from stress, I'm just a carrier.....