08-06-2010 01:57 PM - edited 03-11-2019 11:22 AM
I want to allow a system in the DMZ (75) access to a database server in a higher security level (100) and also still allow the server in the DMZ access to the internet from inside.
From the inside out to the internet works fine unless I change the access rules. Is there an ACL that I use for this, or how do I do this? The ports are from internal systems 172.16.10.10 (DMZ) to 172.16.20.10 (NONDMZ) and need ports 1433, 5151, and some in the 14000 range. Can anyone assist me?
08-06-2010 02:30 PM
Hi,
Firstly, I assume your outside interface has a security level of 0 so both the DMZ and INSIDE interfaces will be able to go outside since their security levels are higher.
To allow the DMZ to talk to a host on the INSIDE, you must create an access-group and an access-list for the DMZ network.
Let's assume that the DB is a MySQL server running on 192.168.1.100 on port 3306 and you have interfaces with DMZ and INSIDE as names.
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp any host 192.168.1.100 eq 3306
Of course, you can be more specific with your ACL by adding a host instead of the keyword any, i.e.
access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 192.168.1.100 eq 3306
Hope this helps,
Conor
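Applied to the poster's own hosts and ports, the same approach looks like the configuration below. This is an added example, not the answer's or Cisco's own text; it assumes the interface names DMZ and INSIDE used above, a DMZ subnet of 172.16.10.0/24, an inside subnet of 172.16.20.0/24, and uses 14000-14100 as a placeholder for the unstated "14000 range" ports. It also covers the point the question hints at: as soon as an access-list is bound to the DMZ interface, the security-level default that let DMZ traffic out to the internet is replaced by the ACL's implicit deny, so the internet-bound traffic needs its own explicit permit, and an explicit deny toward the rest of the inside network keeps the DMZ host from reaching anything but the database server.

```cisco
! Added example (not from the original post) for the poster's hosts and ports.
! Assumptions: interfaces DMZ and INSIDE, DMZ subnet 172.16.10.0/24,
! inside subnet 172.16.20.0/24, and 14000-14100 as a placeholder for
! the "14000 range" ports the question does not list.

! Group the database ports so each flow is one ACE
object-group service DB_PORTS tcp
 port-object eq 1433
 port-object eq 5151
 port-object range 14000 14100

! 1. The DMZ host may reach the DB server only on the grouped ports
access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 172.16.20.10 object-group DB_PORTS

! 2. Anything else from the DMZ toward the inside network is dropped and logged,
!    so unexpected DMZ-to-inside attempts show up in syslog
access-list DMZ_access_in extended deny ip any 172.16.20.0 255.255.255.0 log

! 3. Remaining DMZ traffic (internet-bound) is still permitted; once an ACL is
!    bound to the interface the security-level default no longer does this
access-list DMZ_access_in extended permit ip 172.16.10.0 255.255.255.0 any

! Bind the ACL to traffic entering the firewall on the DMZ interface
access-group DMZ_access_in in interface DMZ

! Verify: trace a simulated SQL connection through the rule set, then
! check the per-ACE hit counts
packet-tracer input DMZ tcp 172.16.10.10 40000 172.16.20.10 1433
show access-list DMZ_access_in
```

Order matters: the ASA evaluates ACEs top to bottom and stops at the first match, so the specific permit must sit above the deny, and the deny above the broad internet permit; reversing the last two would quietly reopen the whole inside network to the DMZ.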
08-06-2010 03:26 PM
That should help nicely, thanks