Allowing some ports from a DMZ system to a non-DMZ system

pskipton01
Level 1

I want to allow a system in the DMZ (75) access to a database server in a higher security level (100) and also still allow the server in the DMZ access to the internet from inside.

From the inside out to the internet works fine unless I change the access rules. Is there an ACL that I use for this, or how do I do this? The ports are from internal systems 172.16.10.10 (DMZ) to 172.16.20.10 (non-DMZ) and need ports 1433, 5151, and some in the 14000 range. Can anyone assist me?

1 Accepted Solution

Accepted Solutions

Hi,

Firstly, I assume your outside interface has a security level of 0 so both the DMZ and INSIDE interfaces will be able to go outside since their security levels are higher.

To allow the DMZ to talk to a host on the INSIDE, you must create an access-group and an access-list for the DMZ network.

Let's assume that the DB is a MySQL server running on 192.168.1.100 on port 3306 and you have interfaces named DMZ and INSIDE.

access-group DMZ_access_in in interface DMZ

access-list DMZ_access_in extended permit tcp any host 192.168.1.100 eq 3306

Of course, you can be more specific with your ACL by adding a host instead of the keyword any, i.e.

access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 192.168.1.100 eq 3306

Hope this helps,

Conor

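Applying the accepted answer to the addresses and ports from the question, here is a constructed ASA configuration that is not part of the thread. It assumes 172.16.10.0/24 as the DMZ network, 172.16.20.0/24 as the inside network, and 14000-14010 as a placeholder for the "14000 range" ports; it also adds the explicit deny and outbound permit a practitioner needs once an ACL is bound to the DMZ interface, because at that point the security-level implicit permit (75 to outside) no longer applies.

```cisco
! Constructed example, not the thread's own configuration.
! Group the database ports from the question; 14000-14010 is an assumed placeholder.
object-group service DB_PORTS tcp
 port-object eq 1433
 port-object eq 5151
 port-object range 14000 14010

! Only the one DMZ host may reach the one inside DB host, and only on those ports.
access-list DMZ_access_in extended permit tcp host 172.16.10.10 host 172.16.20.10 object-group DB_PORTS
! Explicitly block the rest of the inside network from the DMZ so that the
! broader "permit ... any" below cannot be used to reach other internal hosts.
access-list DMZ_access_in extended deny ip any 172.16.20.0 255.255.255.0
! Restore internet access for the DMZ; once an ACL is applied inbound on the
! DMZ interface, traffic not matched by a permit line is dropped.
access-list DMZ_access_in extended permit ip 172.16.10.0 255.255.255.0 any

! Bind the list inbound on the DMZ interface (entries are evaluated top to bottom).
access-group DMZ_access_in in interface DMZ
```

After applying it, `show access-list DMZ_access_in` shows a hit count per entry, which confirms the DB traffic is matching the narrow permit rather than the final catch-all line.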

2 Replies

That should help nicely, thanks
