New Member

PIX DMZ Question

outside
   |
  PIX --inside-- database server
   |
  DMZ
   |
Web Server

I can't get the Web Server to communicate with the database server. I can http to the web server from inside and outside. I can http from the DMZ to outside. Any ideas?

6 REPLIES
New Member

Re: PIX DMZ Question

Default for lower security (DMZ) to access higher security area (inside) is drop all traffic.

One possible solution is to add a conduit command to permit access from web-server to the database-server.

HTH

New Member

Re: PIX DMZ Question

Here is what I have for access list.

access-list inside_access_in permit ip any host 192.168.254.100(webserver)

access-group inside_access_in in interface inside

New Member

Re: PIX DMZ Question

Could it be that I have nat setup wrong?

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

Thanks.

New Member

Re: PIX DMZ Question

For the www server to be able to communicate with the database server you have to have a static translation and an access-list (or conduit) configured on the PIX. Assuming that your DMZ network is 192.168.1.0/24 (with 192.168.1.1 for the www server and 192.168.1.100 available) and your database server IP address is 10.1.1.1, you need to set up the following config:

static (inside,dmz) 192.168.1.100 10.1.1.1 netmask 255.255.255.255

access-list dmz permit ip host 192.168.1.1 host 192.168.1.100 (or more restrictive)

access-group dmz in interface dmz

Success!!

New Member

Re: PIX DMZ Question

I figured out what was going wrong. I would set up an IP address for the inside interface and it would put a route in on the inside to point to the inside interface on the PIX. So I removed the IP address and put in the static route to point to the inside router. I then put the IP address back on the inside interface with the correct IP and bang! It worked.

New Member

Re: PIX DMZ Question

Dear all,

I have the same problem as mbettis. I put the Web server and Mail server in the DMZ and the DB server inside. One DNS for outside and one DNS for inside. Mail and Web services work fine from inside to outside and from outside to inside, but the Web server can't access the inside DB server.

My Pix : 515R v5.3

Web Server : 10.1.1.1

DMZ Interface : 10.1.1.11

DB Server : 172.16.1.1

DB Server gateway : 172.16.1.11

Inside Interface : 172.16.1.11

As rrbleeker mentioned, I setup the following config:

static (inside,dmz) 10.1.1.2 172.16.1.11 netmask 255.255.255.255

access-list dmz permit tcp any any

access-list dmz permit ip any any

access-list dmz permit icmp any any

access-group dmz in interface dmz

I opened all security between the DMZ and inside, but it did not help with access to the DB server. Would some experts help me solve this problem?
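The rule rrbleeker's reply states (and that the last post tries to apply) has three parts: the inside host needs a static (inside,dmz) entry giving it a DMZ-side address, an access-list must be bound inbound on the DMZ interface, and that list must permit the DMZ host to the mapped address before any matching deny. The checker below is an added example, not part of this thread or of any Cisco tool; it models pre-8.3 PIX semantics (ACLs on the DMZ interface reference the translated address, first match wins, implicit deny at the end) for the three line types quoted in the thread and ignores port qualifiers. The two sample configs are constructed from the values quoted in rrbleeker's reply and in the last post; running it on the second one reports that no static entry has the DB server's real address 172.16.1.1 as its real side.

```python
"""Static check of a PIX (pre-8.3 style) config for one DMZ-to-inside flow.

Added example (not the thread's or Cisco's code). Models the rule from the
thread: a lower-security (DMZ) host may reach a higher-security (inside) host
only if (1) a static (inside,dmz) entry gives the inside host a DMZ-side
address, (2) an access-list is bound inbound on the DMZ interface, and
(3) that list permits the DMZ host to the *mapped* address before any
matching deny (first-match semantics, implicit deny at the end).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Only the three line types that appear in the thread are parsed.
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)", re.I)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)


@dataclass
class Static:
    real_if: str    # interface where the real host lives, e.g. "inside"
    mapped_if: str  # interface whose address space the mapped IP is in, e.g. "dmz"
    mapped_ip: str
    real_ip: str


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse(config: str) -> Tuple[List[Static], List[AclEntry], Dict[str, str]]:
    statics, acls, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(m[1].lower(), m[2].lower(), m[3], m[4]))
        elif m := ACL_RE.match(line):
            tokens = m[4].split()          # source spec, destination spec, optional ports
            src = _take_addr(tokens)
            dst = _take_addr(tokens)       # anything after this (eq 1433 ...) is ignored
            acls.append(AclEntry(m[1], m[2].lower(), m[3].lower(), src, dst))
        elif m := GROUP_RE.match(line):
            groups[m[2].lower()] = m[1]    # interface -> ACL name bound inbound
    return statics, acls, groups


def check_dmz_to_inside(config: str, dmz_host: str, inside_host: str,
                        proto: str = "tcp", dmz_if: str = "dmz",
                        inside_if: str = "inside") -> List[str]:
    """Return a list of findings; an empty list means the flow is permitted."""
    statics, acls, groups = parse(config)
    findings: List[str] = []
    mapped = [s.mapped_ip for s in statics
              if s.real_if == inside_if and s.mapped_if == dmz_if and s.real_ip == inside_host]
    if not mapped:
        findings.append(f"no static ({inside_if},{dmz_if}) entry whose real address is {inside_host}")
    acl_name = groups.get(dmz_if)
    if acl_name is None:
        findings.append(f"no access-group bound inbound on interface {dmz_if}")
    if findings:
        return findings                    # cannot evaluate the ACL without a mapped address
    src = ipaddress.IPv4Address(dmz_host)
    for mapped_ip in mapped:
        dst = ipaddress.IPv4Address(mapped_ip)
        verdict = "deny"                   # implicit deny at the end of every list
        for e in (a for a in acls if a.name == acl_name):
            if e.proto in ("ip", proto) and src in e.src and dst in e.dst:
                verdict = e.action         # first match wins
                break
        if verdict == "permit":
            return []
        findings.append(f"access-list {acl_name} does not permit {proto} "
                        f"{dmz_host} -> {mapped_ip} (mapped address of {inside_host})")
    return findings


# Constructed from the values in rrbleeker's reply (parenthetical note dropped).
CONFIG_RRBLEEKER = """
static (inside,dmz) 192.168.1.100 10.1.1.1 netmask 255.255.255.255
access-list dmz permit ip host 192.168.1.1 host 192.168.1.100
access-group dmz in interface dmz
"""

# Constructed from the last post (web server 10.1.1.1, DB server 172.16.1.1).
CONFIG_LAST_POST = """
static (inside,dmz) 10.1.1.2 172.16.1.11 netmask 255.255.255.255
access-list dmz permit tcp any any
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-group dmz in interface dmz
"""

if __name__ == "__main__":
    print(check_dmz_to_inside(CONFIG_RRBLEEKER, "192.168.1.1", "10.1.1.1"))
    print(check_dmz_to_inside(CONFIG_LAST_POST, "10.1.1.1", "172.16.1.1"))
```

The checker deliberately evaluates the ACL against the mapped address rather than the real one, because that is what a pre-8.3 PIX does for a DMZ-interface list; a rule written against the inside host's real address would never match, which is an easy mistake to make when copying configs between versions.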
