Depends on what sort of data you are trying to pass from the internal
network to the DMZ network. If you are using M$ SQL on the inside and M$ IIS
in the DMZ, you are using DCOM to make calls between the two. To properly
set up that scenario, look at the Microsoft whitepaper on Using DCOM with
firewalls (http://www.microsoft.com/com/wpaper/dcomfw.asp). This paper does
a good job describing the sorts of traffic that DCOM needs. If you try to
tackle this purely via sniffer, you might be frustrated by the fact that
DCOM/RPC needs to use a range of random ports. By default, the range of
random ports is 1024 to 65k+, but there are registry entries you can use to
narrow that range to something more reasonable. Microsoft says that their
solution, allowing RPC traffic between internal and DMZ, does not work if
NATting is going on between the internal and the DMZ. Most of the time, in
my experience, NATting is only done from the external network to DMZ and
internal, not between internal and DMZ.

Your conduit statements might want to say something more like (double-check
the syntax):

conduit permit tcp host internal-data-server eq 135 host dmz-web-server
conduit permit udp host internal-data-server eq 135 host dmz-web-server
conduit permit tcp host internal-data-server range 38000 38999 host dmz-web-server

If you are using some sort of Unix derivative, you may just need to pass the
SQLNet protocol between the two servers.

Dave Shackelford
Network Engineer
IRSC / DBT Online / ChoicePoint
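
As an added example (not part of Dave's reply, and not the original poster's config), here is a PowerShell script that applies the RPC registry narrowing Dave refers to and generates the matching PIX static and conduit lines so the two stay in step. It assumes the 38000-38999 range from the conduit statements above, placeholder host addresses, and, for the post-reboot check, a Windows version that has Get-NetTCPConnection (Windows 8 / Server 2012 or later; on older boxes use netstat -ano instead). The registry values are the ones documented in the Microsoft paper on using DCOM with firewalls.

```powershell
# Added example, not from the original thread. Narrows the RPC/DCOM dynamic
# port range on the inside Windows server to 38000-38999 (the range used in
# the conduit lines above) and generates the matching PIX static/conduit
# lines. Host names and addresses below are placeholders.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    param([int]$Start = 38000, [int]$End = 38999)
    # Values documented in Microsoft's "Using DCOM with Firewalls" paper.
    # The RPC runtime only reads them at boot, so reboot afterwards.
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ: one "low-high" (or single port) entry per string.
    New-ItemProperty -Path $RpcInternetKey -Name 'Ports' `
        -Value @("$Start-$End") -PropertyType MultiString -Force | Out-Null
    # 'Y' means the Ports list is the set RPC may allocate from
    # ('N' would turn it into an exclusion list).
    New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
        -Value 'Y' -PropertyType String -Force | Out-Null
    # 'Y' makes RPC use the Internet list by default for new endpoints.
    New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
        -Value 'Y' -PropertyType String -Force | Out-Null
}

function Get-RpcDynamicPortRange {
    # Returns the configured range as @(start, end), or $null when unset.
    $ports = (Get-ItemProperty -Path $RpcInternetKey -Name 'Ports' `
        -ErrorAction SilentlyContinue).Ports
    if (-not $ports) { return $null }
    $lo, $hi = ($ports[0] -split '-') | ForEach-Object { [int]$_ }
    if ($null -eq $hi) { $hi = $lo }   # single-port entry such as "38000"
    return @($lo, $hi)
}

function Test-ListeningPortsInRange {
    param([int]$Start = 38000, [int]$End = 38999)
    # Post-reboot check: lists TCP listeners above 1023 that fall outside the
    # range. Fixed service ports (SQL Server 1433, etc.) will still show up
    # here and are expected; anything else is an RPC endpoint the firewall
    # rule below would block.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -gt 1023 -and
                       ($_.LocalPort -lt $Start -or $_.LocalPort -gt $End) } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort
}

function New-PixDcomRules {
    param(
        [string]$InsideLocalIp,   # real address of the inside data server
        [string]$InsideGlobalIp,  # its address as seen from the DMZ (the static)
        [string]$DmzWebServerIp,
        [int]$Start = 38000, [int]$End = 38999
    )
    # PIX conduit syntax: the global (translated) address and its port come
    # first, the foreign (DMZ) source second. DCOM embeds the server's real
    # address in the object references it hands to clients, which is why
    # Microsoft says it fails across NAT; an identity static (global equal to
    # local) keeps the address unchanged between inside and DMZ.
    @(
        "static (inside,dmz1) $InsideGlobalIp $InsideLocalIp netmask 255.255.255.255 0 0",
        "conduit permit tcp host $InsideGlobalIp eq 135 host $DmzWebServerIp",
        "conduit permit udp host $InsideGlobalIp eq 135 host $DmzWebServerIp",
        "conduit permit tcp host $InsideGlobalIp range $Start $End host $DmzWebServerIp"
    )
}

# Usage (run as Administrator on the inside data server, then reboot):
#   Set-RpcDynamicPortRange -Start 38000 -End 38999
#   Get-RpcDynamicPortRange
#   Test-ListeningPortsInRange
#   New-PixDcomRules -InsideLocalIp <inside-ip> -InsideGlobalIp <inside-ip> `
#       -DmzWebServerIp <dmz-web-server-ip>
```

The generated lines replace a wide-open `conduit permit tcp host <global> any`, which lets any DMZ host reach any TCP port on the inside server, with three rules tied to one DMZ source, the endpoint mapper on 135, and the narrowed dynamic range. Run Test-ListeningPortsInRange only after the reboot, because the RPC runtime does not re-read the Internet key while running.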

-----Original Message-----
From: Rob Serfozo [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 10:23 AM
To: Firewalls LIST
Subject: PIX DMZ questions


We have a webserver set up on the dmz and a server on the inside.  The dmz
server needs to pass data to the inside server.  I have set up the following
statements in our PIX config.

static (inside,dmz1) 192.168.1.2 223.100.200.1 netmask 255.255.255.255 0 0

conduit permit tcp host 192.168.1.2 any

The firewall seems to be working well.  You can access the internet from
both the inside and dmz.  Any advice?

Thanks,
Rob

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]