2nd answer to the problem,

Just because ICMP works, doesn't necessarily mean TCP is working, and
TCP port 1433 is the ticket for MS web and MS SQL to work.  That said,
let's consider for a moment that your NAT and access lists are
configured to pass all traffic on all ports. If that is the case then
your problem isn't a firewall issue.

Microsoft products default to NetBios/WINS for resolution, neither of
which is particularly NAT savvy. Have you looked at the configuration on
the MS web server to see where it is looking for its SQL server? If it
is looking for a NetBios name and you do not have NetBios/WINS properly
configured on your DMZ it is not going to work.

The simplest fix to the above situation is to change the default setting
and point the web server to the NAT'ed address of the SQL server. The
more involved fix would be to get NetBios/WINS working on your DMZ.
Whether or not that is worth the trouble depends on your requirements.

Glenn

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Marc Sahr
Sent: Tuesday, January 29, 2002 10:48 AM
To: [EMAIL PROTECTED]
Subject: SQL and web across the PIX

2nd go-round of this problem:
 
I still can't get my web server and my SQL server to communicate
successfully (i.e. login to the SQL database application from the browser
window) through the PIX. To reiterate the scenario: My MS IIS 5 web
server is located on the DMZ, my SQL 2000 server is located on the
inside interface, and the clients are on the outside interface. All
servers and clients are W2K/SP2. All servers are latest service pack for
their respective platforms. 
 
Clients can see the website as a static-translated IP address through
the PIX. They can't log on to the SQL application (error message is
MS-speak for "can't find database").
 
All ports are allowed access through ACLs on the PIX bidirectionally
through the PIX. Remember this is a test environment so that's OK. All
protocols are allowed access as above.
 
All hosts can ping each other, their interfaces, etc. ICMP is allowed in
the config.
 
So, I ask again: Any ideas?
 
TIA,
Marc Sahr
Network Administrator
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
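
The two failure modes Glenn's reply separates (a name the DMZ host cannot resolve, versus TCP 1433 not getting through even though ICMP does) can be told apart from the web server with a check like the following. This is an added example, not part of the original thread; the function name `triage`, its verdict strings, and the sample targets are assumptions made for illustration.

```python
import socket

SQL_PORT = 1433  # TCP port the reply names for MS SQL


def triage(target, port=SQL_PORT, timeout=3.0):
    """Classify reachability of a SQL server as seen from the web server.

    Returns (verdict, detail). Verdicts (names are this example's own):
      name_unresolved  the configured name did not resolve on this host
      tcp_refused      host answered but the port is closed or reset
      tcp_filtered     no reply before the timeout, typical of a dropped SYN
      tcp_error        other socket error (e.g. no route to host)
      tcp_open         TCP handshake completed
    """
    try:
        infos = socket.getaddrinfo(target, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "name_unresolved", f"{target}: {exc}"
    addr = infos[0][4]  # (ip, port) the name actually maps to
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except ConnectionRefusedError:
        return "tcp_refused", f"{addr[0]}:{addr[1]}"
    except socket.timeout:
        return "tcp_filtered", f"{addr[0]}:{addr[1]}"
    except OSError as exc:
        return "tcp_error", f"{addr[0]}:{addr[1]}: {exc}"
    finally:
        sock.close()
    return "tcp_open", f"{addr[0]}:{addr[1]}"


if __name__ == "__main__":
    # Constructed demo: a local listener stands in for the SQL server's
    # NAT'ed address; "sqlserver.invalid" stands in for a name that the
    # DMZ host cannot resolve.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    for target in ("sqlserver.invalid", "127.0.0.1"):
        print(target, triage(target, port, timeout=2.0))
    listener.close()
```

Run it once with the name the web application is configured to use and once with the NAT'ed address: `name_unresolved` for the first and `tcp_open` for the second points at name resolution rather than the firewall.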

