Is it possible to put a server on the DMZ SQL
Hi all
He would ask about the deployment of PIX. Is it possible to put a server on DMZ SQL (or one of 5 exclusion inside the interface interfaces) and simply define a NAT to allow inside the user access to the DMZ? Also without allowing the outside user access to SQL server. We intend to set a SQL on a DMZ server, such that unauthorized internal users will not be able to know the actual address of the SQL Server.
Are there problems which should be considered on this deployment?
Thanks in advance,
udimpas
Hi Udimpas,
Yes, your scenario is possible. You can put SQL Server on the DMZ network and allow access to inside users. At the same time, you can also block the access from the outside.
Let's say, your sql IP address is 192.168.1.10 & your home LAN is 10.1.1.0/24. You can do the following:
nat (inside) 0 access-list sheep
access-list sheep permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
By doing this, you do not NAT traffic from your inside to the SQL server. In case you have defined access lists on your inside interface, you must open port 1433.
access-list inside permit udp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
You should not add the ACL above, if you have no restrictions from the inside, from now.
I hope this helps... all the best...
REDA
Tags: Cisco Security
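An added example, not part of the original thread: a Python check that reads a PIX 6.x style configuration and reports every static translation plus outside ACL entry that together would let outside hosts reach the DMZ SQL server, which is the exposure the question wants to rule out. The sample configs, the 203.0.113.x addresses and the function names are constructed for illustration; only `any`, `host A` and `NET MASK` address forms are handled.

```python
import ipaddress
import re
STATIC_RE = re.compile(r"static \((\w+),\s*(\w+)\) (\S+) (\S+)", re.I)
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)", re.I)
ACL_RE = re.compile(r"access-list (\S+) permit \w+ (.+)", re.I)

def take_addr(tok):
    """Split one address spec (any | host A | NET MASK) off a token list."""
    if tok[0] == "any":
        return "0.0.0.0/0", tok[1:]
    if tok[0] == "host":
        return tok[1] + "/32", tok[2:]
    return tok[0] + "/" + tok[1], tok[2:]

def outside_exposure(config, real_ip, outside="outside"):
    """List (global_ip, acl_line) pairs that let `outside` reach real_ip."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    published, bound = set(), set()
    for l in lines:
        s, g = STATIC_RE.match(l), GROUP_RE.match(l)
        if s and s.group(2).lower() == outside and s.group(4) == real_ip:
            published.add(s.group(3))   # global address visible from outside
        if g and g.group(2).lower() == outside:
            bound.add(g.group(1))       # ACL applied inbound on that interface
    findings = []
    for l in lines:
        m = ACL_RE.match(l)
        if not m or m.group(1) not in bound:
            continue
        _src, rest = take_addr(m.group(2).split())
        dst, _ports = take_addr(rest)
        net = ipaddress.ip_network(dst, strict=False)
        findings += [(g, l) for g in sorted(published)
                     if ipaddress.ip_address(g) in net]
    return findings

# Constructed sample configs (documentation addresses for the outside range).
SAFE = """
nat (inside) 0 access-list sheep
access-list sheep permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
static (dmz,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.20 eq www
access-group acl_out in interface outside
"""
EXPOSED = SAFE + """
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.10 eq 1433
"""
print(outside_exposure(EXPOSED, "192.168.1.10"))
```

An empty result for the SQL server's real address means no static publishes it on the outside interface, or no inbound outside ACL entry permits traffic to its global address.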
Similar Questions
-
Best way to lock a security server in the DMZ
Hello
Are there best practices or recommendations of VMware for the locking of a security server in the DMZ?
Any suggestions are welcome.
THX,
-sf
There is a Project Server View of Security hardening guide referenced here - http://communities.vmware.com/thread/300885
Mark
-
Is it possible to put an image in the preview before printing a pivot or a chart?
Hello
I'm wondering if it is possible to put the image in the footer or the position or any where in the area to preview before printing or any other place I can easily design print my pivot chart or something else? There is no graphics available in the items section.
Kind regards
Pawel
No, it is not possible.
Place the pivot or the table in the Section of report
-
ISA server in the DMZ Cisco Firewall box
Hi all
I have an ISA Server that is behind the firewall, and it is connected to the Internet with the command: static (inside,outside) 192.x.x.x 10.x.x.x dns netmask 255.255.255.255 0 0 in my firewall. Is it possible to add the server to a DMZ on the firewall at the same time with the command: static (dmz,outside) 192.x.x.x 10.y.y.y netmask 255.255.255.255 0 0? I appreciate any help.
Hello
It is necessary for your server, or on both segments and this is possible only if your server has 2 network cards, but why would you choose to deploy it?
-
second Web server on the DMZ not visible outside
With the help of a PIX 515e
I have several Web servers in the DMZ, the first web server and the mail server are set up with the port mapping for the PIX outside IP address of the interface.
The second and third (inside interface) of the Web servers are configured with static mappings and access lists.
I can see the first n the mail very good server webserver, but I can not see servers in second or third.
What have I done wrong?
I suggest you analyze traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.
Check whether packets arrive at the external interface, whether they reach the web server, and whether there is a response.
Example:
access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail
or
https://PIX-IP-address/capture/vpncap [/pcap]
To remove the capture:
no capture vpncap
sincerely
Patrick
-
Cannot access the Web server in the DMZ from the inside using IP global
Hi all
I hope it's a very simple question.
I'm running a PIX 515 firewall v6.3. I set up a Web server in my DMZ and use static NAT for re-branded it overall static IP address. Access from the outside of the demilitarized zone works remarkably well. I can access inside the interface Web site using the internal IP, but I can't access it from inside interface using the global IP are entrusted to him.
Is there a particular reason why this would not be allowed? My feeling was that the request would be forwarded via the external interface (as it is a global IP address) and then be bounced back by my sense of the ISP the request would come to the new external interface (as the static NAT is applied to the external interface).
However if I try and access the global IP from my inside interface, then the browser can not find the server.
can someone explain why this is so? Any information would be appreciated.
see you soon,
Wayne
---------------------------------
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80
PIX code v6 or lower doesn't let you have traffic go "back" or return via the same interface on which it was sent. Having your traffic bounce back off an external server is also never a good idea, because you won't be able to distinguish it from rogue attacks by someone spoofing from outside your network.
Since you are using PIX 6.3 code, you may be able to use outside NAT. Add this static to your config:
static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
You may need to run a clear xlate after adding the new static statement. Note the interfaces: it's dmz,inside, not inside,dmz.
I would like to know if it works.
-
Is it possible to put a picture on the homepage design Solutions?
Hello
We build a PRM system and we want to spice up our application. We have added a photo on the home page by creating a world wide Web Applet, but it doesn't seem to be a feature in the other tabs. Since the Solutions tab is a tab that serves more partners we (also) want to place a photo on this homepage. Does anyone know if this is possible and if so, how?
I hope you guys can help!
Thanks in advance
Welcome them
Vincent
Hi, go to the Admin-> Application-> Solution customization-> Applet Web Solution-> New (with location as 'HomePage') to place the image in the homepage of solution
-John CRMIT
-
Is it possible to put a picture of the poster
Is there a way to set an image of the poster in PP? I would like to choose what viewers see before the game click of a button.
Nope not possible.
-
Is it possible to put different movieclips in the same table?
Hello. I have two different balls movieclips. I want to put the two in the table with a single bullet, but it seems that all the second movieclip instances are not controlled by bullet_ary [i]
Yes, you can add more than one:
var mcA:Array = [];
for (var i: int = 0; i<>
mcA.push (new MovieClip());}
-
Is it possible to put my tabs at the bottom of the browser?
I use Firefox with me SMART Board in my class. I have all the SMART Tech Tools at the bottom of the map and it would be very useful to have the tabs in the browser at the bottom of the screen as well (not covered by the address bar - all the way to the bottom of the screen).
Hello Science_Teacher_Smith, try the Tree Style Tab add-on.
Thank you
-
Lines/lines of the Inbox have been alternating... normal background color, then color, then normal, then color. Like the OLD fan paper feed bar background color each lines 5 or 10 alternating... Makes it easy for us old people follow along a line if info and keep drifting upward or down a line.
You can probably pick up a theme of appearance that made it, but I quickly found another way to do this.
Create or edit a userChrome.css file.
First find your Thunderbird profile folder: Thunderbird Menu: help: troubleshooting information
Under the request of base, next to the profile folder, click on the view file"" button.
A Windows Explorer window will open to your Thunderbird profiles folder.
Is there a folder there called "chrome"? If this isn't the case, create a.
If there is already a file called userChrome.css, good. If not, then right click on an open area where the list of the files and choose new and the Notepad document. Type the name of the userChrome.css file. Case of text is important here, so the 'C' should be capitalized, but not the rest.
Open the userChrome.css file in Notepad (or another text editor) and placed in the file to the following:
#threadTree treechildren::-moz-tree-row(odd) { -moz-appearance: none !important; background-color: rgb(232,232,232) !important; }
Save the file and close Notepad.
Restart Thunderbird.
Now you'll see alternating lines in your records, white and light grey.
-
Is it possible to put an icon on the device for quick search android?
As above.
If you speak an option in an Adobe mobile application, name the app so your messages can be moved in the right forum
If you are talking about the Android operating system, you will need to find an appropriate forum (which is not Adobe)
-
ESXi Server and the DMZ security
Hello world
I currently have around 5 physical web servers sitting in a demilitarized zone. My plan is to convert all these web servers to virtual machines and host them on an ESXi server.
I would like to host the ESXi Server actually in the demilitarized zone, all the VMs on the ESXi box would be public facing anyway. Does anyone know of a good reason not to do from a security point of view.
I guess my main concern would be the area of ESXi being threaten. Of course, I would limit the traffic through the firewall rules.
I would like to know your opinion on this and if someone has done this before?
Thank you very much
Chris
Take a look on:
http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF
-
I can't do a server of the Mac mini 2015?
It is possible to make a server in the Mac mini 2015?
I ' v to buy Mac mini 2015 and I do not have you are so much and then I had an idea to do a server, but I don't know if it will work.
Then I can make a server or I need to buy Mac mini Server (2012)?
But Apple has stopped selling Mac mini server (2012)
And I bought OS X Server application and desktop remotely.
Thanks for reading.
This will work, but you must buy and install OS X Server for El Capitan. Get on the App Store.
-
PIX with H&S VPN DMZ hosting web server to the hub
Ok
Heres a problem which I think would be quite common for these even remotely conscious of security. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in phase of 'growth '.
So, here's the problem. I have a WAN put in place with PIXen and SonicWalls, we are set up in a design essentially Hub and Spoke (fine ok so it is partially meshed). We recently decided to pull the trigger on getting a 'real' web site and everything went relatively well that getting up and rolling. (even with my notice of 3 days/deadline), but here's the problem: I set up the web server on the DMZ to the hub pix, and I figured out (the easy part) how to set things so in the Home Office, people can connect to the web server by using the internal address, but I don't know what to do for people in remote offices with VPN home connections. I tried to define static routes, I tried to add the DMZ to the VPN trigger, I tried to do both of the last things together, and I checked that I have rules allowing traffic to the VPN outside the DMZ on the inside. So, what else can I I get?
I have no problem by configuring a PIX for all basic ups and VPN even at this stage, I can do most of it through the CLI (even if I still want to do more through the PDM). My biggest stumbling block on the PIX has so far was when I actually involve this pesky DMZ...
I actually two PIX in my office, two for my network domestic (one for my place in the States and one for my place in the Japan), so if you can help me, I'll be the two problems and do not forget to give a rating of excellent reviews!
so I guess that leaves me to the place where I scream...
Help!
and I humbly await your comments.
the current pix configuration should look at sth like this,
access-list 101 permit ip
access-list 110 permit ip
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set superset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set superset
crypto map myvpn interface outside
isakmp enable outside
isakmp key address netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
now, to add dmz on top of the existing vpn, add the following to the pix (and apply the same concept on the remote end device)
access-list 102 permit ip
access-list 110 permit ip
nat (dmz) 0 access-list 102