Question : cisco firewall config and multiple websites
hey all,
I have a Cisco firewall that stands between two domains. I have domain A [192.168.10.x], which is the main domain, and domain B [192.168.15.x], which is the "dmz" zone. Domain B trusts domain A... but you won't need to know that.
I have a SQL server [192.168.10.20] in domain A and a web server [192.168.15.60] on domain B that needs to talk to it through ports tcp 1434, udp 1434, tcp 3128.
Now here is where it might get complicated.
The web server on domain B has a machine IP address of 192.168.15.60, but I have 4 IIS websites on this box that need to talk to the SQL server in domain A. DNS is working OK; I can ping and see the servers and their domains regardless of which box I am using.
-------------------------------
SQL server:
IP address: 192.168.10.20
member of domain A
-------------------------------
web server:
IP address: 192.168.15.60
member of domain B
website one: 192.168.15.61
website two: 192.168.15.62
website three: 192.168.15.63
website four: 192.168.15.64
-------------------------------
My question is: when the web server makes a request to the SQL server, does it use the website IP to go through the firewall, or does it use the server's IP address of 192.168.15.60?
permit tcp host 192.168.15.60 host 192.168.10.20 eq
?? ((this is assuming the web requests use the server's IP address))
or
permit tcp host 192.168.15.61 host 192.168.10.20 eq
((this is assuming the web requests use the website's IP address))
permit tcp host 192.168.15.62 host 192.168.10.20 eq
permit tcp host 192.168.15.63 host 192.168.10.20 eq
permit tcp host 192.168.15.64 host 192.168.10.20 eq
On the firewall: what should my rules be?
Please let me know.. thanks all
Answer : cisco firewall config and multiple websites
That is a good question. I don't know what the answer is. However, you can figure that out for yourself. Here's how:
Get yourself a syslog server like the free Kiwi Syslog tool. Set it up on a PC, then set up syslog logging to this box on the firewall.
Using:
logging on
logging timestamp
logging trap warnings
logging history errors
logging host inside
Implement just the server's IP of 15.60, then run your tests. Look at the syslog log file. If the 15.61 to 15.64 IPs are being denied, the syslog will tell you, and that will give you your answer. Please post your results here; I am curious about the solution also.
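The test the answer describes produces a syslog file full of firewall messages, and the interesting ones are the "Deny" entries (PIX/ASA message ID 106023, severity 4, so they are included by "logging trap warnings"). The script below is an added example, not code from the original poster or the answerer: it reads those lines, groups the denied connection attempts to the SQL server by source IP and destination port, and prints host-to-host permit lines in the style used in the question so you can see at a glance whether the 15.61 to 15.64 addresses ever appeared as sources. The sample log lines are constructed for this example and modelled on the 106023 and 302013 message formats; the interface names ("dmz", "inside") and the access-group name ("dmz_in") are assumptions, and the addresses and ports are the ones from the question.

```python
"""Summarise PIX/ASA "Deny" syslog messages by source IP (constructed example)."""
import re
from collections import defaultdict

# Matches PIX/ASA message 106023 ("Deny ... by access-group"). Severity 4
# means "logging trap warnings" forwards it to the syslog host. The hex hash
# pair that newer ASA images append is not required here.
DENY_RE = re.compile(
    r'%(?:PIX|ASA)-4-106023: Deny (?P<proto>tcp|udp|icmp) '
    r'src (?P<src_if>\w+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log. Interface names (dmz, inside) and the ACL name
# (dmz_in) are assumptions; the IPs and ports come from the question.
# The first line is a permitted connection (302013) and must be ignored.
SAMPLE_LOG = """\
Jan 10 10:01:02 fw %PIX-6-302013: Built inbound TCP connection 4411 for dmz:192.168.15.60/3050 (192.168.15.60/3050) to inside:192.168.10.20/1434 (192.168.10.20/1434)
Jan 10 10:01:03 fw %PIX-4-106023: Deny tcp src dmz:192.168.15.61/3055 dst inside:192.168.10.20/1434 by access-group "dmz_in"
Jan 10 10:01:03 fw %PIX-4-106023: Deny udp src dmz:192.168.15.61/3056 dst inside:192.168.10.20/1434 by access-group "dmz_in"
Jan 10 10:01:04 fw %PIX-4-106023: Deny tcp src dmz:192.168.15.62/3061 dst inside:192.168.10.20/3128 by access-group "dmz_in"
Jan 10 10:01:05 fw %PIX-4-106023: Deny tcp src dmz:192.168.15.61/3057 dst inside:192.168.10.20/1434 by access-group "dmz_in"
Jan 10 10:01:09 fw %PIX-4-106023: Deny tcp src dmz:192.168.15.77/4000 dst inside:192.168.10.50/445 by access-group "dmz_in"
"""


def parse_denies(lines):
    """Yield one dict of fields per 106023 line; every other message is skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def denied_sources(lines, dst_ip):
    """Map each denied source IP to the set of (proto, dst_port) it tried to
    reach on dst_ip. Denies aimed at other destinations are left out so the
    unrelated 192.168.15.77 -> 192.168.10.50 line does not show up."""
    result = defaultdict(set)
    for d in parse_denies(lines):
        if d["dst_ip"] == dst_ip:
            result[d["src_ip"]].add((d["proto"], int(d["dst_port"])))
    return dict(result)


def suggest_acl(denied, dst_ip):
    """Render the summary as host-to-host permit lines in the question's style.
    This only reflects what was observed being denied; decide separately
    whether each flow should actually be allowed."""
    lines = []
    for src_ip in sorted(denied, key=lambda ip: tuple(map(int, ip.split(".")))):
        for proto, port in sorted(denied[src_ip]):
            lines.append(f"permit {proto} host {src_ip} host {dst_ip} eq {port}")
    return lines


if __name__ == "__main__":
    summary = denied_sources(SAMPLE_LOG.splitlines(), "192.168.10.20")
    for src, attempts in sorted(summary.items()):
        print(src, sorted(attempts))
    print("\n".join(suggest_acl(summary, "192.168.10.20")))
```

With the constructed sample, only 192.168.15.61 and 192.168.15.62 show up as denied sources, which is the kind of result that would tell you the websites' addresses, not just 15.60, are being used on the wire; with a real Kiwi log, point the script at the file instead of SAMPLE_LOG and check the generated lines against the ports the web server actually needs before adding anything to the firewall.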