Question : cisco firewall config and multiple websites

Hey all,
   I have a Cisco firewall that stands between two domains. I have domain A [192.168.10.x], which is the main domain, and domain B [192.168.15.x], which is the "DMZ" zone. Domain B trusts domain A... but you won't need to know that.

I have a SQL server [192.168.10.20] in domain A and a web server [192.168.15.60] in domain B that needs to talk to it through ports TCP 1434, UDP 1434 and TCP 3128.

Now here is where it might get complicated.
The web server in domain B has a machine IP address of 192.168.15.60, but I have 4 IIS websites on this box that need to talk to the SQL server in domain A. DNS is working OK: I can ping and see the servers and their domains regardless of which box I am using.

-------------------------------
SQL server:
IP address: 192.168.10.20
member of domain A
-------------------------------
web server:
IP address: 192.168.15.60
member of domain B
website one: 192.168.15.61
website two: 192.168.15.62
website three: 192.168.15.63
website four: 192.168.15.64
-------------------------------

My question is: when the web server makes a request to the SQL server, does it use the website IP to go through the firewall, or does it use the server's IP address of 192.168.15.60?

permit tcp host 192.168.15.60 host 192.168.10.20 eq ??  ((this is assuming the web requests use the server's IP address))

or

permit tcp host 192.168.15.61 host 192.168.10.20 eq  ((this is assuming the web requests use the website's IP address))
permit tcp host 192.168.15.62 host 192.168.10.20 eq
permit tcp host 192.168.15.63 host 192.168.10.20 eq
permit tcp host 192.168.15.64 host 192.168.10.20 eq

On the firewall: what should my rules be?

Please let me know... thanks all.
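The question hinges on which local address the web server's worker process uses for its outbound connection to the SQL server. An IIS site binding only controls the address a site listens on; unless the application explicitly binds a local address for its outgoing socket, the operating system chooses the source address by its own routing and source-address selection rules. The following added example (not part of the original thread, written in Python for illustration) shows how to ask the OS for that choice on the web server itself and how to turn the result into the permit entries the question sketches. The SQL server address and port list are the question's values; the ACL name "dmz_in" is a hypothetical label.

```python
import socket
from typing import List, Optional, Sequence, Tuple

# Values taken from the question; the ACL name "dmz_in" is a hypothetical label.
SQL_SERVER = "192.168.10.20"
REQUIRED_PORTS: List[Tuple[str, int]] = [("tcp", 1434), ("udp", 1434), ("tcp", 3128)]


def source_ip_for(destination: str, port: int = 1434) -> Optional[str]:
    """Return the local address the OS picks to reach `destination`.

    connect() on a UDP socket sends nothing on the wire, but it makes the
    kernel run route and source-address selection; getsockname() then
    reports the chosen local address. Returns None when there is no route.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((destination, port))
        return sock.getsockname()[0]
    except OSError:
        return None
    finally:
        sock.close()


def acl_lines(sources: Sequence[str], destination: str = SQL_SERVER,
              ports: Sequence[Tuple[str, int]] = REQUIRED_PORTS,
              acl_name: str = "dmz_in") -> List[str]:
    """Render one permit entry per (source, protocol, port) in the
    `access-list <name> permit <proto> host <src> host <dst> eq <port>` form,
    so only the address actually used as a source gets opened."""
    return [
        f"access-list {acl_name} permit {proto} host {src} host {destination} eq {port}"
        for src in sources
        for proto, port in ports
    ]


if __name__ == "__main__":
    # Run this on the web server: it reports the source address the OS would
    # use toward the SQL server and the matching least-privilege permits.
    chosen = source_ip_for(SQL_SERVER)
    print("source address the OS would use:", chosen or "no route")
    for line in acl_lines([chosen] if chosen else []):
        print(line)
```

Running it on the web server answers the question directly for that host's routing configuration; if the result is 192.168.15.60, the first set of rules in the question is the right one, and the four site addresses need no entries at all.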

Answer : cisco firewall config and multiple websites

That is a good question. I don't know what the answer is. However, you can figure that out for yourself. Here's how:

Get yourself a syslog server like the free Kiwi Syslog tool. Set it up on a PC, then set up syslog logging to this box on the firewall.

Using:
logging on
logging timestamp
logging trap warnings
logging history errors
logging host inside

Implement just the server's IP of 15.60, then run your tests. Look at the syslog logfile. If the 15.61 to 15.64 IPs are being denied, the syslog will tell you. And that will give you your answer. Please post your results here; I am curious about the solution also.
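To make the "look at the syslog logfile" step concrete, here is an added example (not from the answer's author, written in Python) that reads a PIX/ASA syslog file and groups the denied flows by source address, so it is immediately visible whether 15.61 to 15.64 ever appear as sources toward the SQL server. The log lines are constructed for this example: the 106023 "Deny" and 302013 "Built ... connection" layouts are the standard PIX/ASA message formats, but the interface names, ports and ACL name are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of what a Kiwi-style syslog file might hold from a PIX/ASA.
# Interface names ("dmz", "inside"), ports and the ACL name are invented.
SAMPLE_LOG = """\
Aug 12 10:01:02 192.168.15.1 %PIX-4-106023: Deny tcp src dmz:192.168.15.61/3245 dst inside:192.168.10.20/1434 by access-group "dmz_in"
Aug 12 10:01:02 192.168.15.1 %PIX-4-106023: Deny udp src dmz:192.168.15.61/3246 dst inside:192.168.10.20/1434 by access-group "dmz_in"
Aug 12 10:01:05 192.168.15.1 %PIX-4-106023: Deny tcp src dmz:192.168.15.62/3300 dst inside:192.168.10.20/3128 by access-group "dmz_in"
Aug 12 10:01:09 192.168.15.1 %PIX-6-302013: Built outbound TCP connection 4711 for dmz:192.168.15.60/3301 (192.168.15.60/3301) to inside:192.168.10.20/1434 (192.168.10.20/1434)
Aug 12 10:01:11 192.168.15.1 %PIX-4-106023: Deny tcp src dmz:192.168.15.99/4000 dst inside:192.168.10.50/445 by access-group "dmz_in"
"""

# Matches the 106023 ACL-deny message: protocol, source/destination interface,
# address and port. Severity digit and PIX/ASA prefix are both accepted.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)


def parse_denies(log_text: str) -> List[dict]:
    """Extract every 106023 deny record; all other messages are ignored."""
    records = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def denied_flows_to(log_text: str, destination: str) -> Dict[str, List[str]]:
    """Map each denied source address to the sorted, de-duplicated list of
    `proto dst/port` flows it was blocked from reaching, for one destination.
    Ephemeral source ports are dropped so retries collapse into one entry."""
    flows: Dict[str, set] = defaultdict(set)
    for rec in parse_denies(log_text):
        if rec["dst"] == destination:
            flows[rec["src"]].add(f'{rec["proto"]} {rec["dst"]}/{rec["dport"]}')
    return {src: sorted(v) for src, v in sorted(flows.items())}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of the real syslog file.
    for src, flows in denied_flows_to(SAMPLE_LOG, "192.168.10.20").items():
        print(src, "->", ", ".join(flows))
```

One caveat when reading the output: with `logging trap warnings` as in the answer's configuration, only severity 0 to 4 messages reach the syslog host, so the 106023 denies (severity 4) are sent but the 302013 "Built connection" messages (severity 6) are not. An empty result therefore means no denies were seen, not that the permitted flows were observed; to see the successful connections as well, the trap level would have to be raised to informational.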