Question : cisco firewall config and multiple websites

hey all,
i have a cisco firewall that stands between two domains. i have domain A [192.168.10.x] which is the main domain and domain B [192.168.15.x] which is the "dmz" zone. domain B trusts domain A... but you wont need to know that.

i have a sql server [192.168.10.20] in domain a and a web server [192.168.15.60] on domain B that needs to talk to it through ports tcp 1434, udp 1434, tcp 3128.

now here is where it might get complicated.
the web server on domain b has a machine IP address of 192.168.15.60. but i have 4 IIS websites on this box that need to talk to the sql server in domain a. dns is working ok i can ping and see the servers and their domains regardless of which box i am using.

-------------------------------
sql server:
ip address : 192.168.10.20
member of domain a
-------------------------------
web server:
ip address : 192.168.15.60
member of domain b
website one : 192.168.15.61
website two : 192.168.15.62
website three : 192.168.15.63
website four : 192.168.15.64
-------------------------------

my question is when the webserver makes a request to the sql server does it use the website IP to go through the firewall or does it use the server's ip address of 192.168.15.60??

permit tcp host 192.168.15.60 host 192.168.10.20 eq ?? ((this is assuming the web requests use the server's ip address))

or

permit tcp host 192.168.15.61 host 192.168.10.20 eq ((this is assuming the web requests use the website's ip address))
permit tcp host 192.168.15.62 host 192.168.10.20 eq
permit tcp host 192.168.15.63 host 192.168.10.20 eq
permit tcp host 192.168.15.64 host 192.168.10.20 eq

on the firewall: what should my rules be?

please let me know.. thanks all

Answer : cisco firewall config and multiple websites

That is a good question. I don't know what the answer is. However, you can figure that out for yourself. Here's how:

Get yourself a syslog server like the Free KIWI syslog tool. Set it up on a PC then setup syslog logging to this box on the firewall.

Using:
logging on
logging timestamp
logging trap warnings
logging history errors
logging host inside

Implement just the server's Ip of 15.60 then run your tests. Look at the syslog logfile. If the 15.61 to 15.64 Ip's are being denied, the syslog will tell you. And that will give you your answer. Please post your results here, I am curious about the solution also.

Random Solutions

Help starting to use DameWare Mini Remote Control

Unable to rnew IP address

Restrict DCHP / Issue different Default Gateway to Domain Members

natting on same inside host different ports ....

Unable to remote desktop to computer

Client always locked out in AD

Any advice on sucess of Zenworks Configuration Management in a windows environment

Troubleshooting Catalyst 2950 Gigabit Interface

Connect to Nokia 8210 through Data Cable

VOIP QOS Cisco 2800 and 1800s - Metro-Ethernet