It should be Route if you want to use an Access Rule, but you should just bag the DMZ --> SQL Network Rule.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Tuesday, July 11, 2006 7:29 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] DMZ to SQL
>
> It's NAT. Source DMZ. Destination SQL server. Should it be Route?
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, July 11, 2006 8:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] DMZ to SQL
>
> Hi Amy,
>
> Is the Network Rule set for Route or NAT between the DMZ and the Internal Network?
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Tuesday, July 11, 2006 7:23 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: RE: [ISAServer] DMZ to SQL
> >
> > Original Client IP  Client Agent  Authenticated Client  Service  Server Name  Referring Server  Destination Host Name  Transport  MIME Type  Object Source  Source Proxy  Destination Proxy  Bidirectional  Client Host Name  Filter Information  Network Interface  Raw IP Header  Raw Payload  Source Port  Processing Time  Bytes Sent  Bytes Received  Result Code  HTTP Status Code  Cache Information  Error Information  Log Record Type  Log Time  Destination IP  Destination Port  Protocol  Action  Rule  Client IP  Client Username  Source Network  Destination Network  HTTP Method  URL
> >
> > 10.0.0.10  -  VM-SBS  -  TCP  -  -  -  -  -  -  2058  0  0  0  0xc004000d  FWX_E_POLICY_RULES_DENIED  0x0  0x0  Firewall  7/11/2006 3:42:05 PM  192.168.26.10  1433  Microsoft SQL (TCP)  Denied Connection  Default rule  10.0.0.10  -  DMZ  Internal
> >
> > I've got a DMZ to SQL rule that is supposed to allow the DMZ to communicate with the SQL server using the Microsoft SQL Server (TCP) protocol. I've tried specifying the SQL server by name, by IP, just the Internal network; I've tried adding Microsoft SQL (TCP) and Microsoft SQL (UDP) to the allowed protocols in the rule. Nothing changes, I still get the log above.
> >
> > Seems like if the web server is communicating on the network (it's a member server) and if I can ping from the web server all the way to the SQL server that this should be working. (Sensing my frustration yet?) I added ICMP to the DMZ to SQL rule just to check my routing and DNS. ICMP uses the correct rule. The SQL protocol just blows by it.
> >
> > I'll gather the rest of the info tomorrow.
> >
> > Thanks,
> >
> > Amy
> >
> > -----Original Message-----
> > From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
> > Sent: Tuesday, July 11, 2006 7:53 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: RE: [ISAServer] DMZ to SQL
> >
> > Dunno; got:
> > - ISABPA
> > - ISAInfo
> > - logging excerpts
> > ?
> > Rule behavior is nearly impossible to evaluate without this data.
> >
> > Jim Harrison
> > SASD (ISA SE)
> > If We Can't Fix It - It Ain't Broke!
> >
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Tuesday, July 11, 2006 4:10 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: [ISAServer] DMZ to SQL
> >
> > I'm stumped. Working with a client to set up a DMZ for a web server. Sounds easy enough. The web server (in the DMZ) needs to talk to an SQL server on the Internal network. The web server can communicate DNS, ICMP and any domain communications protocols that I throw at it. It can even ping the SQL server and the SQL server can ping it.
> >
> > But SQL Server protocol port 1433 blows right by my DMZ access rule and gets blocked by the default rule.
> >
> > Is there something special about SQL? This is the first time I've tried to give access from DMZ to an SQL server.
> >
> > Thanks,
> >
> > Amy
> > ---
> > To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> > In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
> >
> > To leave the list - send an email to list@xxxxxxxxxxxxxxx
> > In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
> >
> > Don't forget the comma!
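The triage the thread does by hand (spot the Default-rule denial, then ask whether an allow rule should have caught that flow) is easy to script once you have an ISA firewall-log export. The following is an added example, not code from the thread or from any of its participants. It assumes a reduced, tab-separated column set (the real export pasted above has many more columns), and the sample records and the access policy are constructed for illustration; only the first sample record mirrors the denial Amy pasted.

```python
"""Triage an ISA Server firewall-log excerpt: list connections that fell
through every access rule and were denied by the Default rule, and say
whether a configured allow rule looks like it should have covered them.

Added example; column set, sample records and policy are assumptions."""

# Assumed reduced column set. The full ISA export has ~39 columns; these
# are the ones needed to reason about which rule matched.
COLUMNS = [
    "Result Code", "Error Information", "Log Record Type", "Log Time",
    "Destination IP", "Destination Port", "Protocol", "Action", "Rule",
    "Client IP", "Client Username", "Source Network", "Destination Network",
]

# Constructed sample export (tab-separated, "-" for empty). Record 1 mirrors
# the denial from the thread; records 2-4 are invented for contrast.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ["0xc004000d", "FWX_E_POLICY_RULES_DENIED", "Firewall",
     "7/11/2006 3:42:05 PM", "192.168.26.10", "1433", "Microsoft SQL (TCP)",
     "Denied Connection", "Default rule", "10.0.0.10", "-", "DMZ", "Internal"],
    ["0x0", "-", "Firewall", "7/11/2006 3:42:06 PM", "192.168.26.10", "0",
     "PING", "Initiated Connection", "DMZ to SQL", "10.0.0.10", "-",
     "DMZ", "Internal"],
    ["0x0", "-", "Firewall", "7/11/2006 3:42:07 PM", "192.168.26.2", "53",
     "DNS", "Initiated Connection", "Allow DNS from DMZ", "10.0.0.10", "-",
     "DMZ", "Internal"],
    ["0xc004000d", "FWX_E_POLICY_RULES_DENIED", "Firewall",
     "7/11/2006 3:42:09 PM", "192.168.26.10", "1434", "Microsoft SQL (UDP)",
     "Denied Connection", "Default rule", "10.0.0.10", "-", "DMZ", "Internal"],
])

# Constructed access policy in evaluation order, modelled on the rule Amy
# describes (SQL TCP plus ICMP from DMZ to Internal). Hypothetical names.
ACCESS_RULES = [
    {"name": "DMZ to SQL", "from": {"DMZ"}, "to": {"Internal"},
     "protocols": {"Microsoft SQL (TCP)", "PING"}, "action": "Allow"},
    {"name": "Allow DNS from DMZ", "from": {"DMZ"}, "to": {"Internal"},
     "protocols": {"DNS"}, "action": "Allow"},
    {"name": "Default rule", "from": {"*"}, "to": {"*"},
     "protocols": {"*"}, "action": "Deny"},
]


def parse_log(text):
    """Parse tab-separated records into dicts keyed by COLUMNS."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(COLUMNS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(COLUMNS), len(values)))
        records.append(dict(zip(COLUMNS, values)))
    return records


def default_rule_denials(records):
    """Records the policy engine denied because no other rule matched."""
    return [r for r in records
            if r["Rule"] == "Default rule" and r["Action"].startswith("Denied")]


def covering_rule(record, rules):
    """Name of the first non-default rule whose source network, destination
    network and protocol all cover the record, or None."""
    for rule in rules:
        if rule["name"] == "Default rule":
            continue
        if (record["Source Network"] in rule["from"]
                and record["Destination Network"] in rule["to"]
                and record["Protocol"] in rule["protocols"]):
            return rule["name"]
    return None


def triage(records, rules):
    """Split Default-rule denials into flows an allow rule appears to cover
    (the packet never reached that rule: check rule order, the Network Rule
    between the two networks, and which network each IP actually belongs
    to) and flows that no rule covers at all (the policy is missing a rule)."""
    result = {"covered_but_denied": [], "uncovered": []}
    for r in default_rule_denials(records):
        flow = (r["Source Network"], r["Destination Network"],
                r["Protocol"], r["Destination Port"])
        name = covering_rule(r, rules)
        if name:
            result["covered_but_denied"].append((name,) + flow)
        else:
            result["uncovered"].append(flow)
    return result


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), ACCESS_RULES)
    for entry in report["covered_but_denied"]:
        print("rule '%s' covers %s -> %s %s/%s, yet Default rule denied it" % entry)
    for flow in report["uncovered"]:
        print("no access rule covers %s -> %s %s/%s" % flow)
```

A flow that lands in `covered_but_denied` is the interesting case from the thread: the rule exists and names the right networks and protocol, so the cause is upstream of rule evaluation (rule ordering, the Network Rule relationship between the two networks, or an address that is not actually in the network the rule expects), which is exactly the line of questioning Tom follows.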