It's NAT. Source DMZ. Destination SQL server. Should it be route?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, July 11, 2006 8:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: [ISAServer] DMZ to SQL

Hi Amy,

Is the Network Rule set for Route or NAT between the DMZ and the Internal Network?

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, July 11, 2006 7:23 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: RE: [ISAServer] DMZ to SQL
>
> Original Client IP  Client Agent  Authenticated Client  Service
> Server Name  Referring Server  Destination Host Name  Transport
> MIME Type  Object Source  Source Proxy  Destination Proxy
> Bidirectional  Client Host Name  Filter Information  Network Interface
> Raw IP Header  Raw Payload  Source Port  Processing Time
> Bytes Sent  Bytes Received  Result Code  HTTP Status Code
> Cache Information  Error Information  Log Record Type  Log Time
> Destination IP  Destination Port  Protocol  Action  Rule  Client IP
> Client Username  Source Network  Destination Network
> HTTP Method
> URL
>
> 10.0.0.10 - VM-SBS - TCP
> - - - - - - 2058
> 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED
> 0x0 0x0 Firewall 7/11/2006 3:42:05 PM 192.168.26.10
> 1433 Microsoft SQL (TCP) Denied Connection Default rule
> 10.0.0.10 - DMZ Internal
>
> I've got a DMZ to SQL rule that is supposed to allow the DMZ to
> communicate with the SQL server using Microsoft SQL Server (TCP)
> protocol. I've tried specifying the SQL server by name, by IP, just
> Internal network; I've tried adding Microsoft SQL (TCP) and Microsoft
> SQL (UDP) to the allowed protocols in the rule. Nothing changes, I still
> get the log above.
>
> Seems like if the web server is communicating on the network (it's a
> member server) and if I can ping from the web server all the way to the
> SQL server that this should be working. (sensing my frustration yet?) I
> added ICMP to the DMZ to SQL rule just to check my routing and DNS. ICMP
> uses the correct rule. The SQL protocol just blows by it.
>
> I'll gather the rest of the info tomorrow.
>
> Thanks,
>
> Amy
>
> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
> Sent: Tuesday, July 11, 2006 7:53 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: RE: [ISAServer] DMZ to SQL
>
> Dunno; got:
> - ISABPA
> - ISAInfo
> - logging excerpts
> ?
> Rule behavior is nearly impossible to evaluate without this data.
>
> Jim Harrison
> SASD (ISA SE)
> If We Can't Fix It - It Ain't Broke!
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, July 11, 2006 4:10 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: [ISAServer] DMZ to SQL
>
> I'm stumped. Working with a client to set up a DMZ for a web server.
> Sounds easy enough. The web server (in the DMZ) needs to talk to an SQL
> server on the Internal network. The web server can communicate DNS, ICMP
> and any domain communications protocols that I throw at it. It can even
> ping the SQL server and the SQL server can ping it.
>
> But SQL Server protocol port 1433 blows right by my DMZ access rule and
> gets blocked by the default rule.
>
> Is there something special about SQL? This is the first time I've tried
> to give access from DMZ to an SQL server.
>
> Thanks,
>
> Amy
> ---
> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
>
> To leave the list - send an email to list@xxxxxxxxxxxxxxx
> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
>
> Don't forget the comma!
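An added example, not part of the thread: it maps an ISA Server firewall log record onto the column names Amy quoted and summarises why the connection was denied. It assumes the log is exported tab-separated in that column order; the sample record is reconstructed from Amy's excerpt, with blank fields where the mail extraction collapsed them.

```python
# Added example: key an ISA Server firewall log record by the column names quoted in
# the thread and explain a deny that fell through to the Default rule.
FIELDS = [
    "Original Client IP", "Client Agent", "Authenticated Client", "Service", "Server Name",
    "Referring Server", "Destination Host Name", "Transport", "MIME Type", "Object Source",
    "Source Proxy", "Destination Proxy", "Bidirectional", "Client Host Name",
    "Filter Information", "Network Interface", "Raw IP Header", "Raw Payload", "Source Port",
    "Processing Time", "Bytes Sent", "Bytes Received", "Result Code", "HTTP Status Code",
    "Cache Information", "Error Information", "Log Record Type", "Log Time", "Destination IP",
    "Destination Port", "Protocol", "Action", "Rule", "Client IP", "Client Username",
    "Source Network", "Destination Network", "HTTP Method", "URL",
]
# Constructed from the record Amy posted; a tab-separated export in the column order
# above is assumed, with blank fields where the mail extraction collapsed them.
_SAMPLE = {
    "Original Client IP": "10.0.0.10", "Server Name": "VM-SBS", "Transport": "TCP",
    "Source Port": "2058", "Processing Time": "0", "Bytes Sent": "0", "Bytes Received": "0",
    "Result Code": "0xc004000d FWX_E_POLICY_RULES_DENIED", "HTTP Status Code": "0x0",
    "Cache Information": "0x0", "Log Record Type": "Firewall",
    "Log Time": "7/11/2006 3:42:05 PM", "Destination IP": "192.168.26.10",
    "Destination Port": "1433", "Protocol": "Microsoft SQL (TCP)", "Action": "Denied Connection",
    "Rule": "Default rule", "Client IP": "10.0.0.10", "Client Username": "-",
    "Source Network": "DMZ", "Destination Network": "Internal",
}
SAMPLE_LINE = "\t".join(_SAMPLE.get(name, "") for name in FIELDS)

def parse_record(line):
    """Split one tab-separated log line and key it by column name."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def triage(rec):
    """Summarise a denied flow and list what to re-check when no access rule matched."""
    fell_through = rec["Action"].startswith("Denied") and rec["Rule"] == "Default rule"
    checks = []
    if fell_through:
        checks.append("no access rule matched this flow: confirm the rule's protocol, "
                      "source and destination cover it")
        checks.append(f"verify the network rule between {rec['Source Network']} and "
                      f"{rec['Destination Network']} (Route vs NAT)")
    return {
        "path": f"{rec['Source Network']} -> {rec['Destination Network']}",
        "flow": f"{rec['Client IP']}:{rec['Source Port']} -> "
                f"{rec['Destination IP']}:{rec['Destination Port']} {rec['Protocol']}",
        "result": rec["Result Code"],
        "denied_by_default_rule": fell_through,
        "checks": checks,
    }
```

Running `triage(parse_record(SAMPLE_LINE))` on the reconstructed record reports the DMZ -> Internal path, the 1433/TCP flow and the two checks the thread raises.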