DMZ configuration with sql server on the inside
This configuration snippet shows how to setup a web server on a dmz segment that needs to talk to a server on the inside of your network such as a sql server. The web server can be accessed from the Internet on port 80 and port 443. The sql server can only be accessed on port 1433 from the web server on the dmz segment. This model gives an extra layer of protection for your backend data.
# This configuration was taken from a PIX running 6.3(4) with default security assignments of 0 on the outside
# and 100 on the inside. A security assignment of 50 was given to the dmz segment.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
# The access list allows tcp traffic from any source address to reach the web server on the specified ports.
# This opens up an entry point for Internet users to reach this server. Remember when going from a lower
# security interface to a higher security interface you need an access-list along with a static command for the
# server. Therefore the host defined in the access-list needs to have a static entry which is further down in
# the configuration. Access-lists that get applied to the outside interface should always point to the published
# public IP address. The public IP address is published with the static command.
access-list outside-entry permit tcp any host 172.16.1.10 eq www
access-list outside-entry permit tcp any host 172.16.1.10 eq https
# Again the DMZ interface has a lower security value so an access-list and static command are needed in order
# to allow traffic to originate from the DMZ to the inside.
access-list dmz-entry permit tcp host 192.168.1.10 host 10.1.1.20 eq 1433
ip address outside 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
# When going from a higher interface to a lower interface a NAT and global command are used.
# Any address on the 10.1.1.0 / 24 inside network going to the outside will use PAT translating the source IP
# to the IP address that is configured on the outside interface above.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
# The static command publishes the address of 172.16.1.10 as an available address on the outside of the pix
# that translates to 192.168.1.10 on the dmz of the pix.
static (dmz,outside) 172.16.1.10 192.168.1.10 netmask 255.255.255.255 0 0
# This static command publishes the address of 10.1.1.20 as an available address on the dmz of the pix which
# is also known as itself on the inside of the PIX.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255 0 0
# The access-lists are not used until they are applied to the interface as shown below.
access-group outside-entry in interface outside
access-group dmz-entry in interface dmz
# Finally for reference a default route is defined to the Internet.
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
# Default configuration lines have been omitted.
Refer to http://ciscoconfigs.net/
