new DMZ, web server needs to get to SQL server

Firewall Question:  I have an Astaro 120 Firewall/Gateway and our company recently purchased a web server to be placed in a DMZ.  I am new to networking and have read that I want to set up the firewall to drop all packets from the DMZ to our internal LAN, BUT our SQL server we use internally is (hopefully) going to serve data to the web server upon request.  What is the right way to have our web server in the DMZ but to still have access to our SQL server on the LAN?  Or am I thinking about this the wrong way?
Yep, you're thinking about it in the correct way.  I'm not familiar with your firewall to give you exact commands, but you have the idea.  At a high level, think of it as three different zones:

LAN - trusted
DMZ - semi-trusted
Internet - not trusted

You would set up your DMZ zone so that it would initially have no access to your internal LAN.  You could allow it to make outbound Internet requests freely (if you so choose), but it itself cannot initiate connections to the LAN.  Once you know that this is working as designed, you can now "poke" a hole from the DMZ to your LAN so that the web server in the DMZ can make SQL server requests.  But you would configure the firewall so that the web server (Ex. can initiate requests only to SQL server (Ex., and then only on the necessary ports (1433 for SQL by default).  So you want to be as specific as possible to minimize your risk.
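An added illustration of the rule ordering the answer describes, written as a small Python policy check; it is not from the original post or from Astaro, and the addresses, the host names and the inbound HTTPS rule are constructed placeholders because the post's example IPs are not shown.

```python
import ipaddress

# Constructed example addressing (assumption, not the poster's real network).
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ": ipaddress.ip_network("172.16.0.0/24"),
}
WEB_SERVER = ipaddress.ip_address("172.16.0.10")   # assumed DMZ web server
SQL_SERVER = ipaddress.ip_address("10.0.0.20")     # assumed LAN SQL server

def zone_of(ip):
    """Map an address to LAN or DMZ; anything else is the untrusted Internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Internet"

# First-match rule table, most specific rule first, as the answer recommends.
# Tuple: (src zone, dst zone, src host or None, dst host or None, dst port or None, action)
RULES = [
    ("DMZ", "LAN", WEB_SERVER, SQL_SERVER, 1433, "ALLOW"),  # the single "poked" hole
    ("DMZ", "LAN", None, None, None, "DROP"),               # DMZ may not initiate to LAN
    ("DMZ", "Internet", None, None, None, "ALLOW"),         # optional outbound from DMZ
    ("LAN", "DMZ", None, None, None, "ALLOW"),              # trusted side may reach DMZ
    ("LAN", "Internet", None, None, None, "ALLOW"),
    ("Internet", "DMZ", None, WEB_SERVER, 443, "ALLOW"),    # assumed public HTTPS only
]

def decide(src, dst, dport):
    """Return ALLOW or DROP for a new connection; no matching rule means DROP."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src_zone, rule_dst_zone, rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src_zone, rule_dst_zone) != (src_zone, dst_zone):
            continue
        if rule_src is not None and rule_src != src:
            continue
        if rule_dst is not None and rule_dst != dst:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "DROP"  # implicit default deny for anything not listed
```

Swapping the first two DMZ-to-LAN rules would silently close the hole, which is why the specific allow must sit above the zone-wide drop.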
Question has a verified solution.