We recently moved our websites over to a DMZ running on our Astaro v4 box. We can successfully access all the websites from both the internet and intranet. However, our webservers in the DMZ need to utilize a SQL server that's on our internal network. When the webserver attempts to connect to the sql server, we get timeout errors.

I've set two different rules in the packetfilter:

DMZ > SQL Service > SQL Server Allow
DMZ > InternalNetwork_ > All Allow

Neither one will allow the web server to login to the SQL server. Nothing shows up in the PacketFilter as being blocked when I make the SQL request. If I turn the above rules off, then the attempts are shown in the PacketFilter as being blocked.

From the SQL server itself, I can ping, tracert, and even connect to admin file shares on the web server in the DMZ, so it obviously knows how to get to the web server.

What brand of SQL server?

Create a SNAT rule that makes the internal network's SQL server's relevant service port(s) visible to the web server on the DMZ net, so that it can access it. Something like this might work:

SQL_Access DMZ_Network__ -> DMZ_Interface__ / SQL None sqlserver.domain.com

It's Microsoft SQL 2000 with SP3.

I created the SNAT rule but that didn't help.

What type of security are you using? Windows integrated??
Sure you're not using "named pipes", etc.?
Should be TCP-IP, 1434...

Have you tried a telnet test from the web server to see if you're hitting the SQL server (telnet server 1434); see if you get an hourglass (connection not getting through) or a blank screen (got through; waiting for binary SQL dialog).

If you change your SQL configuration, first make sure the web server can access it without the firewall barrier in place.

Windows Integrated Security needs additional ports; but you said you didn't see those getting blocked?

We're using SQL authentication, and it's TCPIP, no named pipes. Telnet to the server results in the blank screen.

Anything in the Event Logs of either machines?
Make sure Security Failures get logged (security logging is not enabled by default, you know...)

Can you "ping, tracert, and even connect to admin file shares" (by name!) from the web server to the SQL box??

Gateway of the web server set to Astaro?

If the ping by name doesn't work, you will need to make a hosts/lmhosts entry...

We can ping, but not by name. Never had to do that before with our other Linux firewalls. I'm connecting to the sql server using it's ip address. I can ping and connect to admin shares via the IP address.

Problem solved. I had to set the DNS servers on the web server nics to the local dns servers of our internal network. Then I had to setup a rule allowing DNS traffic from the web nics to the dns servers.

You see why I always ask these mundane questions now...