Try this:

pix(config)# access-list <acl-name> permit tcp host 10.1.1.X host 192.168.20.10 eq 7000
pix(config)# access-group <acl-name> in interface <dmz-ifname>

where you fill in the correct value for "X" in the source IP address that needs to access the inside, <acl-name> is whatever you want to name your access list, and <dmz-ifname> is the name you gave the DMZ interface in the "nameif" command.

Note: Currently all traffic from the DMZ to the outside is allowed. The moment you apply that access list to the DMZ interface, all outbound traffic (traffic INTO the DMZ interface and headed anywhere on the outside) will be blocked. There is an implied "deny any any" at the end of the access list. You will then have to open up the ports to the outside that boxes in your DMZ need to use. If the same box needs WWW access to the outside world, you will need a statement like this:

pix(config)# access-list <acl-name> permit tcp host 10.1.1.X any eq 80

The "any" is the destination IP address. If it only goes to a specific WWW site, you can use "host A.B.C.D" instead of "any". With the statement as written above you've allowed the pix to access any web server anywhere, assuming it's running on port 80. The same can be done with FTP, SMTP, DNS (except it would be "permit udp" instead of "permit tcp") or any other traffic originating from the DMZ. Any traffic already allowed via access lists from the outside to the DMZ will not be affected, only traffic originating in the DMZ.

The official line from Cisco is that it's not a good idea to mix static/conduits and access-list/access-groups on the same box. If you're allowing traffic from the outside into your DMZ via static/conduit pairs, you may have intermittent troubles using both. I've not experienced it personally; I just know what I've read in all of Cisco's docs about it. You may need to consider switching to access-list/access-group instead of conduits. The static statements should remain the same.

If you were going from the inside to the DMZ you would need a "static" statement defining the inside network to the DMZ, but I don't believe you do from a less secure interface to a more secure interface. The two statements above should be all you need to put in your config.

Hope this helps (and it wasn't 10,000 times more info than you wanted).

Mark Smith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]

Fellows,

I have a scenario here: I have a PIX firewall with 3 interfaces, Inside, Outside and DMZ. Machines on the Inside interface can access servers on the DMZ zone, no problem. I have to facilitate limited access from DMZ zone servers to a host on the Inside interface.

Let's take an example. I have a server on the DMZ zone, 10.1.1.1, and I need to allow TCP port 7000 from this server to a host on the Inside zone whose IP address is 192.168.20.10.

I have a raw configuration in my mind, but since I don't have a PIX with 3 interfaces in my lab I cannot test it. I know I have to put in an access list / NAT to do this. Any config welcome.

Thanks,
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69892&t=69877
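The point Mark makes above, that a PIX access-list is evaluated top-down, first match wins, and ends in an implied "deny any any", is easy to get wrong when a formerly unrestricted DMZ interface suddenly gets an access-group. The following is an added example, not part of the thread and not PIX code: a small Python model of that evaluation, fed the two access-list lines from the reply (with X = 1 and the ACL named dmz_in, both assumed) plus a third, assumed "permit udp ... eq 53" line for DNS. It parses only the "access-list NAME permit|deny PROTO SRC DST [eq PORT]" forms used in the thread, and the flows it checks are constructed for the example.

```python
"""Toy model of PIX access-list evaluation: first matching entry decides,
and a flow that matches nothing hits the implicit 'deny any any'.
Added example; not PIX code and not a complete ACL parser."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (ip matches any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # classic PIX form: address followed by a dotted subnet mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> dict:
    """Return {acl_name: [Rule, ...]} preserving the order the lines appear in."""
    acls: dict = {}
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
    return acls


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit 'deny any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# The two lines from the reply (X = 1, name dmz_in assumed), in order.
DMZ_ACL = parse_acl([
    "access-list dmz_in permit tcp host 10.1.1.1 host 192.168.20.10 eq 7000",
    "access-list dmz_in permit tcp host 10.1.1.1 any eq 80",
])["dmz_in"]

# Same list with the assumed DNS line; note it must be udp, as the reply says.
DMZ_ACL_WITH_DNS = DMZ_ACL + parse_acl([
    "access-list dmz_in permit udp host 10.1.1.1 any eq 53",
])["dmz_in"]


def decide(proto: str, src: str, dst: str, dport: int, with_dns: bool = False) -> str:
    return evaluate(DMZ_ACL_WITH_DNS if with_dns else DMZ_ACL, proto, src, dst, dport)


if __name__ == "__main__":
    # constructed flows: the requested port 7000, a neighbour, web and DNS
    flows = [
        ("tcp", "10.1.1.1", "192.168.20.10", 7000),
        ("tcp", "10.1.1.2", "192.168.20.10", 7000),
        ("tcp", "10.1.1.1", "192.168.20.10", 22),
        ("tcp", "10.1.1.1", "203.0.113.5", 80),
        ("udp", "10.1.1.1", "203.0.113.53", 53),
    ]
    for f in flows:
        print(f, "->", decide(*f), "| with DNS line:", decide(*f, with_dns=True))
```

Run it and the second and third flows show the implied deny doing its work: only the named source host and only port 7000 reach the inside, and the UDP DNS query is dropped until its own udp line is added, which is exactly the "you will have to open up ports to the outside" step in the reply.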