Your access list for the dmz interface (ping_acl) only allows icmp traffic. The implicit 'deny any any' at the end is stopping your traffic.
As a side note - it's a bad idea to post configs with passwords - encrypted or not - to any public forum. Which this is.

Good luck...

Berry

At 09:35 AM 1/25/2002 -0500, you wrote:
>The following is my configuration of the pix 525; now the nodes in the dmz cannot
>connect to the outside, why?
>And do I have to use the NAT command for the traffic from the dmz to the
>outside? It seems that the pix can't route the dmz traffic to the outside.
>Help me! Please!
>
>sh conf
>: Saved
>:
>PIX Version 6.0(1)
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>nameif ethernet2 dmz security50
>nameif ethernet3 intf3 security15
>nameif ethernet4 intf4 security20
>enable password 8Ry2YjIyt7RRXU24 encrypted
>passwd 2KFQnbNIdI.2KYOU encrypted
>hostname pixfirewall
>fixup protocol ftp 21
>fixup protocol http 80
>fixup protocol h323 1720
>fixup protocol rsh 514
>fixup protocol smtp 25
>fixup protocol sqlnet 1521
>fixup protocol sip 5060
>fixup protocol skinny 2000
>names
>access-list acl_in permit tcp any host 202.99.33.69 eq smtp
>access-list acl_in permit tcp any host 202.99.33.72 eq www
>access-list acl_in permit tcp any host 202.99.33.66 eq domain
>access-list acl_in permit tcp any host 202.99.33.67 eq domain
>access-list acl_in permit icmp any any
>access-list ping_acl permit icmp any any
>pager lines 30
>interface ethernet0 auto
>interface ethernet1 auto
>interface ethernet2 auto
>interface ethernet3 auto shutdown
>interface ethernet4 auto shutdown
>mtu outside 1500
>mtu inside 1500
>mtu dmz 1500
>mtu intf3 1500
>mtu intf4 1500
>ip address outside 210.82.34.29 255.255.255.0
>ip address inside 192.168.4.1 255.255.255.0
>ip address dmz 202.99.33.254 255.255.255.0
>ip address intf3 127.0.0.1 255.255.255.255
>ip address intf4 127.0.0.1 255.255.255.255
>ip audit info action alarm
>ip audit attack action alarm
>no failover
>failover timeout 0:00:00
>failover poll 15
>failover ip address outside 0.0.0.0
>failover ip address inside 0.0.0.0
>failover ip address dmz 0.0.0.0
>failover ip address intf3 0.0.0.0
>failover ip address intf4 0.0.0.0
>pdm history enable
>arp timeout 14400
>global (dmz) 1 202.99.33.73 netmask 255.255.255.0
>nat (inside) 1 0 0
>nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
>static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
>static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
>static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
>static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
>access-group acl_in in interface outside
>access-group ping_acl in interface dmz
>route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
>timeout xlate 3:00:00
>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>timeout uauth 0:05:00 absolute
>aaa-server TACACS+ protocol tacacs+
>aaa-server RADIUS protocol radius
>no snmp-server location
>no snmp-server contact
>snmp-server community public
>no snmp-server enable traps
>floodguard enable
>no sysopt route dnat
>telnet timeout 5
>ssh timeout 5
>terminal width 80
>Cryptochecksum:3be86ece2c90058e0c9190f986717d63
>
>pixfirewall#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33235&t=33184
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
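
The first-match and implicit-deny behaviour described in the reply, as an added example that is not part of the original thread: a small Python evaluator run over the `access-list` and `access-group` lines from the posted config. The parser, the function names and the 198.51.100.10 test destination are assumptions; only the `any`, `host` and address/mask forms and a destination `eq` port are handled.

```python
import ipaddress

# access-list / access-group lines copied from the posted config
CONFIG = """\
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit tcp any host 202.99.33.72 eq www
access-list acl_in permit tcp any host 202.99.33.66 eq domain
access-list acl_in permit tcp any host 202.99.33.67 eq domain
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
access-group acl_in in interface outside
access-group ping_acl in interface dmz
"""
PORTS = {"smtp": 25, "www": 80, "domain": 53}  # port keywords used above

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(config):
    """Return ({acl_name: [rules]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[:1] == ["access-group"]:
            bindings[t[4]] = t[1]  # access-group <acl> in interface <if>
    return acls, bindings

def check(acls, bindings, iface, proto, src, dst, dport=None):
    """First matching line decides; no match falls through to the implicit deny."""
    name = bindings[iface]
    for n, (action, p, s, d, port) in enumerate(acls[name], 1):
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action, f"{name} line {n}"
    return "deny", "implicit deny"

ACLS, BINDINGS = parse(CONFIG)
```

Calling `check(ACLS, BINDINGS, "dmz", "tcp", "202.99.33.69", "198.51.100.10", 80)` shows the DMZ host's outbound web connection falling through `ping_acl` to the implicit deny, while the same call with `"icmp"` is permitted.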