Pix 515E ACL Layouts

Unanswered Question
May 16th, 2007

I'm configuring a 515E for the first time and it has five interfaces configured. It's running in routed mode in a single context. I'm used to transparent mode and multiple contexts, so I'm unsure about the orientation of the ACLs.

I'm trying to allow traffic in from the outside to webservers in the DMZ. I've set up static NAT for each server with a public address on the outside and a private address on the inside.

ASDM says the ACL entries are incomplete. Have I got something wrong?

name 10.0.x.x DOTNET01i1
name 195.58.x.x DOTNET01i1-OUT

static (DMZ,outside) DOTNET01i1-OUT DOTNET01i1 netmask

object-group network ALL-DMZ-www
 description All DMZ web servers
 network-object DOTNET01i1

object-group network Public_Web_Servers
 description All web servers with public routable addresses
 network-object DOTNET01i1-OUT

object-group service http_and_https tcp
 description TCP Ports 80 and 443
 port-object eq www
 port-object eq https

access-list inbound extended permit tcp any object-group Public_Web_Servers object-group http_and_https

access-list DMZ-inbound extended permit tcp any object-group ALL-DMZ-www object-group http_and_https

access-group inbound in interface outside
access-group DMZ-inbound in interface DMZ

Any pointers appreciated!

Jon Marshall Wed, 05/16/2007 - 23:16


It should make a difference as far as the acl's are concerned whether you use contexts or not.

If you just want to allow web traffic through from outside to DMZ then you do not need the access-list DMZ-inbound and the access-group DMZ-inbound statements. These are only needed if the servers in the DMZ need to talk to web servers on the Internet.

Try and clear the unnecessary entries and see if ASDM is happy. Unfortunately I don't use ASDM myself. What I have noticed though is that you can't configure some of the firewall from the CLI and some with ASDM without ASDM complaining.
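As an added example, not taken from the question or the reply above, here is what the minimal configuration for the stated goal (outside clients reaching a DMZ web server over HTTP/HTTPS) looks like in PIX 7.x CLI syntax when the reply's advice to drop the DMZ-side ACL is followed. The object names are kept from the question; the addresses are placeholders, and the /32 netmask on the static and the host keyword on the network-object are assumptions about the intended one-to-one translation.

```text
! Added example: minimal PIX 7.x routed, single-context publishing of one DMZ web server.
! Addresses are placeholders, not the original poster's values.
name 10.0.1.10 DOTNET01i1
name 195.58.1.10 DOTNET01i1-OUT

! One-to-one host translation: a single host uses a /32 netmask.
static (DMZ,outside) DOTNET01i1-OUT DOTNET01i1 netmask 255.255.255.255

! A single host in a network object-group needs the "host" keyword
! (a bare name with no mask is rejected as incomplete).
object-group network Public_Web_Servers
 description All web servers with public routable addresses
 network-object host DOTNET01i1-OUT

object-group service http_and_https tcp
 description TCP ports 80 and 443
 port-object eq www
 port-object eq https

! Pre-8.3 behaviour: the ACL on the outside interface is checked against the
! mapped (public) address, so it references Public_Web_Servers, not the DMZ names.
access-list inbound extended permit tcp any object-group Public_Web_Servers object-group http_and_https
access-group inbound in interface outside

! No access-group on the DMZ interface. Replies to connections opened from the
! outside are matched in the stateful connection table and never hit a second ACL.
!
! Only if the DMZ servers must themselves open connections to the Internet would an
! ACL bound "in" on the DMZ interface be needed. Note the direction: packets entering
! on the DMZ interface have the DMZ hosts as SOURCE, and once an ACL is bound there
! everything the ACL does not permit from the DMZ is dropped by the implicit deny.
! access-list DMZ-outbound extended permit tcp object-group ALL-DMZ-www any object-group http_and_https
! access-group DMZ-outbound in interface DMZ
```

The practical check after applying this is a connection from an outside host to the public address on port 80 or 443, followed by "show conn" on the PIX to confirm the translated session, and "show access-list inbound" to confirm the hit count on the permit line increments.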
