I was just hoping someone could clarify something for me. Obviously with a DMZ you don't want the devices talking to the internal network (usually anyway) If a server in the DMZ needed access to anywhere on the web but not inside (e.g. a SMTP server) and you created the ACL to permit SMTP Server using TCP port 25 anywhere, this would also allow it anywhere using TCP 25 on the inside network too would it not?
Would you have to create the ACL to say deny SMTP Server using TCP 25 to 192.168.0.0 etc etc and then permit it anywhere? Or is there a feature that prevents this anyway? I know there is NAT control which would require a NAT translation but that is from a high security to lower security interface is it not?
So how would you configure something like this? Hope this makes sense.
Errrm sorry - from your original question I don;t quite understand where "stick the deny statements then the permit all" comes into it???
Rememeber as the end of an acl is a default deny all??????