Deny inside to outside, but allow to DMZ

Apr 22nd, 2003

We have a PIX 515 with 6.2(2). Have an Outside, Inside, and DMZ interface. We need to block specific IP addresses from the outside but not to the DMZ. The DMZ has our web server, but we cannot allow the specific IP address to access the Internet. When I add a rule to deny the IP address on the inside to the outside, it also blocks access to the DMZ.

I also tried a RADIUS server, but this also required a userid to access the DMZ. I want full access to the DMZ from the inside, but authenticated to the outside.

Thanks for your help and consideration.


Access lists have an implicit deny all at the end of them. If you craft one that only allows the pool of hosts to access only the dmz netblock, you would be in business. It sounds like you have a pool of addresses that need unhindered access as well though, so have a statement that gives them unhindered access.


Example:

192.168.0.0/24 is the dmz. 192.168.1.0/24 can only talk to the dmz. 192.168.2.0/24 can talk to everyone.

access-list outbound permit ip 192.168.2.0 255.255.255.0 any
access-list outbound permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group outbound in interface inside

This will allow 192.168.2.0 to talk to everyone, and 192.168.1.0 to only talk to the dmz.
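An added example, not part of the thread: a small Python model of PIX first-match ACL evaluation with the implicit deny, run over the two access-list lines above (ACL name assumed to be "outbound", as in the access-group line) and over a second constructed ACL, "blockhost", that answers the original question by placing a host-specific permit-to-DMZ ahead of a host-specific deny-to-any, with the subnet and host addresses being constructed values.

```python
import ipaddress

# Constructed input, not from the thread: the answer's ACL (name assumed to be
# "outbound", as in its access-group line) plus a second ACL for the original
# question, where one inside host may reach the DMZ but nothing else.
PIX_CONFIG = """
access-list outbound permit ip 192.168.2.0 255.255.255.0 any
access-list outbound permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list blockhost permit ip host 192.168.1.50 192.168.0.0 255.255.255.0
access-list blockhost deny ip host 192.168.1.50 any
access-list blockhost permit ip any any
"""

def _take_addr(tokens):
    """Consume one PIX address spec from the front of tokens: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(config, name):
    """Ordered (action, src_net, dst_net) entries of the named ACL ('ip' entries only)."""
    aces = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name] or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        aces.append((action, src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation; no matching entry means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"

if __name__ == "__main__":
    dmz, internet = "192.168.0.10", "198.51.100.7"  # constructed destinations
    outbound, blockhost = parse_acl(PIX_CONFIG, "outbound"), parse_acl(PIX_CONFIG, "blockhost")
    print(evaluate(outbound, "192.168.1.10", dmz), evaluate(outbound, "192.168.1.10", internet))    # permit deny
    print(evaluate(blockhost, "192.168.1.50", dmz), evaluate(blockhost, "192.168.1.50", internet))  # permit deny
```

Swapping the two "blockhost" host entries would deny that host everywhere, which is the symptom described in the question; checking candidate orderings this way before applying them avoids that.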
