When Apply ACL to DMZ_if - DMZ_if loses access to WWW - Why?

When I apply an ACL to the DMZ interface I lose the DMZ devices' connection to the internet. The access-list / access-group I apply works as it should, but internet is gone. When I remove the access-group, internet access comes back. I have tried applying other ACLs and nat/global combinations with no luck. I have added my complete running config for anyone who would be willing to look at it and help. I have been teaching myself this PIX 515e for 3 weeks with help from books, the web and friends; I think I have part of it figured out... at least traffic is moving. Any help would be much appreciated.

Shane

Here is some ACL info:

access-list acl_out permit tcp any host 10.10.70.65 eq www
access-list acl_out permit tcp any host 10.10.70.65 eq https
access-list acl_out permit tcp any host 10.10.70.65 eq ftp
access-list acl_out permit tcp any host 10.10.70.64 eq www
access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-group acl_out in interface outside
access-group ACLDMZ_IN in interface dmz

Result of firewall command: "show run" attached

Result of firewall command: "show run"
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname pix
domain-name admin
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.30.10 laptop
access-list acl_out permit tcp any host 10.10.70.65 eq www
access-list acl_out permit tcp any host 10.10.70.65 eq https
access-list acl_out permit tcp any host 10.10.70.65 eq ftp
access-list acl_out permit tcp any host 10.10.70.64 eq www
access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
pager lines 20
logging on
logging timestamp
logging buffered debugging
logging trap debugging
icmp permit any outside
icmp permit any inside
icmp permit host 10.10.30.200 inside
icmp permit host 10.10.20.101 inside
icmp permit host 10.10.20.200 inside
icmp permit host 10.10.20.20 inside
icmp permit any dmz
icmp permit host 10.10.20.101 dmz
icmp permit host 10.10.30.200 dmz
icmp permit host 10.10.20.200 dmz
icmp permit host 10.10.20.20 dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.10.70.69 255.255.255.0
ip address inside 10.10.30.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.30.100 255.255.255.255 inside
pdm location 10.10.30.0 255.255.255.0 inside
pdm location 10.10.20.0 255.255.255.0 dmz
pdm location 10.10.20.101 255.255.255.255 dmz
pdm location 10.10.50.0 255.255.255.0 inside
pdm location 10.10.20.101 255.255.255.255 inside
pdm location 10.10.30.101 255.255.255.255 inside
pdm location 10.10.30.102 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 10.10.30.200 255.255.255.255 inside
pdm location 10.10.70.0 255.255.255.0 inside
pdm location 10.10.20.20 255.255.255.255 dmz
pdm location 10.10.30.90 255.255.255.255 inside
pdm location laptop 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 dmz
pdm location 10.10.0.0 255.255.0.0 inside
pdm location 10.10.60.0 255.255.255.0 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 10.10.70.60
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 10.10.70.65 10.10.20.101 netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.70.64 10.10.20.20 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.20.190 10.10.30.90 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.20.200 10.10.30.200 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group ACLDMZ_IN in interface dmz
rip outside passive version 2 authentication md5 keyforsaadat 2
rip outside default version 2 authentication md5 keyforsaadat 2
rip inside passive version 1
rip dmz passive version 2
route outside 0.0.0.0 0.0.0.0 10.10.70.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.70.0 255.255.255.0 outside
http 10.10.30.100 255.255.255.255 inside
http 10.10.30.0 255.255.255.0 inside
http 10.10.70.0 255.255.255.0 inside
http 10.10.60.0 255.255.255.0 inside
http 10.10.20.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.10.30.90 tftp
floodguard enable
sysopt connection timewait
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7ce6d07775a293827429f13b2b419fc0
: end
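The behaviour described in the post follows from two rules of a PIX interface access-list: once an access-group is bound to an interface, the default permit for traffic from a higher-security interface to a lower one no longer applies, and any packet that matches no entry is dropped by the implicit deny at the end of the list. The posted ACLDMZ_IN entries permit TCP/8080 to two inside statics and TCP/80 to the single destination address 0.0.0.0 (the `host` keyword names one address, not `any`), so a DMZ host's web traffic to any real internet address matches nothing. The evaluator below is an added example, not PIX code and not part of the post; it parses the three ACLDMZ_IN lines exactly as posted, runs constructed flows from the DMZ web server 10.10.20.101 through them, and repeats the run with the first entry rewritten as `any any eq www`, which is an assumed reading of the intent. The internet addresses 203.0.113.10 and 203.0.113.53 are constructed documentation-range values.

```python
"""
Toy first-match evaluator for a PIX 6.x interface access-list.

Added illustration, not PIX code and not part of the original post.
It models the two rules that decide the question above: an entry matches
only if every field matches, and a packet matching no entry hits the
implicit deny at the end of the list. ACL lines are the ACLDMZ_IN entries
from the posted config; the test flows and "internet" addresses are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names the PIX accepts in place of port numbers (small subset).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53}


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the entry has no "eq" clause


def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'.
    'host 0.0.0.0' is the single address 0.0.0.0/32, not a wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(config_lines, name):
    """Pick the 'access-list <name> ...' entries out of a config, in order."""
    entries = []
    for line in config_lines:
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny (implicit)"


# ACLDMZ_IN exactly as posted.
POSTED = [
    "access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080",
]

# Same list with the first entry written as 'any any' (assumed intent).
FIXED = ["access-list ACLDMZ_IN permit tcp any any eq www"] + POSTED[1:]


def dmz_flows(config_lines):
    """Evaluate constructed flows from the DMZ web server 10.10.20.101."""
    acl = parse_acl(config_lines, "ACLDMZ_IN")
    return {
        "web_to_internet":   evaluate(acl, "tcp", "10.10.20.101", "203.0.113.10", 80),
        "https_to_internet": evaluate(acl, "tcp", "10.10.20.101", "203.0.113.10", 443),
        "dns_to_internet":   evaluate(acl, "udp", "10.10.20.101", "203.0.113.53", 53),
        "to_inside_8080":    evaluate(acl, "tcp", "10.10.20.101", "10.10.20.200", 8080),
    }


if __name__ == "__main__":
    for label, lines in (("posted", POSTED), ("fixed", FIXED)):
        print(label)
        for flow, verdict in dmz_flows(lines).items():
            print(f"  {flow:18} {verdict}")
```

With the posted list, only the 8080 flow to the inside static is permitted and everything bound for the internet lands on the implicit deny, which is exactly the symptom in the question. With the first entry written as `any any eq www`, TCP/80 to the internet is permitted, but HTTPS and DNS from the DMZ are still dropped because nothing lists them; that is the expected cost of an explicit DMZ egress list, and each additional service the DMZ hosts legitimately need has to be added deliberately, with `show access-list` hit counts or the buffered `logging` already enabled in this config used to confirm what the deny is catching.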