i have a pix520 running 6.3, i have access to the outside from both the dmz and inside but cant seem to figure out how to allow access to the dmz from the inside, network as follows, dmz int 10.1.10.1, inside 10.1.0.1, outside 81.*.*.*, default route to outside next hop router. acl states, tcp permit an any eq www, ......help wanted please.
So, you're trying to access the DMZ from the inside?
I would add the following:
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list nonat
I would also recommend adding an ACL to the inside interface to restrict the outbound access.
The access-list I posted for you is not being bound to an interface. This is a nat exemption ACL which is telling the PIX to not perform NAT on traffic flowing from the inside to the DMZ network.
What I was suggesting was creating another ACL and applying this to the inside interface of the pix via 'access-group
eddie, many thanks.
I am only using this config to test for access between the inside/dmz and vice versa, once this has been established i will alter the config to only allow smtp as a mail server will be placed on the dmz.
Did you see my original config?
can you please tell me what an ACL would look like?
please try to change the following:
static (inside,dmz) 10.1.10.2 10.1.10.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.0.0 10.1.0. netmask 255.255.255.0
Also: try this without using an inside ACL at first. Once you have it running than you can move on to applying ACL as you see fit.