
bz
New Member

Access the Internet from DMZ

I'm a starter! Okay, one (2.2.2.2) of the servers on the DMZ needs to access the Internet. The server's DNS is pointing to a DNS server (1.1.1.1) on the outside of the PIX. I don't understand why this doesn't work, I thought that everything is allowed out by default.

Now, when I added 2 access-list entries:

access-list acl_dmz permit udp host 2.2.2.2 host 1.1.1.1 eq 53
access-list acl_dmz permit tcp host 2.2.2.2 any eq 80

I can get out to the Internet. Please advise!!!

  • Other Security Subjects
4 REPLIES
New Member

Re: Access the Internet from DMZ

NAT or PAT the 2.2.2.2 to an available IP address at the outside interface, then no need for those access-lists.

New Member

Re: Access the Internet from DMZ

I take it these lines were added to an ACL called acl_dmz already bound to the interface.

With a valid NAT translation through the pix from dmz to outside, traffic will flow by default so long as there is no ACL.

Applying the ACL creates an implicit deny at the end of the list.

bz
New Member

Re: Access the Internet from DMZ

Hi, yes, there are other ACLs applied to acl_dmz bound to the dmz interface. So, does that mean I have to implicitly allow traffic to go out to the Internet?

New Member

Re: Access the Internet from DMZ

Each Access Control List ends with an implicit deny all statement, whether you configure it or not. So, if you do apply an ACL to an interface, you need to create an entry for all traffic allowed.
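To make the implicit-deny behaviour described in this thread concrete, here is an added Python model of first-match ACL evaluation (it is not Cisco's code; the Ace class, the evaluate() function and the 203.0.113.5 test address are assumptions), loaded with the two acl_dmz entries from the original post:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One access-list entry in PIX style."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "host A.B.C.D", "any" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None   # destination port; None means any port

def _net(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec, strict=False)

def _matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in _net(ace.src):
        return False
    if ipaddress.ip_address(dst) not in _net(ace.dst):
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; an applied ACL denies everything it does not list."""
    for ace in acl:
        if _matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"   # the implicit deny at the end of every applied ACL

# Constructed from the two entries in the original post.
ACL_DMZ = [
    Ace("permit", "udp", "host 2.2.2.2", "host 1.1.1.1", 53),
    Ace("permit", "tcp", "host 2.2.2.2", "any", 80),
]

# Constructed variant following the last reply: one entry for all traffic the host is allowed.
ACL_DMZ_ALL = [Ace("permit", "ip", "host 2.2.2.2", "any")]

if __name__ == "__main__":
    print(evaluate(ACL_DMZ, "udp", "2.2.2.2", "1.1.1.1", 53))        # permit
    print(evaluate(ACL_DMZ, "tcp", "2.2.2.2", "203.0.113.5", 443))   # deny (HTTPS not listed)
    print(evaluate(ACL_DMZ, "tcp", "2.2.2.3", "203.0.113.5", 80))    # deny (other DMZ host)
```

Run against the thread's scenario, only DNS to 1.1.1.1 and HTTP pass; anything else from the DMZ, including HTTPS or a second DMZ host, hits the implicit deny until an entry permits it.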
