Hi, I'm trying to setup an ACL that permits certain traffic from a host in the DMZ to hosts on the inside. It will be a timesheets application server that needs to talk to a SQL DB, and also need to communicate with our DCs to authenticate a service account that exists in Active Dir. My PIX log keeps telling me

106023: Deny udp src DMZ:192.168.32.4/3648 dst inside:10.4.0.47/389 by access-gr

oup "dmz_access_in"

but I can't see the problem with my config

access-list dmz_access_in; 15 elements

access-list dmz_access_in line 1 remark access from dmz hosts to Internet

access-list dmz_access_in line 2 permit udp any any eq domain (hitcnt=57)

access-list dmz_access_in line 3 permit tcp 192.168.32.0 255.255.255.0 any eq www (hitcnt=0)

access-list dmz_access_in line 4 permit tcp 192.168.32.0 255.255.255.0 any eq https (hitcnt=0)

access-list dmz_access_in line 5 permit tcp 192.168.32.0 255.255.255.0 any eq smtp (hitcnt=0)

access-list dmz_access_in line 6 permit tcp 192.168.32.0 255.255.255.0 any eq pop3 (hitcnt=0)

access-list dmz_access_in line 8 permit tcp 192.168.32.0 255.255.255.0 host 208.206.232.55 eq ftp (hitcnt=0)

access-list dmz_access_in line 9 permit esp 192.168.32.0 255.255.255.0 any (hitcnt=0)

access-list dmz_access_in line 10 permit udp 192.168.32.0 255.255.255.0 any eq isakmp (hitcnt=0)

access-list dmz_access_in line 11 permit udp 192.168.32.0 255.255.255.0 any eq 4500 (hitcnt=0)

access-list dmz_access_in line 12 remark access from timesheets to DCs

access-list dmz_access_in line 13 permit udp host 192.168.32.4 host 192.168.32.46 eq 389 (hitcnt=0)

access-list dmz_access_in line 14 permit udp host 192.168.32.4 host 192.168.32.47 eq 389 (hitcnt=0)

access-list dmz_access_in line 15 permit udp host 192.168.32.4 host 192.168.32.46 eq 88 (hitcnt=0)

access-list dmz_access_in line 16 permit udp host 192.168.32.4 host 192.168.32.47 eq 88 (hitcnt=0)

access-list dmz_access_in line 17 permit icmp any any (hitcnt=4)

HummPIX-515# sh run | include static

static (inside,DMZ) 192.168.32.46 10.4.0.46 netmask 255.255.255.255 0 0

static (inside,DMZ) 192.168.32.47 10.4.0.47 netmask 255.255.255.255 0 0

HummPIX-515#

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

ip address outside 10.1.10.11 255.255.255.0

ip address inside 10.4.0.2 255.255.255.0

ip address DMZ 192.168.32.1 255.255.255.0

Thank you,

Bill