In any case, you could have OUT with ACL in PIX interfaces. It's not like routers where you could set the direction of the traffic.

So IN is always used in ACL reagardless the direction

So you could have

access-list UR_ACL permit protocol ur_outside_ip_net ur_inside_ip_net

access-group UR_ACL IN interface inside

Hi, that seems to be just it. The implicit rule that allows traffic from users on a higher security level gets replaced when I try to create an access list on any interface that already has the implict rule being applied.

Example

Inside to the DMZ is an implicit rule that allows all return traffic initiated from the inside allowed back inside from the DMZ.

What's happening is that whenever a create a new inbound rule and apply it to the inside interface, the implicit rule is somehow overwritten, and only the statements in my new rule apply. That's what is really confusing me. To make matters even more confusing, I do have a new rule applied to the outside interface inbound to the DMZ, and all hosts on the DMZ have NO problems getting to the Internet.

What I want to do is allow a host in the DMZ access to a host on the inside using a certain port. Attached is a copy of the config if it helps.

thank you

According to your configs the config is no right :

global (outside) 1 interface -> OK

global (inside) 1 interface -> WRONG please delete this entry

global (DMZ) 1 interface -> OK

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 -> OK

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0 -> OK

static (DMZ,outside) x.x.x.x WEB_Server netmask 255.255.255.255 0 0 -> OK

Please add:

static (inside,DMZ) TCP/UDP Port# Port# netmask 2555.255.255.255

where TCP/UDP is the protocol you wan to use

DMZ IP address is te address of teh host located on teh DMZ segment

Port# id the port i.e 80 for http that the host will have access

Inside Ip address is the host located on the inside network which you want access to.

You also need toallow this access witha an access-list applied to DMZ

access-list DMZ-IN permit tcp host x.x.x.x host x.x.x.x eq Port#

access-list DMZ-IN permit tcp any any eq 80 (for Internet access from DMZ hosts )

access-group DMZ-IN in interface dmz

I hope it helps ...please reate if it does !!!

please also type clear xlate after the changes ... any current enrty on teh transaltion table will be deleted and recreated accordingly.

Why does the DMZ-IN access-list replace the implicit outbound rule from the DMZ? After creating the access-list I tried getting to the Internet from the DMZ, but could not. I then checked out the PDM access rules tab, and the implicit outbound rule had been overwritten. I just can't understand why that rule is being overwritten. If you use the PDM to create a rule, and try editing that default rule, it says you cannot, but if I create another rule and apply it to the interface it replaces it.

I think I understand it now. It's by design that as soon as an ACL is placed in the inbound direction, the implicit rule is negated. There's a pretty good excerpt about access lists in the following link

http://www.cianet.com.au/home2.nsf/pages/ciscopix

So do I understand correctly that the security of the PIX lies equally in NAT as it does in access lists? The statement

access-list DMZ-IN permit tcp any any eq 80 (for Internet access from DMZ hosts )

says all http access from the outside is allowed in, if, big if, it is initiated from the inside? That statement does not allow hosts on a lower security level, the outside, to initiate an http connection with a host on the DMZ, right? In part I assume since there is not NAT from outside to inside, that's what the static command is for?

This seems to explain some of the anomolies I have been seeing, I have both a PIX 535 and a catalyst 6503 with a FWSM. Whats your take on allowing traffic into the DMZ ? I was told that you should let all in and filter the output traffic, and in the PDM manual it says filter coming in and let the rest out. I have usually 4 rules per filter type, maybe this is an ober kill but it seemed like it was req'd.