Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Deny inside to outside, but allow to DMZ

We have a PIX 515 with 6.2(2). Have an Outside, Inside, and DMZ interface. We need to block specific ip addresses from the outside but not to the DMZ. The DMZ has our web server, but we cannot allow the specific IP address to access the Interent. When I add a rule to deny the ip address on the inside to the outside, it also blocks access to the DMZ.

I also tried a RADIUS server, but this also required a userid to access the DMZ. I want full access to the DMZ from the inside, but authenticated to the outside.

Thanks for your help and consideration.

1 REPLY
Silver

Re: Deny inside to outside, but allow to DMZ

Access lists have an implicit deny all at the end of them. If you craft one that only allows the pool of hosts to access only the dmz netblock, you would be in business. It sounds like you have a pool of addresses that need unhindered access as well though, so have a statement that gives them unhindered access.

Example:

192.168.0.0/24 is the dmz. 192.168.1.0/24 can only talk to the dmz. 192.168.2.0/24 can talk to everyone

access-list outbound restrict permit ip 192.168.2.0 255.255.255.0 any

access-list outbound restrict permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-group outbound in interface inside

will allow 192.168.2.0 to talk to everyone, and .192.168.1.0 to only talk to the dmz

86
Views
0
Helpful
1
Replies
CreatePlease to create content