We have a PIX 515 with 6.2(2). It has an Outside, Inside, and DMZ interface. We need to block specific IP addresses from the outside but not from the DMZ. The DMZ has our web server, but we cannot allow the specific IP address to access the Internet. When I add a rule to deny the IP address on the inside to the outside, it also blocks access to the DMZ.
I also tried a RADIUS server, but this also required a user ID to access the DMZ. I want full access to the DMZ from the inside, but authenticated access to the outside.
Access lists have an implicit deny all at the end of them. If you craft one that only allows the pool of hosts to access only the dmz netblock, you would be in business. It sounds like you have a pool of addresses that need unhindered access as well though, so have a statement that gives them unhindered access.
192.168.0.0/24 is the dmz. 192.168.1.0/24 can only talk to the dmz. 192.168.2.0/24 can talk to everyone
access-list outbound permit ip 192.168.2.0 255.255.255.0 any
access-list outbound permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group outbound in interface inside
will allow 192.168.2.0 to talk to everyone, and 192.168.1.0 to only talk to the dmz (everything else from the inside falls through to the implicit deny at the end of the list).
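As an added illustration, not part of the original thread, the following Python model shows how the PIX evaluates an inbound access-group on the inside interface: entries are checked top to bottom, the first match wins, and any flow that matches nothing hits the implicit deny. It contrasts the original poster's approach (a single deny of the host toward `any`, which also matches DMZ destinations) with the crafted permit list from the answer above. The hosts 192.168.1.10 (the address to be kept off the Internet), 192.168.0.10 (the DMZ web server) and 203.0.113.5 (an Internet destination) are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed: the original poster's first attempt. The deny toward "any"
# is broader than intended, because "any" includes the DMZ netblock.
ORIGINAL_ATTEMPT = [
    "access-list outbound deny ip host 192.168.1.10 any",
    "access-list outbound permit ip any any",
]

# The access list suggested in the answer above (names as on the page).
ANSWER_ACL = [
    "access-list outbound permit ip 192.168.2.0 255.255.255.0 any",
    "access-list outbound permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
]


def _parse_net(parts, i):
    """Read one PIX 6.x address token set ('any', 'host A.B.C.D', or 'NET MASK')."""
    if parts[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ip_network(parts[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks, which is what PIX 6.x ACLs use.
    return ip_network(f"{parts[i]}/{parts[i + 1]}"), i + 2


def parse_acl(lines):
    """Turn 'access-list NAME permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # only the protocol-agnostic 'ip' form is modelled here
        action = parts[2]
        src, i = _parse_net(parts, 4)
        dst, _ = _parse_net(parts, i)
        entries.append((action, src, dst))
    return entries


def evaluate(acl_lines, src, dst):
    """First matching entry wins; an unmatched flow falls to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in parse_acl(acl_lines):
        if s in snet and d in dnet:
            return action
    return "deny"


def compare(acl_lines):
    """Evaluate the sample flows the thread is concerned with against one ACL."""
    flows = {
        "restricted host -> DMZ web server": ("192.168.1.10", "192.168.0.10"),
        "restricted host -> Internet": ("192.168.1.10", "203.0.113.5"),
        "unrestricted host -> DMZ web server": ("192.168.2.10", "192.168.0.10"),
        "unrestricted host -> Internet": ("192.168.2.10", "203.0.113.5"),
    }
    return {name: evaluate(acl_lines, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("original attempt", ORIGINAL_ATTEMPT), ("answer's ACL", ANSWER_ACL)):
        print(label)
        for flow, verdict in compare(acl).items():
            print(f"  {flow:40s} {verdict}")
```

Running it shows the original attempt denying the restricted host's traffic to the DMZ as well as to the Internet, while the answer's list permits the DMZ flow and lets only the Internet flow fall through to the implicit deny. The same model is a quick way to sanity-check an ACL change against a handful of representative flows before pushing it to the firewall.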
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which does get hits, to permit tcp from the inside interface to any6.
In Syslog I also se...