Cisco Support Community
Community Member

DMZ ---> Outside Access Issue

Hello, All

I have a Cisco PIX Firewall 525(UR, FO) Model Version 6.3(4).

Outside Security-level ===> 0

DMZ Security-level ===> 50

Inside Security-level ===> 100

I known a PIX Firewall Concept.

High Security-level ----> Low Security-level ; Default(Implicit Aggreement)

Low Security-level ----> High Security-level ; Security Policy(ACL)

Inside --- Default(Implicit Aggreement) ---> Outside

Inside --- Default(Implicit Aggreement) ---> DMZ

Outside --- Security Policy ---> Inside

Outside --- Security Policy ---> DMZ

DMZ --- Security Policy ---> Inside

Is not Implicit Aggreement must ACL Configured.

DMZ --- Security Policy ---> Outside



Community Member

Re: DMZ ---> Outside Access Issue

Hi you are right the implicit allow works incase if we are going from high security to low security. How ever if you have configured and access-list on the dmz to allow traffic to the inside interface then it takes precedence the implicit allow to outside will be denied. So what I suggest in these cases for dmz allow the traffic that you want to the inside interface, then block all the rest of the traffic to the inside and permit every thing else so the the internet traffic can move smoothly.


we have a 10.10.x.x. network on the inside and 172.16.x.x network on the dmz then I would do this.

access-list test permit ip 172.16.x.x 255.255.x.x host 10.10.x.x


access-list test deny ip any

access-list test permit ip any any

so the second last line denies all the traffic for inside except for the ones that we want. and the last line permits all the rest of the traffic to the internet.

Or you can also control the traffic to inside network via translation rules as well


Arun Singh

Community Member

Re: DMZ ---> Outside Access Issue

The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network.

But Cisco PIX are Not. Why???

Community Member

Re: DMZ ---> Outside Access Issue

Not entirely correct. A DMZ is a 'grey area' - not completely trusted, even though you are hosting it.

It makes sense that you have to configure on the DMZ interface what connections you want from the outside world, since it's your servers that could be compromised.

Likewise, it also makes sense that by default conections from inside (trusted) to the DMZ are allowed, but that connections from the DMZ (less trustworthy)to inside are not.

In reality, I would also limit the connections from the DMZ to the outside and also explicitly define what access was required from the inside to DMZ.

That stops compromised hosts sending out data you don't want them to or initiating attacks.

I think that a firewall should be paranoid by default, before being configured (deny all incoming connections, but allow all outgoing).

The PIX security level command seems to do a good job of this.

CreatePlease to create content