If you mean to allow access from the DMZ to the outside, it seems OK.
For scenario 2:
It seems OK.
For scenario 3:
You have to use a nat statement like you did for nat (dmz), and also a global. Or, if you don't want to NAT, you can use "nat(inside) 0 0" to disable NAT.
For scenario 4:
Your static statements must be like this: "static (inside,dmz)", and you have to apply dmz_inside to the dmz interface instead of inside. And I couldn't understand why you made the second static for 10.171.92.4. Should it be 10.171.92.3? If yours is right, it must be allowed in the access-list, too.
3 - If I apply an access list to the dmz interface, what do I need to have? I tried this, allowing an access list on the dmz for 25 and 1433, but this just stopped internet access by blocking DNS etc.
4 - I made a mistake, the statics should be the same, sorry.
I think the problem I am seeing is that I'm not sure how to set up the access from the dmz to the inside. If I create statics for the internal server IP to the dmz server IP for the two ports, then create an ACL that allows just those ports, then this ACL blocks the traffic to the internet. How do I set this up?
Yes Andy, sorry I missed that. I think you have to add a new line to access-list dmz_inside. Because of the implicit deny statement at the end of the access-list, your web server can't access the outside. So, if you append a statement that permits your web server to the outside, it will be OK.
I think he is right. You will have to include the line from your outside_dmz access list in your dmz_inside access list, then apply the dmz_inside access list to your DMZ interface. Remember the name 'dmz_inside' is *only* a name; it's not instructing the access-list to only perform functions going to the inside from the dmz, it applies to the entire interface regardless of where the traffic goes. Also remember you don't need anything permitting access from the inside to the dmz, because higher-to-lower communication is permitted and the inside is "higher" than the dmz interface, but you do need to allow the dmz through to the inside.

Sometimes it gets to be a pain to make sure you have multiple ACLs correctly entered. You can always just use a conduit command to allow specific traffic from the dmz to the inside; that's what I do when I have very long ACLs and ACLs on multiple interfaces. Even though I think Cisco doesn't recommend that you use conduits and ACLs together, it works for me, and I know a lot of engineers who do the same. Hope that helps.
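The following PIX 6.x configuration fragment puts the two replies above into one place. It is added here as an illustration and is not the configuration posted in this thread. The interface names and security levels, the inside mail/SQL server 10.1.1.10, its DMZ-facing address 192.168.20.10, the DMZ web server 192.168.20.5 and the inside network 10.1.1.0/24 are all assumed for the example:

```text
! Security levels: inside (100) > dmz (50) > outside (0).
! Higher-to-lower traffic needs no ACL; lower-to-higher (dmz -> inside) does.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Outbound PAT for inside and dmz hosts going to the outside.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
! inside -> dmz is allowed by security level, but still needs a translation;
! PAT on the dmz interface address is assumed here.
global (dmz) 1 interface

! Publish the inside server into the DMZ. Order is (real_ifc,mapped_ifc),
! then the mapped (dmz-visible) address, then the real inside address.
static (inside,dmz) 192.168.20.10 10.1.1.10 netmask 255.255.255.255 0 0

! This list is evaluated for ALL traffic entering the dmz interface,
! whatever its destination. The name is only a label.
! 1. The two ports the web server needs on the inside server; the ACL
!    references the address as seen from the dmz, i.e. the mapped one.
access-list dmz_inside permit tcp host 192.168.20.5 host 192.168.20.10 eq smtp
access-list dmz_inside permit tcp host 192.168.20.5 host 192.168.20.10 eq 1433
! 2. Explicitly block anything else aimed at the inside network.
access-list dmz_inside deny ip any 10.1.1.0 255.255.255.0
! 3. What the DMZ may reach on the outside. Without these lines the implicit
!    "deny ip any any" at the end of the list also drops DNS, HTTP, etc.
access-list dmz_inside permit udp host 192.168.20.5 any eq domain
access-list dmz_inside permit tcp host 192.168.20.5 any eq www
access-list dmz_inside permit tcp host 192.168.20.5 any eq https
! implicit: access-list dmz_inside deny ip any any

! Apply the list inbound on the dmz interface, not on inside.
access-group dmz_inside in interface dmz
```

The explicit deny toward 10.1.1.0/24 is placed before the outbound permits so that a later "permit ... any" line cannot accidentally open the inside network; with only the single static in place nothing else on the inside is reachable from the DMZ anyway, but the line keeps that true as more statics are added.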
I have changed my config as below. I'm not sure about setting up conduits, so I would prefer ACLs. Even with what's below, I still get deny messages when trying to access the internet from the dmz when the dmz_int ACL is applied. I thought higher (dmz) to lower (outside) was allowed anyway? I think most of it is correct, but I can't reason why I get the deny statements now.