Cisco Support Community
Community Member

DMZ to OUTSIDE but not to INSIDE

Hi everybody!

I want to allow a mail server in the DMZ ( SMTP access to a server on the inside interface ( The inside server has a static NAT mapping to the DMZ ( I created an access list which allows the mail server in the DMZ to access HTTP on the outside. The inside server also has a web server up and running ... I think you got my problem. Could someone tell me the best way to do this special configuration? ;) I want to limit the access to the inside to port 25 only, nothing else ...

Thanks for your help!


Re: DMZ to OUTSIDE but not to INSIDE

so you've got this:

static (inside,dmz) netmask 0 100

all you need then is add an entry to your dmz ACL:

access-list [dmz acl name] permit tcp host host eq 25

Community Member

Re: DMZ to OUTSIDE but not to INSIDE

Thanks for your answer. This access-list already exists. But there is another access-list like this:

access-list [dmzacl] permit host any eq www

This also allows HTTP traffic to the inside mail server. The only way I can find is to set a deny rule in the ACL after the allow rule for port 25 ... with many more servers I would also have to deny each server this way. Does anyone have another solution for me?

Community Member

Re: DMZ to OUTSIDE but not to INSIDE

Can't you just deny HTTP from DMZ to internal then?


Deny HTTP from DMZ to Inside

Allow HTTP from DMZ to any

Allow SMTP from DMZ to Inside

HTTP to inside is caught before the HTTP to any. T

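The ordering argument in the reply above (first matching entry wins, so the specific deny must sit before the broad permit) can be checked with a small first-match evaluator. This is an added example, not code from the thread; the addresses (DMZ relay 192.168.2.5, inside network 10.1.1.0/24, inside server 10.1.1.10 as the DMZ sees it through the static mapping) and the ACL name dmz_in are constructed, since the original IPs were lost.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"smtp": 25, "www": 80, "http": 80}  # ASA keywords used in the thread

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]                # None = any TCP port

def _net(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")  # accepts dotted masks

def parse_acl(text):
    """Parse 'access-list NAME permit|deny tcp SRC DST [eq PORT]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        assert tokens[0] == "access-list" and tokens[3] == "tcp", line
        action, rest = tokens[2], tokens[4:]
        src, dst = _net(rest), _net(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORTS.get(rest[1], int(rest[1]) if rest[1].isdigit() else None)
        rules.append(Rule(action, src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching entry decides; an ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == dst_port):
            return r.action
    return "deny"

# Constructed DMZ ACL in the order the reply recommends: specific deny first.
DMZ_ACL = """
access-list dmz_in deny tcp host 192.168.2.5 10.1.1.0 255.255.255.0 eq www
access-list dmz_in permit tcp host 192.168.2.5 any eq www
access-list dmz_in permit tcp host 192.168.2.5 host 10.1.1.10 eq smtp
"""
# Same entries with the broad permit first: the deny is shadowed and never hit.
SHADOWED_ACL = "\n".join(DMZ_ACL.strip().splitlines()[1:2] + DMZ_ACL.strip().splitlines()[0:1])
```

With DMZ_ACL the relay reaches HTTP on the outside and SMTP on the inside server only; with SHADOWED_ACL the "permit ... any eq www" line matches HTTP to the inside first, which is exactly the problem the original poster hit.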