
New Member

pix acl question


I'm a newbie to using a PIX firewall and I have inherited a 525 and would like someone to help point me in the right direction for what my company wants. We have a webserver in our DMZ that now needs to communicate with Microsoft's Active Directory protocols that are on the inside interface. I have the ports that need to be used but I must confess I'm a bit stuck with where to go now.

Is it simply a matter of creating a new acl from the dmz --> inside?

Any help would be great.



Cisco Employee

Re: pix acl question

Hello miketumolo,

You are correct. The acl that is created will be on the dmz interface. As that traffic is permitted, the return traffic will be allowed back via the ASA so you don't have to do anything on the inside interface.

Here is what the ACL elements will look like.

access-list dmz_acl permit tcp host webserver host ADserver eq portnumber

access-group dmz_acl in interface dmz

Hope that helps! If so, please rate.


New Member

Re: pix acl question

Be aware, because you are going from a lower security interface (DMZ) to a higher security interface (inside) you also need a static next to the ACL.

If you want to make the AD server available without NAT on the DMZ, use:

static (inside,dmz)

If you want to NAT the AD server, use:

static (inside,dmz)
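Putting the two replies together (the ACL on the DMZ interface plus the static for lower-to-higher traffic), here is an added worked configuration that is not from this thread or from Cisco; the addresses, the name labels and the port list are assumptions, and the ports shown are only the common AD ones, so the real list is whatever the web server's application needs.

```cisco
! Added example (not from the thread). Assumed addresses:
!   web server on dmz    = 192.168.10.5
!   AD server on inside  = 10.1.1.10
names
name 192.168.10.5 webserver
name 10.1.1.10 ADserver

! 1. Make the inside AD server reachable from the lower-security DMZ.
!    This identity static keeps the inside address unchanged on the DMZ
!    (the "without NAT" case from the reply above).
static (inside,dmz) ADserver ADserver netmask 255.255.255.255

! Alternative (the "with NAT" case): present the AD server on the DMZ
! under a DMZ-side address. The ACL below must then reference that
! DMZ-side address, because the PIX matches ACLs on the translated address.
! static (inside,dmz) 192.168.10.200 ADserver netmask 255.255.255.255

! 2. Permit only the needed ports, only from the web server, only to the
!    AD server. Ports here are assumed: LDAP 389/tcp, Kerberos 88/tcp+udp,
!    DNS 53/udp.
access-list dmz_acl permit tcp host webserver host ADserver eq 389
access-list dmz_acl permit tcp host webserver host ADserver eq 88
access-list dmz_acl permit udp host webserver host ADserver eq 88
access-list dmz_acl permit udp host webserver host ADserver eq 53
! Everything else entering the dmz interface hits the implicit deny.
! Applying an ACL replaces the default "allow to lower security" behaviour,
! so any outbound Internet access the DMZ still needs must be permitted here.

! 3. Apply the ACL inbound on the DMZ interface; return traffic from the
!    inside is handled by the stateful inspection, as the first reply says.
access-group dmz_acl in interface dmz
```

After applying it, `show xlate` should list the static for the AD server and `show access-list dmz_acl` shows per-line hit counts, which is the quickest way to confirm the web server's traffic is matching the intended entries rather than being dropped by the implicit deny.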