Cisco Support Community


restricting dmz access to inside

Hi all,

Having static NAT'ed inside to DMZ like this:

static (inside,dmz) netmask

(Where is the inside network)

My issue is that I don't see any hits on my access-list bound to the access-groups on the two interfaces, even though traffic is flowing fine.

Question is: does the full network NAT make the ACL for those two interfaces obsolete?

Kind regards


Re: restricting dmz access to inside

No matter what, if the access list is applied to the interface, it will be the first thing the PIX looks into.

The access list is matched first, and then the translation rule. So when the packet comes into the PIX interface and we have an access list applied to that interface, the PIX will first check if the traffic is permitted or denied. If it is denied, it will drop it; if permitted, it will then check for the translation rule.

Important: the access list is not checked for the return traffic. The PIX looks into other things like translation, connection entry, sequence numbers, etc. for the return traffic.

Check if the access list is applied properly on the interface.

Hope this helps.
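As an added illustration (not from either poster's configuration) of the order described above, the fragment below shows a DMZ-side ACL that restricts DMZ-to-inside traffic, the access-group that binds it, and the show commands used to confirm it is actually being hit. The networks, names and interface security levels are constructed placeholders; the identity static keeps the mapped address equal to the real one, so the ACL on the dmz interface matches the inside server's own address.

```cisco
! Constructed example values; substitute your own networks and names.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Identity static: inside network 10.1.0.0/16 is visible in the DMZ unchanged
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! ACL evaluated first on packets entering the dmz interface, before the
! static is consulted. Only the DMZ web host may reach the inside DB server.
access-list DMZ_IN permit tcp host 192.168.50.10 host 10.1.20.5 eq 1433
access-list DMZ_IN deny ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list DMZ_IN permit ip any any

! Without this line the ACL exists but is never consulted, so hitcnt stays 0
access-group DMZ_IN in interface dmz

! Verification:
!   show access-list DMZ_IN   - hitcnt on each line should rise for new flows
!   show conn                 - return traffic matches the connection entry,
!                               not the ACL, so replies produce no ACL hits
```

Hit counters only increment for the first packet of a new connection entering the interface the ACL is bound to; if the sessions were initiated from inside, only an ACL on the inside interface will show hits.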