A host on the DMZ needs to access a specific host on the inside network on a specific port and also needs to have full access to the outside (Internet).

Core issue

Need to configure an access list on the DMZ interface.

Resolution

Create an access list on the DMZ interface that allows a single host on the DMZ to access a single host on the inside on port 25, but also allows all other DMZ hosts to browse out to the Internet.

For example, assume that the DMZ subnet is 192.168.1.0/24 and the inside subnet is 10.10.10.0/24. Host 192.168.1.9 on the DMZ needs to access host 10.10.10.11 on the inside on port 25. Given these addresses, the following commands would be entered.

access-list DMZ permit tcp host 192.168.1.9 host 10.10.10.11 eq 25
access-list DMZ deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ permit tcp any any eq 80

!--- Note: The deny entry must come before the permit below; otherwise any DMZ host
!--- could reach inside hosts on port 80, since entries are matched in order.
!--- Note: A port match (eq 80) requires tcp or udp, not ip. To give the DMZ full
!--- outbound access rather than only HTTP, use permit ip any any instead.
!--- Note: There is an implicit deny ip any any at the end of any access list.
access-group DMZ in interface DMZ
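To check that the ordering above does what the resolution intends, the following added example (not part of the original article) parses the three DMZ entries and evaluates test flows with first-match semantics and the implicit deny; the protocol, address and port values are the article's, and the Internet address 203.0.113.5 is a constructed placeholder.

```python
import ipaddress

# The DMZ access list from the article (tcp, not ip, on the port-matching entry).
DMZ_ACL = """
access-list DMZ permit tcp host 192.168.1.9 host 10.10.10.11 eq 25
access-list DMZ deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ permit tcp any any eq 80
"""


def _parse_addr(tokens):
    """Consume one PIX address spec (host A | any | NET MASK); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX access lists take a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn 'access-list NAME action proto src dst [eq port]' lines into tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # skip comments (!---) and unrelated lines
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny ip any any applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list


if __name__ == "__main__":
    acl = parse_acl(DMZ_ACL)
    for flow in [("tcp", "192.168.1.9", "10.10.10.11", 25), ("tcp", "192.168.1.9", "10.10.10.11", 80),
                 ("tcp", "192.168.1.50", "203.0.113.5", 80), ("tcp", "192.168.1.50", "203.0.113.5", 443)]:
        print(flow, "->", evaluate(acl, *flow))
```

The 443 flow shows the gap between "browse out" and "full access": with only eq 80 permitted, HTTPS from the DMZ falls through to the implicit deny.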

For more information about entering access lists in the PIX, see Controlling Network Access and Use.

Version history: revision 1 of 1, last updated 06-22-2009 03:36 PM.