So, you have an internet-out ACL which ends with an any any on the
inside interface.
You have an internet-in ACL on the outside interface.
You have a DMZ2-in ACL on the dmz2 interface.

The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the
smtp box to talk to boxes on the internal network. The smtp box can
NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending
traffic to the outside interface with a lower security setting? Does
an ACL applied to a dmz interface have an implied deny all - even for
lower security interfaces?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards