I have a PIX 515 running 6.3 with three interfaces including inside, outside
and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443.
Currently no traffic can go out of the DMZ to the inside or outside
interfaces. My problem is: I want to be able to get out to the internet
from the DMZ. Here are the relevant entries in my config minus public IPs.
I am thinking I need a NAT and GLOBAL entry, and I tried that, but the
global entry killed all incoming traffic to the DMZ. But maybe I just had the
entry wrong... Thanks


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host eq pop3
access-list acl_out permit tcp any eq smtp host eq smtp
access-list acl_out permit tcp any eq ftp host eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
ip address outside 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip local pool mobile 1.141.4.1-1.141.4.15
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 1

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
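
Added example, not part of the original post: a small audit of the nat/global/static lines quoted above. On PIX 6.3, traffic from a higher-security to a lower-security interface needs a translation, so the script classifies each such interface pair; the function names and the trimmed SAMPLE are constructed for this illustration.

```python
import re

# Constructed sample: interface and translation lines as they appear in the
# post's config (wrapped lines joined; public addresses are elided there too).
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
"""

def parse(config):
    """Collect security levels, nat/global pool ids and static interface pairs."""
    levels, nats, globs, statics = {}, {}, {}, set()
    for line in config.splitlines():
        if m := re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)", line):
            levels[m[1]] = int(m[2])
        elif m := re.match(r"(nat|global)\s+\((\S+?)\)\s+(\d+)", line):
            table = nats if m[1] == "nat" else globs
            table.setdefault(m[2], set()).add(int(m[3]))
        elif m := re.match(r"static\s+\((\S+?),(\S+?)\)", line):
            statics.add((m[1], m[2]))
    return levels, nats, globs, statics

def outbound_translation(config):
    """Classify every higher-to-lower security interface pair as
    'dynamic' (nat id matches a global id), 'static-only' or 'none'."""
    levels, nats, globs, statics = parse(config)
    result = {}
    for src, s_lvl in levels.items():
        for dst, d_lvl in levels.items():
            if s_lvl <= d_lvl:
                continue
            # nat id 0 is an exemption rule, not a pool, so it is ignored here
            pool_ids = (nats.get(src, set()) - {0}) & globs.get(dst, set())
            if pool_ids:
                result[(src, dst)] = "dynamic"
            elif (src, dst) in statics:
                result[(src, dst)] = "static-only"
            else:
                result[(src, dst)] = "none"
    return result

if __name__ == "__main__":
    for (src, dst), kind in outbound_translation(SAMPLE).items():
        print(f"{src:>7} -> {dst:<7} {kind}")
```

A pair reported as static-only has translations just for the hosts or ports named in its static lines, so other connections leaving that interface have no xlate to use.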