You've got no access list entries allowing hosts in the DMZ1 segment
access out to the internet. Also, checking the log buffer on the PIX
will usually give you the culprit of what's causing your access issue if
you have it set up to do so. Set the log to warning or higher and it
will show you what the culprit is.

What I believe you need is (at least for traffic to http and https
websites):

access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
nat (DMZ1) 1 10.0.0.0 255.255.255.0

Paul Madore wrote:

>I have a PIX 515 running 6.3 with three interfaces including inside, outside
>and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443.
>Currently no traffic can go out of the DMZ to the inside or outside
>interfaces. My problem is: I want to be able to get out to the internet
>from the DMZ. Here are the relevant entries in my config minus public IPs.
>I am thinking I need a NAT and GLOBAL entry and I tried that but the
>global entry killed all incoming traffic to the DMZ but maybe I just had the
>entry wrong... Thanks
>
>
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>nameif ethernet2 DMZ1 security50
>access-list acl_out permit tcp any host eq www
>access-list acl_out permit tcp any host eq https
>access-list acl_out permit tcp any host eq smtp
>access-list acl_out permit icmp any any
>access-list acl_out permit tcp any interface outside
>access-list acl_out permit tcp any eq pop3 host eq pop3
>access-list acl_out permit tcp any eq smtp host eq smtp
>access-list acl_out permit tcp any eq ftp host eq ftp
>access-list dmz_out permit icmp any any
>access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
>access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
>access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
>ip address outside 255.255.255.224
>ip address inside 1.141.1.99 255.0.0.0
>ip address DMZ1 10.0.0.1 255.255.255.0
>ip local pool mobile 1.141.4.1-1.141.4.15
>global (outside) 1 interface
>nat (inside) 0 access-list inside_outbound_nat0_acl
>nat (inside) 1 vpn_mobile 255.0.0.0 0 0
>static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
>static (DMZ1,outside) tcp https 10.0.0.3 https netmask 255.255.255.255 0 0
>static (inside,outside) tcp smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
>static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
>access-group acl_out in interface outside
>access-group dmz_out in interface DMZ1
>route outside 0.0.0.0 0.0.0.0 1
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards