https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729896#M1004612 <P>Hi all. Here's the scenario:</P><P></P><P>PIX 515 v7.22 with 3 interfaces, Inside, Outside, DMZ. Inside=100, Outside=0, DMZ=98</P><P></P><P>I need to put in a rule to allow a machine from the DMZ (let's say 192.168.100.25) to have access to one machine on the internal network (192.168.25.25), on ports 125 and 325.</P><P></P><P>Would I need two rules that look like this:</P><P></P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 eq 325 host 192.168.25.25 eq 325</P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 eq 125 host 192.168.25.25 eq 125</P><P></P><P>Or is there a better way to do this? Thanks</P><P></P><P></P> Mon, 11 Mar 2019 10:15:08 GMT mwall1 2019-03-11T10:15:08Z https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729896#M1004612 <P>Hi all. Here's the scenario:</P><P></P><P>PIX 515 v7.22 with 3 interfaces, Inside, Outside, DMZ. Inside=100, Outside=0, DMZ=98</P><P></P><P>I need to put in a rule to allow a machine from the DMZ (let's say 192.168.100.25) to have access to one machine on the internal network (192.168.25.25), on ports 125 and 325.</P><P></P><P>Would I need two rules that look like this:</P><P></P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 eq 325 host 192.168.25.25 eq 325</P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 eq 125 host 192.168.25.25 eq 125</P><P></P><P>Or is there a better way to do this? Thanks</P><P></P><P></P> Mon, 11 Mar 2019 10:15:08 GMT https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729896#M1004612 mwall1 2019-03-11T10:15:08Z https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729897#M1004616 <HTML><HEAD></HEAD><BODY><P>get rid of the source ports...</P><P></P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325 </P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125 </P><P>access-group dmz_access_in in interface DMZ</P><P></P><P>remember, once you do this you deny everything else into the DMZ interface so you probably want something like this</P><P></P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325 </P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125</P><P>access-list dmz_access_in extended deny ip any 192.168.25.0 255.255.255.0</P><P>access-list dmz_access_in extended permit ip any any</P><P>access-group dmz_access_in in interface DMZ</P></BODY></HTML> Wed, 16 May 2007 13:30:58 GMT https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729897#M1004616 acomiskey 2007-05-16T13:30:58Z https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729898#M1004618 <HTML><HEAD></HEAD><BODY><P>You need following commands-</P><P></P><P>static (inside,DMZ) 192.168.25.25 192.168.25.25</P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325</P><P>access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125 </P><P>access-group dmz_access_in in interface DMZ</P><P></P><P>Hope that helps.</P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Wed, 16 May 2007 13:31:18 GMT https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729898#M1004618 vitripat 2007-05-16T13:31:18Z https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729899#M1004621 <HTML><HEAD></HEAD><BODY><P>So do I need the Static command, or not? I got 2 answers but they're not exactly saying the same thing...</P><P></P><P>Thanks</P></BODY></HTML> Wed, 16 May 2007 17:11:21 GMT https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729899#M1004621 mwall1 2007-05-16T17:11:21Z https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729900#M1004623 <HTML><HEAD></HEAD><BODY><P>Yes, as Vibhor wrote, you need the static as well. What I was trying to say is if you create an acl into the dmz to restrict traffic inside, you will also restrict the traffic from the dmz to the outside, so if you don't want to do that you must allow it in the acl. That's the only difference in our acl's.</P></BODY></HTML> Wed, 16 May 2007 17:13:32 GMT https://community.cisco.com/t5/network-security/rule-to-allow-machine-from-dmz-to-internal/m-p/729900#M1004623 acomiskey 2007-05-16T17:13:32Z