https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605220#M499108 <P>hi,</P><P></P><P>im a newbie to using a pix firewall and i have inherited a 525 and would like someone to help point me in the right direction for what my company wants. We have a webserver in our dmz that now needs to communicate with microsofts active directory protocols that are on the inside interface. I have the ports that need to be used but I must confess I'm a bit stuck with where to go now. </P><P>Is it simply a matter of creating a new acl from the dmz --&gt; inside?</P><P></P><P>Any Help would be great. </P><P></P><P>Thanks,</P><P>Mike</P> Fri, 21 Feb 2020 09:04:03 GMT miketumolo 2020-02-21T09:04:03Z https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605220#M499108 <P>hi,</P><P></P><P>im a newbie to using a pix firewall and i have inherited a 525 and would like someone to help point me in the right direction for what my company wants. We have a webserver in our dmz that now needs to communicate with microsofts active directory protocols that are on the inside interface. I have the ports that need to be used but I must confess I'm a bit stuck with where to go now. </P><P>Is it simply a matter of creating a new acl from the dmz --&gt; inside?</P><P></P><P>Any Help would be great. </P><P></P><P>Thanks,</P><P>Mike</P> Fri, 21 Feb 2020 09:04:03 GMT https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605220#M499108 miketumolo 2020-02-21T09:04:03Z https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605221#M499110 <HTML><HEAD></HEAD><BODY><P>Hello miketumolo, </P><P></P><P>You are correct. The acl that is created will be on the dmz interface. As that traffic is permitted, the return traffic will be allowed back via the ASA so you don't have to do anything on the inside interface.</P><P></P><P>Here is what the ACLs elements will look like.</P><P>access-list dmz_acl permit tcp host webserver host ADserver eq portnumber</P><P></P><P>access-group dmz_acl in interface dmz</P><P></P><P></P><P>Hope that helps! If so, please rate.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 24 Jul 2006 17:56:02 GMT https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605221#M499110 hemendoz 2006-07-24T17:56:02Z https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605222#M499112 <HTML><HEAD></HEAD><BODY><P>Be aware, because you are going from a lower security interface (DMZ) to a higher security interface (inside) you also need a static next to the ACL.</P><P>If you want to make the AD server available without NAT on the DMZ, use;</P><P>static (inside,dmz) <IP address="" internal="" server=""> <SAME ip="" address="" internal="" server="" netmask="" mask=""></SAME></IP></P><P></P><P>If you want to nat the AD server, use;</P><P></P><P>static (inside,dmz) <RESERVED ip="" address="" on="" dmz=""> <IP address="" internal="" server="" netmask="" mask=""></IP></RESERVED></P><P></P><P></P></BODY></HTML> Tue, 25 Jul 2006 06:36:39 GMT https://community.cisco.com/t5/network-security/pix-acl-question/m-p/605222#M499112 koksm 2006-07-25T06:36:39Z