Pb access list pix 515 E V7.0

hassanimagid
Level 1

Hi

I have a little problem with my PIX.

When I open all ports between my DMZ and the outside (DMZ-->outside), the computers in the DMZ can access the internet, but when I configure the access list it's not OK.

Please help me!!!!

My configuration is:

PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxx
names
name 192.168.38.201 SRV-DC1
name 192.168.38.205 SRV-ANTIVIRUS
name 192.168.38.203 SRV-MAIL
name 192.168.38.202 SRV-DC2
name 192.168.40.10 ISVW
!
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.2.50 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.39.251 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 30
ip address 192.168.40.254 255.255.255.0
!
passwd HNMNAKnXWPPjlMLC encrypted
ftp mode passive
access-list Outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit tcp any eq domain any eq domain
access-list DMZ_access_in extended permit udp any eq domain any eq domain
access-list DMZ_access_in extended permit tcp any eq 8080 any eq 8080
access-list DMZ_access_in extended permit tcp any eq www any eq www
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended deny ip any any
access-list inside_access_in extended permit icmp 192.168.38.0 255.255.255.0 any inactive
access-list inside_access_in extended permit ip 192.168.38.0 255.255.255.0 any inactive
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
mtu DMZ 1500
failover
monitor-interface inside
monitor-interface Outside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route inside 192.168.38.0 255.255.255.0 192.168.39.254 1
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password wq5THO2pQ8Zphhhk encrypted privilege 15
http server enable
http 192.168.38.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.39.252-192.168.39.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

3 Replies

vijayasankar
Level 4

Hi,

There is a problem in your access list DMZ_access_in.

Just correct the two lines which allow access to TCP ports 80 and 8080 as follows.

access-list DMZ_access_in extended permit tcp any any eq 8080

access-list DMZ_access_in extended permit tcp any any eq www

In your configuration you are matching both the source and destination ports to be 8080 and www. That's the mistake.

HTH

-VJ
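An added example, not from this thread, that models PIX first-match ACL evaluation in Python to show why the posted lines never match a browser's connection: the client's source port is ephemeral (51234 in the constructed flow below), so a rule that requires source port 80 as well as destination port 80 cannot match, while the corrected rule matches on the destination port alone. Only the access-list lines come from the thread; the web server address 203.0.113.10, the source port and the DMZ host flow are constructed for the demonstration.

```python
import ipaddress
# Port keywords that appear in the thread's config (PIX accepts names or numbers).
PORT_NAMES = {"www": 80, "domain": 53}
def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
def _port(tok):
    """Consume an optional 'eq PORT'; None means the rule matches any port."""
    if tok and tok[0] == "eq":
        return int(PORT_NAMES.get(tok[1], tok[1])), tok[2:]
    return None, tok
def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, rest = _addr(rest); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules
def evaluate(rules, proto, sip, sport, dip, dport):
    """First matching rule wins; falling off the end is the PIX implicit deny."""
    for action, rproto, src, rsport, dst, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(sip) not in src or ipaddress.ip_address(dip) not in dst:
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"
# The web lines of DMZ_access_in as posted (source AND destination port matched) ...
ORIGINAL = parse_acl(["access-list DMZ_access_in extended permit tcp any eq 8080 any eq 8080",
                      "access-list DMZ_access_in extended permit tcp any eq www any eq www",
                      "access-list DMZ_access_in extended deny ip any any"])
# ... and as corrected in the reply (only the destination port matched).
FIXED = parse_acl(["access-list DMZ_access_in extended permit tcp any any eq 8080",
                   "access-list DMZ_access_in extended permit tcp any any eq www",
                   "access-list DMZ_access_in extended deny ip any any"])
def dmz_web_allowed(rules, dport):
    """Constructed flow: ISVW (192.168.40.10) from an ephemeral port to a web server."""
    return evaluate(rules, "tcp", "192.168.40.10", 51234, "203.0.113.10", dport) == "permit"
```

The original rule only matches when the source port happens to equal the destination port, which a normal client connection never produces; the same source-port check also applies to the two domain lines in the posted ACL.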

THANK YOU VERY VERY MUCH!!!!!!!!!!!

Hi,

Please rate the post if it helped you in any way.

-VJ
