Many thanks for your reply, please find attached my config.

So, you're trying to access the DMZ from the inside?

I would add the following:

access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.1.10.0 255.255.255.0

nat (inside) 0 access-list nonat

I would also recommend adding an ACL to the inside interface to restrict the outbound access.

eddie,

with access-list bound to the inside int, i would still need to apply a 'permit ip any any' on the second line would i not?

The access-list I posted for you is not being bound to an interface. This is a nat exemption ACL which is telling the PIX to not perform NAT on traffic flowing from the inside to the DMZ network.

What I was suggesting was creating another ACL and applying this to the inside interface of the pix via 'access-group in interface inside' in order to restrict outbound traffic to the DMZ and the Internet for security reasons. It is always best to permit only those services that are necessary and no more. This means never using 'permit ip any any' statements.

eddie, many thanks.

I am only using this config to test for access between the inside/dmz and vice versa, once this has been established i will alter the config to only allow smtp as a mail server will be placed on the dmz.

Did you see my original config?

can you please tell me what an ACL would look like?

kind regards.

many thanks for your reply, i have attached a copy of my config to my last reply.

kind regards.

thanks,

i have tried that and with an access-list bound to the inside but didnt work, it blocked traffic from inside to outside.

i am missing something...

please see attached test config.

Hi,

please try to change the following:

static (inside,dmz) 10.1.10.2 10.1.10.2 netmask 255.255.255.255 0 0

to:

static (inside,dmz) 10.1.0.0 10.1.0. netmask 255.255.255.0

Also: try this without using an inside ACL at first. Once you have it running than you can move on to applying ACL as you see fit.

rgds,

etienne, many thanks

I will give it a try.

regards.