Access the Internet from DMZ

bz (Level 1)

I'm a starter! Okay, one (2.2.2.2) of the servers on the DMZ needs to access the Internet. The server's DNS is pointing to a DNS server (1.1.1.1) on the outside of the PIX. I don't understand why this doesn't work; I thought that everything is allowed out by default.

Now, when I added 2 access-list entries:

access-list acl_dmz permit udp host 2.2.2.2 host 1.1.1.1 eq 53
access-list acl_dmz permit tcp host 2.2.2.2 any eq 80

I can get out to the Internet. Please advise!!!

4 Replies

engel (Level 2)

NAT or PAT the 2.2.2.2 to an available IP address at the outside interface; then there is no need for those access-lists.

turnbull (Level 1)

I take it these lines were added to an ACL called acl_dmz already bound to the interface.

With a valid NAT translation through the pix from dmz to outside, traffic will flow by default so long as there is no ACL.

Applying the ACL creates an implicit deny at the end of the list.

Hi, yes, there are other ACLs applied to acl_dmz bound to the dmz interface. So, does that mean I have to implicitly allow traffic to go out to the Internet?

Each Access Control List ends with an implicit deny all statement, whether you configure it or not. So, if you do apply an ACL to an interface, you need to create an entry for all traffic allowed.
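Putting the two replies together, here is what the DMZ side of a PIX 6.x-style configuration looks like when 2.2.2.2 is translated and acl_dmz is bound to the dmz interface. This is an added example, not configuration posted by anyone in the thread. The interface names, security levels, the use of the outside interface address as the PAT pool, and the closing deny line are assumptions; the two permit lines are the ones from the original question. The lines beginning with ! are annotations and are not meant to be pasted into the PIX.

```cisco
! Added example (not from the original thread). Interface names and
! security levels are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! 1. Translation (engel's point). Without a nat/global pair the PIX has no
!    translation for 2.2.2.2 and will not build the connection at all, no
!    matter what the access-list says. Here the server is PATed behind the
!    outside interface address (assumed).
nat (dmz) 1 2.2.2.2 255.255.255.255
global (outside) 1 interface

! 2. Access-list (turnbull's point). With a translation in place and no
!    access-group on dmz, dmz->outside traffic flows by default because the
!    dmz is a higher security level than outside. As soon as acl_dmz is
!    bound to the interface, only what it permits gets through; everything
!    else hits the implicit deny at the end of the list.
access-list acl_dmz permit udp host 2.2.2.2 host 1.1.1.1 eq 53
access-list acl_dmz permit tcp host 2.2.2.2 any eq 80
! ... the other existing acl_dmz entries go here ...
! Optional (assumed): an explicit final deny with logging so that traffic
! dropped by the implicit deny shows up in syslog instead of silently failing.
access-list acl_dmz deny ip any any log
access-group acl_dmz in interface dmz
```

Two checks worth running when this still does not work: `show xlate` should show a translation for 2.2.2.2 after the server sends traffic, and `show access-list acl_dmz` shows the hit counts per line, so a DNS query that is being dropped will leave the udp/53 line at zero hits. The reply traffic from 1.1.1.1 needs no permit on the outside interface; the PIX allows it through the state table for the connection it already built.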