Well I think you're doing it the only way that comes to mind, but I'm a little
confused why the DMZ is able to go anywhere outbound?
That's not a typical thing (or is it???)
In our case, the DMZ can't do anything but the machine-specific task (DNS
can do UDP 53 out, mail can do SMTP out).
By the same token, those machines can only go to the inside on certain
things as well. This is meant to prevent us from becoming an attacker if a
machine gets hacked (gasp).

If you lock down your DMZ to only permit machine-specific tasks, then you
can add away to the bottom because there is not a DENY ip any x.x.x.x,
where x.x.x.x is your inside network, followed by the ip any any that I am
assuming you're using and that is allowing access to the outside.

If you don't want the DMZ to have access to port 80 inside, you could always
block source port 80 on the inside from going to the DMZ. This would allow
you to use the tcp any any eq www without allowing access inside.


Did I miss something or is this what you're looking for?

Larry 

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 01, 2002 7:58 PM
To: [EMAIL PROTECTED]
Subject: Pix - Comparison - Conduit - Access-list [7:34155]


Hi all,


I've used conduits for a few years and recently converted my aged mind to
access-lists on the Pix. When using conduits on a 3 interface pix for
instance:

Everything allowed from DMZ to outside by default.
Apply conduit from DMZ to inside.
Still all traffic would be allowed from DMZ to outside.

With access-lists:

Everything allowed out from DMZ to outside by default. Access-list applied
to dmz in - to allow traffic from DMZ to inside. Now all traffic from DMZ to
outside is stopped by this access-list.


My usual workaround is to add 2 lines to the end of the DMZ access-list
denying IP from any to all internal networks, and then permit IP from dmz to
any. My only moan is the pain of removing and re-adding these two lines
every time you're adding one line during installation/troubleshooting, on
top of the fact that it seems to be a bodge.

Is there a better way of going about this??



Thanks,

Gaz
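
The two approaches discussed in this thread, side by side, as an added PIX 6.x configuration example that is not taken from either poster's firewall. Assumed: inside is 10.1.0.0/16, the DMZ is 192.168.2.0/24 with a DNS host (.20) and a mail relay (.30), an inside web server at 10.1.1.5, and the interface is named dmz; lines starting with ! are annotations.

```text
! Added example (not from the thread). Assumed: inside = 10.1.0.0/16,
! dmz = 192.168.2.0/24, DMZ DNS = 192.168.2.20, DMZ mail = 192.168.2.30,
! inside web server = 10.1.1.5. PIX ACLs take subnet masks, not wildcards.

! --- Approach 1: Gaz's workaround ---------------------------------------
! A conduit only added a permit; an access-group ends in an implicit deny,
! so binding dmz_in stops DMZ->outside unless it is re-permitted. The last
! two lines re-open the outside while keeping the inside closed. Every new
! DMZ->inside permit must sit ABOVE them, and the PIX appends new entries
! at the end, hence the remove/re-add chore Gaz describes.
access-list dmz_in permit tcp host 192.168.2.30 host 10.1.1.5 eq www
access-list dmz_in deny   ip  any 10.1.0.0 255.255.0.0
access-list dmz_in permit ip  any any
access-group dmz_in in interface dmz

! --- Approach 2: Larry's least-privilege DMZ ----------------------------
! Only each host's own task is permitted, inside or outside. Everything
! else falls to the implicit deny, so no trailing deny/permit pair is
! needed and new permits can simply be appended to the bottom. A hacked
! DMZ host also cannot be used as a general launch point outbound.
! (Use this list instead of dmz_in; re-point the access-group to it.)
access-list dmz_lock permit udp host 192.168.2.20 any eq domain
access-list dmz_lock permit tcp host 192.168.2.30 any eq smtp
access-list dmz_lock permit tcp host 192.168.2.30 host 10.1.1.5 eq www
access-group dmz_lock in interface dmz
```

With approach 2, check `show access-list dmz_lock` hit counts after a change: a DMZ host that needs a new destination shows up as silently dropped traffic rather than as an unnoticed hole.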




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34158&t=34155
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html