I'm trying to set up my company firewall to allow connections that are
described as:
OUTSIDE IPs are: A and B
These are NATed to the INSIDE and the DMZ
The firewall should operate as follows:
OUTSIDE to DMZ allow SMTP
OUTSIDE to INSIDE allow SMTP and HTTPS
DMZ to INSIDE allow LDAP and SMTP
All traffic going from INSIDE to DMZ, INSIDE to OUTSIDE, and DMZ to
OUTSIDE is permitted.
After reading the Cisco ASA and PIX Firewall Handbook, I created 6
access lists: an Inbound and an Outbound for each interface. As I
understand it, the Inbound access list for the DMZ interface controls
connections originating from the DMZ to the INSIDE as well as
connections originating from OUTSIDE to the DMZ, which is very
confusing. This didn't work, despite the logic being correct. Every
behavior was correct except that I couldn't access OUTSIDE from DMZ on
any port. The security levels listed from lowest to highest are
OUTSIDE->DMZ->INSIDE.
Then, I decided to only have 2 access lists. One would permit SMTP and
HTTPS from A to the INSIDE address and it would also permit SMTP from B
to the DMZ address. That one was applied to the OUTSIDE interface on
the Inbound traffic. The other access list would allow LDAP and SMTP
from the DMZ to the INSIDE and at the same time take on the role of the
outbound access list and allow HTTP, HTTPS, SMTP, and DOMAIN from the
DMZ to the OUTSIDE. This access list was applied to the DMZ interface
on the Inbound traffic.
My question is: How is it possible for the Inbound access list on the
DMZ interface to affect the Outbound traffic? If I took the lines that
explicitly allow outbound traffic from the DMZ to the OUTSIDE off the
DMZ access list, outbound requests break.
Any help or insight would be very appreciated.
Vince
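The two-access-list layout the post ends up with, written out as ASA configuration. This is an added illustration, not part of the original post: the interface names and security levels, the 203.0.113.0/24 (outside), 172.16.0.0/24 (DMZ) and 10.0.0.0/24 (inside) addresses, and the object and ACL names are all assumptions, and the object/NAT syntax assumes ASA 8.3 or later, where access lists match real (pre-NAT) addresses rather than the translated ones used on PIX and older ASA code. It shows why the DMZ-to-OUTSIDE permits have to live in the inbound DMZ list: an access-group applied `in` on an interface is evaluated for every packet that enters the firewall on that interface, whichever interface the packet will leave on, and every access list ends with an implicit deny. Once such a list is bound to the dmz interface, the security-level default that would otherwise let dmz (50) reach outside (0) no longer applies to that interface.

```cisco
! --- interfaces (assumed names, levels and addressing) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! --- static NAT: A (203.0.113.10) -> inside host, B (203.0.113.11) -> DMZ host ---
object network INSIDE_SRV
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
object network DMZ_SRV
 host 172.16.0.10
 nat (dmz,outside) static 203.0.113.11
! outbound PAT for the rest of the two networks (assumed)
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ_NET
 subnet 172.16.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface

! --- list 1: OUTSIDE -> INSIDE (SMTP, HTTPS) and OUTSIDE -> DMZ (SMTP) ---
! 8.3+: match the real addresses, not A and B
access-list OUTSIDE_IN extended permit tcp any object INSIDE_SRV eq smtp
access-list OUTSIDE_IN extended permit tcp any object INSIDE_SRV eq https
access-list OUTSIDE_IN extended permit tcp any object DMZ_SRV eq smtp
access-group OUTSIDE_IN in interface outside

! --- list 2: everything that ENTERS the firewall on the dmz interface ---
access-list DMZ_IN remark DMZ -> INSIDE: LDAP and SMTP only
access-list DMZ_IN extended permit tcp object DMZ_SRV object INSIDE_SRV eq ldap
access-list DMZ_IN extended permit tcp object DMZ_SRV object INSIDE_SRV eq smtp
access-list DMZ_IN remark DMZ -> OUTSIDE must be listed here too: this list is
access-list DMZ_IN remark checked for every packet arriving on dmz, and its
access-list DMZ_IN remark implicit "deny ip any any" overrides the 50 -> 0 default
access-list DMZ_IN extended permit tcp object DMZ_NET any eq www
access-list DMZ_IN extended permit tcp object DMZ_NET any eq https
access-list DMZ_IN extended permit tcp object DMZ_NET any eq smtp
access-list DMZ_IN extended permit udp object DMZ_NET any eq domain
access-list DMZ_IN extended permit tcp object DMZ_NET any eq domain
access-group DMZ_IN in interface dmz

! No access-group on inside: with no inbound list bound there, the
! security-level rule alone permits inside (100) -> dmz (50) and
! inside (100) -> outside (0), which is the behaviour the post wants.
```

To see which list is dropping a flow, `packet-tracer input dmz tcp 172.16.0.10 1025 198.51.100.5 80` walks the packet through the NAT and ACL phases and names the rule that matched (or the implicit deny), and `show access-list DMZ_IN` shows a hit count per line so you can confirm the outbound entries are actually being used.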