In Figure , the ACL acl_inside is applied to the inside interface. The ACL acl_inside denies HTTP connections from an internal network, but lets all other IP traffic through. Applying an ACL to the inside interface restricts internal users from establishing outside web connections.
NOTE: The internal network addresses, 10.0.0.0, are dynamically translated to the range 192.168.0.20 through 192.168.0.254 to allow outbound connections.
In Figure , the IP address of the web server is translated to an outside IP address of 192.168.0.11. The ACL acl_outside is applied to traffic inbound to the outside interface. The ACL acl_outside permits HTTP connections from the Internet to a public Internet web server, 192.168.0.11. All other IP traffic is denied access to the DMZ or inside networks.
In Figure , the web server is statically translated from 172.16.0.2 to 172.18.0.17. The ACL acl_partner is applied to traffic inbound to the partnernet interface. The ACL acl_partner permits web connections from the hosts on network 172.18.0.0/24 to the DMZ web server via its statically mapped address, 172.18.0.17. All other traffic from the Partner network is denied.
In the second scenario in Figure , the client on the DMZ is trying to connect to the mail server on the inside network. The mail server IP address is statically translated to 172.16.0.11 by the PIX Security Appliance. The ACL acl_dmz is applied to traffic inbound to the DMZ interface. The ACL acl_dmz permits the host 172.16.0.4 mail access to the internal mail server on the inside interface via the statically mapped address of the mail server, 172.16.0.11. All other traffic originating from the DMZ network is denied.
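The four scenarios above written out as PIX 6.x configuration, added here as an example rather than taken from the original page. It assumes what the page does not state: /24 masks on the 10.0.0.0, 172.16.0.0 and 172.18.0.0 networks, that the server reachable as 192.168.0.11 is the same DMZ web server 172.16.0.2, that "mail access" means SMTP, and that the inside mail server's real address 10.0.0.3 is a placeholder; lines beginning with `!` are annotations.

```cisco
! Scenario 1: inside users may not open outbound HTTP; all other IP traffic passes.
! Dynamic NAT for the inside network (mask /24 is an assumption).
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254
! Inbound on the inside interface, so the source is the real (pre-NAT) address.
access-list acl_inside deny tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
!
! Scenario 2: Internet clients reach the DMZ web server on HTTP only.
! The ACL names the mapped address 192.168.0.11, not the real 172.16.0.2,
! because traffic arriving on the outside interface is matched before untranslation.
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
access-list acl_outside permit tcp any host 192.168.0.11 eq www
! Explicit final deny: same effect as the implicit deny, but it gets a visible hit count.
access-list acl_outside deny ip any any
access-group acl_outside in interface outside
!
! Scenario 3: partner hosts on 172.18.0.0/24 reach the same DMZ web server
! through a second static mapping on the partnernet interface.
static (dmz,partnernet) 172.18.0.17 172.16.0.2 netmask 255.255.255.255
access-list acl_partner permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.17 eq www
access-list acl_partner deny ip any any
access-group acl_partner in interface partnernet
!
! Scenario 4: one DMZ host reaches the inside mail server via its mapped address.
! 10.0.0.3 is a placeholder for the real mail server address (not given on the page).
static (inside,dmz) 172.16.0.11 10.0.0.3 netmask 255.255.255.255
access-list acl_dmz permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
access-list acl_dmz deny ip any any
access-group acl_dmz in interface dmz
```

After applying the ACLs, `show access-list` lists each entry with its hit count, which confirms that permitted flows match the intended line and that rejected traffic is landing on the final deny rather than slipping through an earlier permit.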