Looking into buying and installing a PIX in a small business... I haven't touched one in quite a long time and don't have one available to play on, so I need to ask:
How do I correctly set up an access list for 2 machines in the DMZ? I know it has to be just a simple syntax issue, but I want to make sure of my design before I go drop big bucks and find out my security model was mistaken.
Assuming I have one of the interfaces on the firewall as DMZ, 192.168.0.1
My goal is to allow only the following services:
Server: mailsrv - POP3 and SMTP
internal 192.168.0.2
external 10.0.0.220
Server: webserv - HTTP, and Oracle Forms on 2222
internal 192.168.0.3
external 10.0.0.222
Web first:
static (dmz, outside) 10.0.0.222 192.168.0.3 255.255.255.255
access-list acl_out permit tcp any host 10.0.0.222 eq 80
access-list acl_out permit tcp any host 10.0.0.222 eq 2222
access-group acl_out in interface outside
Now, I also need to have 10.0.0.220 pass through to 192.168.0.2 for the mail server.
But I can't assign more than one access group to an interface, or so the help documentation says.
Or do I include the entire access list together?
static (dmz, outside) 10.0.0.220 192.168.0.2 255.255.255.255
static (dmz, outside) 10.0.0.222 192.168.0.3 255.255.255.255
access-list acl_out permit tcp any host 10.0.0.222 eq 80
access-list acl_out permit tcp any host 10.0.0.222 eq 2222
access-list acl_out permit tcp any host 10.0.0.220 eq 25
access-list acl_out permit tcp any host 10.0.0.220 eq 110
access-group acl_out in interface outside
Is that how it works?
Thanks in advance
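As an added example that is not part of the original post (and not Cisco's code), here is a small Python model of the combined configuration above. It parses the static, access-list and access-group lines exactly as written (PIX 6.x syntax is assumed), binds the one ACL to the outside interface, and evaluates constructed inbound flows with first-match, implicit-deny semantics. The model also assumes that a permitted flow whose mapped address has no static gets dropped for lack of a translation; the Flow/Ace names and the evaluate() helper are this example's own, not PIX commands.

```python
"""Offline check of the combined PIX configuration from the post.

Added example, not the poster's or Cisco's code. Assumes PIX 6.x syntax,
one ACL bound inbound per interface, first match wins, implicit deny at the
end of the list, and that a permitted flow still needs a static for its
mapped address before the PIX can forward it to the DMZ host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The combined configuration from the post, reproduced verbatim.
PIX_CONFIG = """
static (dmz, outside) 10.0.0.220 192.168.0.2 255.255.255.255
static (dmz, outside) 10.0.0.222 192.168.0.3 255.255.255.255
access-list acl_out permit tcp any host 10.0.0.222 eq 80
access-list acl_out permit tcp any host 10.0.0.222 eq 2222
access-list acl_out permit tcp any host 10.0.0.220 eq 25
access-list acl_out permit tcp any host 10.0.0.220 eq 110
access-group acl_out in interface outside
"""


@dataclass(frozen=True)
class Ace:
    """One access-list entry (only the forms used in the post)."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    dst: str             # "any" or a mapped (outside) host address
    port: Optional[int]  # destination port from "eq N"; None means any port


@dataclass(frozen=True)
class Flow:
    """A constructed inbound packet: protocol, mapped destination, dst port."""
    proto: str
    dst: str
    dport: int


STATIC_RE = re.compile(r"static\s*\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)\s+(\S+)$")
ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(any|host\s+\S+)"
                    r"\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?$")
GROUP_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text: str):
    """Return (statics, acls, groups): mapped (iface, ip) -> real ip,
    ACL name -> ordered entries, interface -> the single ACL bound on it."""
    statics: Dict[Tuple[str, str], str] = {}
    acls: Dict[str, List[Ace]] = {}
    groups: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, real_ip, _mask = m.groups()
            statics[(mapped_if, mapped_ip)] = real_ip
        elif m := ACE_RE.match(line):
            name, action, proto, _src, dst, port = m.groups()
            acls.setdefault(name, []).append(
                Ace(action, proto, dst.replace("host ", ""), int(port) if port else None))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            if iface in groups:
                # One access-group per interface, as the help text the poster
                # quotes says; this model treats a second binding as an error.
                raise ValueError(f"interface {iface} already has ACL {groups[iface]}")
            groups[iface] = name
        else:
            raise ValueError(f"unrecognised line: {line}")
    return statics, acls, groups


def evaluate(flow: Flow, iface: str, cfg) -> Tuple[str, Optional[str]]:
    """Verdict for an inbound flow on `iface`: ("permit", DMZ host) or ("deny", None).

    First matching entry wins. No match, or no ACL bound on the interface,
    falls through to the implicit deny. A permit with no static for the
    mapped address is also a deny (nothing to translate to).
    """
    statics, acls, groups = cfg
    for ace in acls.get(groups.get(iface, ""), []):
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.dst != "any" and ace.dst != flow.dst:
            continue
        if ace.port is not None and ace.port != flow.dport:
            continue
        if ace.action == "deny":
            return "deny", None
        real = statics.get((iface, flow.dst))
        return ("permit", real) if real else ("deny", None)
    return "deny", None


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    # Constructed probes: the four wanted services, then cross-host and wrong-protocol tries.
    for f in [Flow("tcp", "10.0.0.222", 80), Flow("tcp", "10.0.0.222", 2222),
              Flow("tcp", "10.0.0.220", 25), Flow("tcp", "10.0.0.220", 110),
              Flow("tcp", "10.0.0.220", 80), Flow("tcp", "10.0.0.222", 25),
              Flow("udp", "10.0.0.222", 80), Flow("tcp", "10.0.0.221", 80)]:
        print(f, "->", evaluate(f, "outside", cfg))
```

Running it shows the point of the single combined list: the four wanted ports each reach their own DMZ host, while port 80 to the mail server's address, port 25 to the web server's address, UDP, and any address without an entry all fall to the implicit deny at the end of acl_out.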