Access List

Can someone translate this access-list line for me in plain English? Thanks

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
ip address DMZ1 10.0.0.1 255.255.255.0
access-group dmz_out in interface DMZ1

access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
dexteroc

The access-group line would have to occur -after- the access-list line, or else access-group will complain that the access-list does not exist and will drop the access-list statement.

The ACL permits one host in the DMZ, numbered 10.0.0.3, to send certain TCP packets to the one host 1.1.1.1 (wherever that is).

If 1.1.1.1 is reached through the outside interface, then proceed to the next paragraph; if 1.1.1.1 is the target of a 'static' created on the inside interface, or if 1.1.1.1 is in the source range of a "permit" statement of an ACL named in a "nat (inside) 0 access-list" line, then 10.0.0.3 will be permitted to establish a new connection into the inside interface -- but if 1.1.1.1 is in the address range of the inside interface and there is no 'static' or nat 0 access-list applicable, then the connections towards the higher-security inside interface would be refused. (These static and nat 0 access-list concerns do not apply for traffic going to a lower-security interface.)

The permitted destination TCP ports are 12100, 12101, 12102, 12103, 12104, 12105, 12106, 12107, 12108, and 12109.

When a connection is initiated from 10.0.0.3 towards one of those ports at 1.1.1.1, and the security level stuff is acceptable, then the PIX will automatically create a temporary opening in the access controls of the destination interface; this temporary opening will permit the reply traffic. The temporary opening will be very specific, permitting the one destination port at 1.1.1.1 to send tcp traffic back towards whatever the one source port was on 10.0.0.3.

The source IP address that the destination will see in place of 10.0.0.3 will depend upon whether the packet is going to a lower security interface (outside) or a higher security interface (inside), and will depend on which static and nat and global statements have been configured.

Walter Roberson
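As an added illustration (not part of the thread), a small Python model of the two points Walter explains: the `range 12100 12109` keyword expanding to exactly ten destination ports with an implicit deny after the last rule, and the per-connection return opening that lets only the matching reply flow back. The `StatefulAcl` class, its method names and the sample flows are assumptions for this example; security levels and NAT are deliberately left out.

```python
import ipaddress
from collections import namedtuple

# Constructed example: the ACL line from the post, with the port range on one line.
ACL_LINE = "access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109"

Rule = namedtuple("Rule", "name action proto src dst ports")

def parse_acl(line):
    """Parse 'access-list NAME permit|deny tcp host A host B [eq P | range LO HI]'.
    Assumption: only the host / eq / range forms are handled here."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    name, action, proto = t[1], t[2], t[3]
    if t[4] != "host" or t[6] != "host":
        raise ValueError("only 'host' addresses are supported in this example")
    src, dst = ipaddress.ip_address(t[5]), ipaddress.ip_address(t[7])
    rest = t[8:]
    if not rest:                       # no port operator: any destination port
        ports = range(0, 65536)
    elif rest[0] == "eq":              # single port
        ports = range(int(rest[1]), int(rest[1]) + 1)
    elif rest[0] == "range":           # inclusive LO..HI, e.g. 12100-12109 = 10 ports
        ports = range(int(rest[1]), int(rest[2]) + 1)
    else:
        raise ValueError("unsupported port operator: %s" % rest[0])
    return Rule(name, action, proto, src, dst, ports)

class StatefulAcl:
    """Models an ACL applied inbound on DMZ1 plus the temporary return opening
    the firewall creates for each permitted connection (hypothetical model)."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # (src_ip, sport, dst_ip, dport) of permitted flows

    def outbound(self, src, sport, dst, dport):
        """Packet entering DMZ1: first matching rule decides; record permitted flows."""
        for r in self.rules:
            if (r.proto == "tcp" and ipaddress.ip_address(src) == r.src
                    and ipaddress.ip_address(dst) == r.dst and dport in r.ports):
                if r.action == "permit":
                    self.conns.add((src, sport, dst, dport))
                    return True
                return False
        return False   # implicit deny at the end of every ACL

    def reply(self, src, sport, dst, dport):
        """Return packet: only the exact reverse 4-tuple of a recorded flow passes."""
        return (dst, dport, src, sport) in self.conns
```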

Thanks Walter. Your description helped me understand the other access-lists, groups and static commands that we have defined in the firewall.

Paul

dexteroc
