In article , Geof wrote:
:I've got a PIX 6.3 with 3 interfaces: outside, inside (192.168.0.0/24) and dmz (192.168.1.0/24).
:There is a "static (inside,dmz) 192.162.0.0 192.168.0.0 netmask 255.255.255.0 0 0" rule.
:There is no "global (dmz)" rule and no "nat (inside) 0 192.168.0.0 255.255.255.0".
:My ACL allows outbound traffic from inside hosts to dmz hosts.
:Is the "static" rule enough to allow my inside hosts to connect to the dmz hosts, or is it mandatory to also have a nat/global (dmz) rule or a "nat 0" rule?
The static is enough.
However, you may also wish to add an access-group applied to the DMZ interface. If there isn't one, then return TCP traffic will be allowed to the inside, and when UDP traffic is initiated from the inside then replies will be permitted from the dmz until the connection has been inactive for 30 seconds (the time can be configured). However, PIX 6.3 still has some difficulties figuring out when icmp traffic is "return" traffic, so to be sure that appropriate icmp replies get through, it is safest to allow them in the dmz access-group.
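As an added illustration (not part of the thread, and not a configuration from either poster), here is the arrangement the reply describes in PIX 6.3 syntax: the original poster's static alone, plus a DMZ-side access-group that permits only the ICMP reply types an inside host would expect back, so the DMZ cannot initiate anything towards the inside. The access-list name `dmz_in` is an assumption; the addresses and the static line are taken from the question as written.

```text
! Inside-to-DMZ reachability: the static is sufficient on its own.
! No "global (dmz)" and no "nat (inside) 0 ..." are needed for this path.
static (inside,dmz) 192.162.0.0 192.168.0.0 netmask 255.255.255.0 0 0

! Access-group on the DMZ interface (name "dmz_in" is assumed).
! Without it, the lower-security DMZ interface cannot initiate connections
! inbound anyway, but TCP/UDP return traffic from the inside-initiated
! sessions is still passed by the connection table.
! ICMP replies are what PIX 6.3 struggles to classify as "return" traffic,
! so permit only the reply-type messages explicitly.
access-list dmz_in permit icmp 192.168.1.0 255.255.255.0 192.162.0.0 255.255.255.0 echo-reply
access-list dmz_in permit icmp 192.168.1.0 255.255.255.0 192.162.0.0 255.255.255.0 unreachable
access-list dmz_in permit icmp 192.168.1.0 255.255.255.0 192.162.0.0 255.255.255.0 time-exceeded
! Everything else from the DMZ towards the inside is dropped and logged
! by the implicit deny at the end of the list.
access-group dmz_in in interface dmz
```

Note that the destination the DMZ hosts see is the mapped address (the first address in the static, 192.162.0.0/24 as the question has it), which is why the access-list matches on that network rather than on 192.168.0.0/24. Inside-initiated TCP and UDP sessions are still matched by the connection table and need no explicit permit on the DMZ side.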