hell,
in pix 6.0 configutarion guide i found this:
" In the next example, dmz1 interface users are restricted from web browsing on other interfaces, but one host at 192.168.1.2 has web access. Put the port you want to restrict users from after the destination address. The following example shows these commands: access-list acl_dmz1 deny tcp any any eq www access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www access-group acl_dmz1 in interface dmz1 "
i do not understand why in second access-list is 'deny' if the discription tells that user from 192.168.1.2 has web access? i thought that there shuld be 'permit'!