PIX 520 - Static issue

Configuration is posted below. The problem that I am having is that it seems that with my static entries those hosts are available to be scanned completely from the outside world. I am pretty sure it has to do with these few lines.

access-list hosting_in permit icmp any any
access-list hosting_in permit icmp any any echo
access-list hosting_in permit icmp any any echo-reply
access-list hosting_in permit tcp any any
access-list hosting_in permit udp any any

But the only way I could allow the inside hosts to go out was by using them.

: Written by enable_15 at 00:18:23.714 UTC Thu Oct 27 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100basetx
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 hosting security50
nameif ethernet3 intf3 security6
passwd 2KFQnbNIdI.2KYOU encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list hosting_in permit tcp any host 38.XXX.XX.11 eq domain
access-list hosting_in permit udp any host 38.XXX.XX.11 eq domain
access-list hosting_in permit udp any host 38.XXX.XX.12 eq domain
access-list hosting_in permit tcp any host 38.XXX.XX.12 eq domain
access-list hosting_in permit tcp any host 38.XXX.XX.14 eq https
access-list hosting_in permit icmp any any
access-list hosting_in permit icmp any any echo
access-list hosting_in permit icmp any any echo-reply
access-list hosting_in permit tcp any any
access-list hosting_in permit udp any any
access-list hosting_in permit tcp any host 38.XXX.XX.14 eq smtp
access-list hosting_in permit tcp any host 38.XXX.XX.14 eq pop3
access-list hosting_in permit tcp any host 38.XXX.XX.14 eq 3101
access-list hosting_in permit udp any host 38.XXX.XX.14 eq 3101
access-list hosting_in permit tcp any host 38.XXX.XX.37 eq smtp
access-list hosting_in permit tcp any host 38.XXX.XX.37 eq pop3
access-list hosting_in permit tcp any host 38.XXX.XX.37 eq imap4
access-list hosting_in permit tcp any host 38.XXX.XX.37 eq 366
access-list hosting_in permit tcp any host 38.XXX.XX.36 eq www
access-list hosting_in deny tcp any any range 135 netbios-ssn
access-list hosting_in deny udp any any range 135 139
access-list inside_out permit tcp any any
access-list inside_out permit icmp any any
access-list inside_out permit udp any any
access-list inside_in permit tcp any host 38.XXX.XX.13 eq smtp
access-list inside_in permit tcp any host 38.XXX.XX.13 eq 3101
access-list inside_in permit tcp any host 38.XXX.XX.13 eq pop3
access-list inside_in permit tcp any host 38.XXX.XX.13 eq 3389
access-list inside_in permit tcp any host 38.XXX.XX.13 eq www
access-list inside_in permit tcp any any
access-list inside_in permit icmp any any
access-list inside_in permit udp any any
access-list inside_in permit tcp any host 38.XXX.XX.33 eq 5900
access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8000
access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8010
access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8443
pager lines 24
logging on
logging trap debugging
logging history debugging
mtu outside 1500
mtu inside 1500
mtu hosting 1500
mtu intf3 1500
ip address outside 38.XXX.XX.10 255.0.0.0
ip address inside 192.168.0.1 255.255.255.0
ip address hosting 192.168.1.1 255.255.255.0
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address hosting
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (hosting) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (hosting) 1 192.168.1.0 255.255.255.0 0 0
nat (hosting) 1 0.0.0.0 0.0.0.0 0 0
nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
alias (hosting) 192.168.1.20 38.XXX.XX.14 255.255.255.255
static (hosting,outside) 38.XXX.XX.11 192.168.1.11 netmask 255.255.255.255 0 0
static (hosting,outside) 38.XXX.XX.12 192.168.1.12 netmask 255.255.255.255 0 0
static (hosting,outside) 38.XXX.XX.14 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 38.XXX.XX.13 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 38.XXX.XX.33 192.168.0.101 netmask 255.255.255.255 0 0
static (hosting,outside) 38.XXX.XX.36 192.168.1.36 netmask 255.255.255.255 0 0
static (hosting,outside) 38.XXX.XX.37 192.168.1.37 netmask 255.255.255.255 0 0
access-group inside_out in interface outside
access-group inside_in in interface inside
access-group hosting_in in interface hosting
route outside 0.0.0.0 0.0.0.0 38.XXX.XX.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
Stan

In article , Stan wrote:
:Configuration is posted below. The problem that I am having is that it
:seems that with my static entries those hosts are available to be
:scanned completely from the outside world. I am pretty sure it has to
:do with these few lines.

:access-list hosting_in permit icmp any any

No, the problem is that your other two access lists are applied to the wrong interfaces.

Walter Roberson
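The reply above points at the real cause: the access-group lines bind an ACL that permits tcp/udp/icmp from any to any (inside_out) inbound on the outside interface, so every static is reachable from the Internet regardless of the more specific hosting_in entries. The script below is an added audit example, not code from the thread or from Cisco; it assumes the PIX 6.x syntax seen in the post (access-list NAME permit|deny PROTO SRC DST ... and access-group NAME in interface IFACE), and the sample configuration embedded in it is constructed from the posted excerpt with the masked 38.XXX.XX.n addresses replaced by placeholder 38.0.0.n values. It parses the ACLs and their interface bindings, reports any-to-any permit entries bound inbound on the untrusted interface, and flags bindings whose ACL name does not match the interface it is attached to, which is exactly the inside_out-on-outside slip in this configuration.

```python
"""Audit a Cisco PIX 6.x config for over-permissive ACLs bound inbound on the outside interface.

Added example (not from the thread). Assumes PIX 6.3-style syntax:
    access-list NAME permit|deny PROTO SRC DST [port-qualifier ...]
    access-group NAME in interface IFACE
"""
import re
from collections import defaultdict

# Constructed sample drawn from the posted excerpt; 38.0.0.n stand in for the masked addresses.
SAMPLE_CONFIG = """
access-list hosting_in permit tcp any host 38.0.0.11 eq domain
access-list hosting_in permit tcp any any
access-list hosting_in permit udp any any
access-list inside_out permit tcp any any
access-list inside_out permit icmp any any
access-list inside_out permit udp any any
access-list inside_in permit tcp any host 38.0.0.13 eq smtp
access-list inside_in permit tcp any any
access-group inside_out in interface outside
access-group inside_in in interface inside
access-group hosting_in in interface hosting
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (acls, bindings): acls maps ACL name -> [(action, proto, rest)],
    bindings maps interface name -> ACL name bound inbound on it."""
    acls = defaultdict(list)
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest.strip()))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            bindings[iface] = name
    return dict(acls), bindings


def is_any_any(rest):
    """True when source and destination are both `any` and no port/type qualifier narrows the entry."""
    tokens = rest.split()
    return tokens == ["any", "any"]


def find_exposures(acls, bindings, untrusted_iface="outside"):
    """Permit entries on the ACL bound inbound on the untrusted interface that allow any -> any.
    Each hit is (acl_name, proto, rest); an empty list means nothing wide open was found."""
    name = bindings.get(untrusted_iface)
    if name is None:
        return []  # no ACL bound inbound on that interface, nothing to audit here
    return [(name, proto, rest)
            for action, proto, rest in acls.get(name, [])
            if action == "permit" and is_any_any(rest)]


def name_mismatches(bindings):
    """Bindings whose ACL name does not start with '<iface>_': a naming hint, not proof of a fault,
    but in the posted config it is precisely where the misapplied ACL shows up."""
    return {iface: name for iface, name in bindings.items()
            if not name.startswith(iface + "_")}


if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    for acl_name, proto, rest in find_exposures(acls, bindings):
        print(f"WIDE OPEN inbound on outside: access-list {acl_name} permit {proto} {rest}")
    for iface, acl_name in name_mismatches(bindings).items():
        print(f"CHECK binding: access-group {acl_name} in interface {iface}")
```

Run against the constructed sample it reports the three inside_out permit any any entries as wide open on the outside interface and flags the inside_out binding on outside as a naming mismatch, while hosting_in and inside_in pass the binding check. The same parser can be pointed at a full `show running-config` dump; only the two line shapes above are consumed, everything else is ignored.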
