firewall access control list implicit deny
Hello,
I was under the impression that there would be an implicit deny at the end of the firewall access list, but my tests show that there is not. For example, I have set up a one-to-one NAT for an internal server and enabled DMZ forwarding. Immediately after I did this I used a port scan tool and confirmed *all* ports on this server were open to the Internet.
In order to open just one port I had to create two rules. The first rule allows Internet traffic to the one port I need and the second rule denies all other traffic.
With these two rules I am able to get my desired security config, but it also means that there is no implicit deny in the firewall for one-to-one NAT hosts? Does this make sense?
Thanks,