Although a handful of internet forum threads and knowledge base articles already cover this topic, this post is my contribution on what has worked well for me. My main source on how to configure Backup Exec to work with firewalls can be found here: http://seer.entsupport.symantec.com/docs/299245.htm
The configuration and settings below are from an actual production environment. The network using this configuration has Backup Exec 12.5 installed on a dedicated backup server on the LAN at 192.168.1.x, with an external SCSI-connected LTO tape drive. The DMZ network 172.16.10.x contains several Windows-based web servers. On the backup server, the Backup Exec remote agent TCP dynamic port range was configured per Symantec's recommendation.
In Backup Exec, select Tools > Options > Network and Security.
The relevant PIX code:
ip address dmz 172.16.10.1 255.255.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
<- LAN based backup server static mapping ->
static (inside,dmz) 192.168.1.x 192.168.1.x netmask 255.255.255.255 0 0
<- Backup Exec server and remote agent port ranges ACL ->
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 10000 10500
<- Enable ACL ->
access-group 102 in interface dmz
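As an added example (not part of the original post, and not Cisco or Symantec code), the Python below applies first-match evaluation with the implicit deny to the access-list 102 entries above, so you can confirm which DMZ-to-LAN flows the ACL allows and how many TCP ports each web server can reach on the backup server. The function names are hypothetical, and 192.168.1.x is the post's own redacted address, matched here as a literal token.

```python
# Added example: evaluate flows against the post's access-list 102.
# "192.168.1.x" is the post's redacted backup-server address, kept as an opaque token.
ACL_102 = """\
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 10000 10500
"""

def parse_acl(text):
    """Parse 'access-list N ACTION PROTO host SRC host DST range LO HI' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        # Only the host/host/range form used in the post is handled.
        if len(tok) != 11 or tok[0] != "access-list":
            continue
        if (tok[4], tok[6], tok[8]) != ("host", "host", "range"):
            continue
        rules.append({"action": tok[2], "proto": tok[3], "src": tok[5],
                      "dst": tok[7], "lo": int(tok[9]), "hi": int(tok[10])})
    return rules

def check(rules, proto, src, dst, port):
    """First matching entry wins; no match falls through to the implicit deny."""
    for r in rules:
        if (r["proto"], r["src"], r["dst"]) == (proto, src, dst) \
                and r["lo"] <= port <= r["hi"]:
            return r["action"]
    return "deny"

def exposure(rules):
    """Number of distinct ports each source may open to each destination."""
    ports = {}
    for r in rules:
        if r["action"] == "permit":
            ports.setdefault((r["src"], r["dst"]), set()).update(
                range(r["lo"], r["hi"] + 1))
    return {pair: len(p) for pair, p in ports.items()}

RULES = parse_acl(ACL_102)

if __name__ == "__main__":
    for (src, dst), count in sorted(exposure(RULES).items()):
        print(f"{src} -> {dst}: {count} TCP ports permitted")
    # Flows worth confirming as blocked: SMB, one past the range, an unlisted host.
    for src, port in [("172.16.10.11", 445), ("172.16.10.11", 10501),
                      ("172.16.10.14", 6101)]:
        print(src, port, check(RULES, "tcp", src, "192.168.1.x", port))
```
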
Backup Exec remote agents installed successfully on the web servers via push. A DMZ backup job was then configured and scheduled.
Here's a screenshot of the DMZ backup job throughput:
I know I am commenting on a blog post from a year ago. My expertise on Cisco is not that great. I am dealing with the ISA firewall instead of PIX, but everything else is the same setup. Firewall type shouldn't matter. Sorry to say, but the Symantec KB article you listed above is a big joke. It was written by someone with no concept of firewalls. If you google "backup exec and DMZ backup", you see hundreds of hits. Symantec hadn't done a good job of explaining how the traffic flows. They just listed a bunch of ports without explaining which way the traffic flows and if there are any secondary connections.
Is that the whole config for the PIX? Because what I understand from the documentation and forums is that you need to allow NetBIOS, CIFS and 10000 from the media server to the DMZ and vice versa. Any light you can shed on this subject is greatly appreciated.
Thanks