ACL assigned in interface inside stops traffic

Answered Question
Jun 7th, 2007

Hi, I found that on a PIX 501 I defined a 1 line ACL on inside interface:

access-list acl_inside permit TCP host inside-host host ext-host

and then when I added:

access-group acl_inside in interface inside

the users could not access anything outside of the network.

Why would this be?

Jon Marshall Thu, 06/07/2007 - 05:02
Hi

Once you apply an access-list on an interface there is an implicit deny at the end of the access-list.

So by adding that one line access-list you have effectively blocked all traffic except the traffic allowed in your one line. Although even this line is missing a TCP port number at the end of the line.

HTH

Jon

martymailey Thu, 06/07/2007 - 05:09

Hi. So I should at least add a 2nd line to allow all IP traffic from the internal network address to an external network address.

E.g. this is a branch office with a VPN tunnel to HQ.

So I should add an ACL on the inside interface to permit ip from the branch office address to the HQ network address.

Correct Answer
Jon Marshall Thu, 06/07/2007 - 05:11

Hi


If you do not want to restrict traffic from your branch office to any destination then you don't need an access-list on the inside interface.


If you do want to restrict the branch office traffic then yes you will need to add in all the permitted traffic to your access-list.


HTH


Jon
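To make the implicit-deny behaviour from Jon's answers concrete, here is a small first-match evaluator for PIX-style access-list lines. It is an added example, not part of the thread or of any Cisco code, and all addresses (inside host, external host, branch LAN, HQ LAN) are constructed placeholders.

```python
# Added example (not from the thread): a minimal first-match evaluator for
# PIX-style access-list lines, showing why a one-line ACL applied with
# "access-group ... in interface inside" blocks everything else: every
# access-list ends with an implicit "deny ip any any".
import ipaddress


def _net(tokens):
    """Parse 'any', 'host A', or 'A MASK' and return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT]' -> dict."""
    t = line.split()
    assert t[0] == "access-list"
    action, proto = t[2], t[3].lower()
    src, n = _net(t[4:])
    dst, m = _net(t[4 + n:])
    rest = t[4 + n + m:]
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"name": t[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": port}


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; if nothing matches, the implicit deny applies."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every access-list


# Constructed addresses: the original one-line ACL, then the same ACL with
# the branch-LAN-to-HQ-LAN permit that martymailey proposed adding.
ONE_LINE_ACL = [parse_ace(
    "access-list acl_inside permit tcp host 192.168.1.10 host 203.0.113.5")]
FIXED_ACL = ONE_LINE_ACL + [parse_ace(
    "access-list acl_inside permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0")]

if __name__ == "__main__":
    # A second inside host browsing the Internet hits the implicit deny.
    print(evaluate(ONE_LINE_ACL, "tcp", "192.168.1.20", "198.51.100.1", 80))  # deny
    # Branch host to HQ over the tunnel: permitted only by the added line.
    print(evaluate(FIXED_ACL, "tcp", "192.168.1.20", "10.0.0.7", 445))       # permit
```

Because no "deny" line was written, every unmatched flow still falls through to the implicit deny, which is exactly what the users at the branch office saw.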
