ACL assigned in interface inside stops traffic

Answered Question
Jun 7th, 2007

Hi, I found that on a PIX 501 I defined a 1-line ACL on the inside interface:

access-list acl_inside permit TCP host inside-host host ext-host

and then when I added:

access-group acl_inside in interface inside

the users could not access anything outside of the network.

Why would this be?

Jon Marshall Thu, 06/07/2007 - 05:02

Hi

Once you apply an access-list on an interface there is an implicit deny at the end of the access-list.

So by adding that one-line access-list you have effectively blocked all traffic except the traffic allowed in your one line. Although even this line is missing a TCP port number at the end of the line.

HTH

Jon

martymailey Thu, 06/07/2007 - 05:09

Hi. So I should at least add a 2nd line to allow all IP traffic from the internal network address to an external network address.

E.g. this is a branch office with a VPN tunnel to HQ.

So I should add ACL on inside interface to permit ip from branch office address to HQ network address.

Correct Answer
Jon Marshall Thu, 06/07/2007 - 05:11

Hi

If you do not want to restrict traffic from your branch office to any destination then you don't need an access-list on the inside interface.

If you do want to restrict the branch office traffic then yes you will need to add in all the permitted traffic to your access-list.

HTH

Jon
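As an added worked example (not config from the original thread or from Jon's replies), here is the posted one-line ACL beside the two fixes discussed above: dropping the access-group when no restriction is wanted, and listing every permitted flow when it is. All addresses are assumed placeholders (branch LAN 192.168.10.0/24, HQ 10.0.0.0/16, inside-host 192.168.10.20, ext-host 203.0.113.10); lines beginning with ! are annotations, not commands to type. Two points the thread leaves implicit: a PIX ACL is matched top-down on first hit, so order matters, and a `permit tcp host A host B` line with no `eq` matches every TCP port between those hosts, so add the port only if you mean a single service.

```text
! --- As posted: one permit line, then the implicit deny. ---
! Every packet entering "inside" that is not TCP from 192.168.10.20
! to 203.0.113.10 falls through to the implicit deny, so ordinary
! Internet traffic and the branch-to-HQ VPN traffic both stop.
! (The inside ACL is evaluated on the cleartext packet before IPsec
! encryption, so tunnel-bound traffic is not exempt from it.)
access-list acl_inside permit tcp host 192.168.10.20 host 203.0.113.10
access-group acl_inside in interface inside

! --- Option A: no restriction on branch traffic. ---
! Unbind the ACL. With no ACL on "inside", the default security-level
! behaviour (higher to lower) lets outbound traffic through as before.
no access-group acl_inside in interface inside

! --- Option B: restrict branch traffic. List everything allowed. ---
! PIX ACLs take subnet masks, not IOS-style wildcard masks.
! Assumed: inside-host may reach ext-host on HTTPS only (eq 443),
! the whole branch LAN may reach the HQ range over the tunnel,
! and the branch may query an assumed HQ DNS server at 10.0.0.53.
access-list acl_inside permit tcp host 192.168.10.20 host 203.0.113.10 eq 443
access-list acl_inside permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list acl_inside permit udp 192.168.10.0 255.255.255.0 host 10.0.0.53 eq 53
! Explicit final deny with "log" (PIX 6.3 and later) so blocked flows
! show up in syslog instead of silently hitting the implicit deny.
access-list acl_inside deny ip any any log
access-group acl_inside in interface inside

! Verify: per-line hit counts show which entry a flow matched and
! whether traffic is landing on the final deny.
show access-list acl_inside
```

When testing Option B, generate the traffic you expect to work (a web session from inside-host, a ping or RDP to an HQ address) and re-run `show access-list acl_inside`: a rising hitcnt on the `deny ip any any log` line identifies exactly which flows still need a permit entry.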
