06-07-2007 04:40 AM - edited 03-05-2019 04:33 PM
Hi, I found that on a PIX 501 I defined a one-line ACL on the inside interface:
access-list acl_inside permit TCP host inside-host host ext-host
and then when I added:
access-group acl_inside in interface inside
the users could not access anything outside of the network.
Why would this be?
06-07-2007 05:02 AM
Hi
Once you apply an access-list on an interface there is an implicit deny at the end of the access-list.
So by adding that one line access-list you have effectively blocked all traffic except the traffic allowed in your one line. Although even this line is missing a tcp port number at the end of the line.
HTH
Jon
06-07-2007 05:09 AM
Hi, so I should at least add a 2nd line to allow all IP traffic from the internal network address to an external network address.
Eg this is a branch office with a VPN tunnel to HQ.
So I should add ACL on inside interface to permit ip from branch office address to HQ network address.
06-07-2007 05:11 AM
Hi
If you do not want to restrict traffic from your branch office to any destination then you don't need an access-list on the inside interface.
If you do want to restrict the branch office traffic then yes you will need to add in all the permitted traffic to your access-list.
HTH
Jon
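The behaviour Jon describes, modelled as an added example (not code from the thread or from Cisco): the PIX walks an interface access-list top-down, first match wins, and anything not matched falls to the implicit deny at the end. All hosts and networks are constructed sample values, and `evaluate`/`demo` are hypothetical helpers.

```python
"""Tiny model of PIX/ASA-style interface ACL evaluation: first match wins and an
implicit deny follows the last configured line. Addresses below are constructed
sample values, not the poster's real inside-host, ext-host or HQ network."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol; "tcp"/"udp" match only that one
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def host(addr):
    """Equivalent of the 'host x.x.x.x' keyword: a /32."""
    return ipaddress.ip_network(f"{addr}/32")

def evaluate(acl, proto, src, dst):
    """Return the action for a packet, falling through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # implicit deny at the end of every applied access-list

# The poster's one-line ACL (constructed addresses): inside-host -> ext-host, tcp only
ONE_LINE = [Ace("permit", "tcp", host("10.1.1.10"), host("203.0.113.5"))]

# The ACL after adding the line Jon suggests: permit ip branch-office -> HQ network
BRANCH = ipaddress.ip_network("10.1.1.0/24")
HQ = ipaddress.ip_network("10.2.0.0/16")
WITH_HQ_LINE = ONE_LINE + [Ace("permit", "ip", BRANCH, HQ)]

def demo():
    """Show why every other user lost access, and what the extra line restores."""
    return {
        "inside-host tcp to ext-host": evaluate(ONE_LINE, "tcp", "10.1.1.10", "203.0.113.5"),
        "other user tcp to ext-host": evaluate(ONE_LINE, "tcp", "10.1.1.20", "203.0.113.5"),
        "other user to HQ, one line": evaluate(ONE_LINE, "tcp", "10.1.1.20", "10.2.5.1"),
        "other user to HQ, with line": evaluate(WITH_HQ_LINE, "tcp", "10.1.1.20", "10.2.5.1"),
        "other user to internet, with line": evaluate(WITH_HQ_LINE, "tcp", "10.1.1.20", "198.51.100.7"),
    }

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Note that the added `permit ip` line only restores traffic to the HQ network; anything else from the branch office still hits the implicit deny until it is explicitly permitted.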
06-07-2007 05:14 AM
Thanks for your advice.