ACL assigned in interface inside stops traffic

martymailey
Level 1

Hi, I found that on a PIX 501 I defined a 1-line ACL on the inside interface:

access-list acl_inside permit TCP host inside-host host ext-host

and then when I added:

access-group acl_inside in interface inside

the users could not access anything outside of the network.

Why would this be?


4 Replies

Jon Marshall
Hall of Fame

Hi

Once you apply an access-list on an interface there is an implicit deny at the end of the access-list.

So by adding that one-line access-list you have effectively blocked all traffic except the traffic allowed in your one line. Although even this line is missing a TCP port number at the end of the line.

HTH

Jon

Hi, so I should at least add a 2nd line to allow all IP traffic from the internal network address to an external network address.

E.g. this is a branch office with a VPN tunnel to HQ.

So I should add an ACL on the inside interface to permit ip from the branch office address to the HQ network address.

Hi

If you do not want to restrict traffic from your branch office to any destination then you don't need an access-list on the inside interface.

If you do want to restrict the branch office traffic then yes you will need to add in all the permitted traffic to your access-list.

HTH

Jon
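As an added illustration (not part of the thread or of Cisco's code), here is a small Python model of how the PIX evaluates an inbound access-list on the inside interface: first match wins, and anything unmatched falls through to the implicit deny Jon describes. The addresses, and the second `permit ip` branch-to-HQ line from the follow-up, are constructed examples, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed PIX-style access-list lines (RFC 1918 / documentation addresses, not from the thread).
# ONE_LINE_ACL reproduces the original symptom: one permit, then the implicit deny.
ONE_LINE_ACL = [
    "access-list acl_inside permit tcp host 10.1.1.10 host 203.0.113.5 eq 443",
]
# BRANCH_ACL adds the branch-office -> HQ permit ip line suggested in the follow-up.
BRANCH_ACL = ONE_LINE_ACL + [
    "access-list acl_inside permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.0.0",
]

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    # access-list NAME ACTION PROTO SRC DST [eq PORT]
    t = line.split()
    action, proto, rest = t[2], t[3].lower(), t[4:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return Ace(action, proto, src, dst, dport)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return the action of the first matching ACE; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", proto):      # 'ip' matches any protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"
```

With only the one-line ACL, an ordinary user's web request to any other destination returns the implicit deny, which is exactly the "users could not access anything outside" symptom; the branch-to-HQ line lets that traffic through while everything else stays denied.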

Thanks for your advice.
