pix ver 6.3 Access list

Unanswered Question
Oct 25th, 2007

Thank you for taking the time to read this post. I'll admit up front I'm just starting to work on the PIX.

I need to restrict a range of IPs to only go to one address on our network.

I created a new address pool and a new vpngroup which pulls the IP address from the new pool. ( /28)

Below are the first two lines of the ACL that is applied to inbound traffic on the inside interface.

access-list inbound permit ip host

access-list inbound deny ip any

Shouldn't line 2 stop traffic from any other source destined for /28? Or do I have something backwards? I ask as I can still access other network resources when I log in using the new group.

fedefalchi Thu, 10/25/2007 - 10:45


Let's see if I understood...

Everything works, right?

Your doubt is how you can access other IP addresses or other services that were not supposed to be accessible from the address pool?

Note that the access to the pool is very permissive (permit ip).

scootertgm Thu, 10/25/2007 - 11:21

The existing VPN groups work fine. The new group allows me to log in, but gives me too much access to the network. I can access other IP addresses on the network rather than just the one.

Once I get the ACL working which limits access to the one IP address, I'll get more restrictive with the ports.

fedefalchi Thu, 10/25/2007 - 11:45

I don't understand anything else.

Your LAN is or

Execute the command "show access-list" and look for the hit counts; you will see which access-list entries are getting hits.

scootertgm Thu, 10/25/2007 - 11:50

The address on the LAN that the external user needs to access is The is the range of addresses given to the external users when they connect to the PIX VPN.

fedefalchi Thu, 10/25/2007 - 13:00

Hi scootertgm,

I don't know how your configuration works, but the access-list is wrong.

You need this:

access-list inbound permit tcp host eq (service_you_need)

access-list inbound deny ip any

Because you have the VPN tunnel, the addresses need to access the addresses. Verify all services they need to access and create an object-group to make it easier.

If you must allow the addresses of the VPN to access more resources on your network, don't forget minimum privileges and use "permit ip" only as their last option.

scootertgm Thu, 10/25/2007 - 13:23

I changed access list lines 1-4 to reflect the following:

access-list inbound permit tcp host eq www

access-list inbound permit udp host eq www

access-list inbound permit udp host eq 44818

access-list inbound deny ip any

Below shows my vpn adapter is getting the correct ip address:

Connection-specific DNS Suffix . : xxxxxx

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

Default Gateway . . . . . . . . . :


I am still able to access resources on the network other than just the specified address.

jaravinthan Thu, 10/25/2007 - 23:24


Where is this ACL applied? I mean, on which interface and in what direction is it applied?

The practice is to apply the ACL blocking at the source, meaning apply the ACL on the interface on which the users will come in.

pjhenriqs Fri, 10/26/2007 - 00:27

I think you just have your access-list applied to the wrong place.

The VPN group pool ( is coming from the outside interface, so you should apply the access-list on that interface (inbound). If you want to limit what a user on your network can access on the remote VPN user, then you would use your example (I'm not sure what it is that you want).

Also verify that you are not bypassing the access-lists, which is the default configuration when you do a remote/site-to-site VPN.

Let me know if this helps.



scootertgm Fri, 10/26/2007 - 06:11

The access list is applied to the inside interface on the inbound direction.

It's not a site-to-site vpn but rather a client based VPN.

If I am understanding, I should create a second ACL and apply it to the outside interface to restrict where the user can go?

scootertgm Wed, 10/31/2007 - 10:07

I tried applying the ACL on the outside interface inbound, however it still did not block the traffic.

At this point I am having to restrict the traffic at the layer three switch on the next hop.
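As an added example (not configuration posted in this thread; the addresses below are constructed placeholders, not the poster's real ones), this is how the approach pjhenriqs describes would look in PIX 6.3 syntax, and it also covers the case in the last post where an ACL on the outside interface still does not block anything: by default the PIX has `sysopt connection permit-ipsec` enabled, which lets decrypted IPsec traffic bypass the interface access-lists entirely, so an outside ACL has no effect on VPN client traffic until that option is turned off.

```cisco
! Added example, not from the original thread.
! Placeholder addresses (constructed):
!   203.0.113.0/28  = the new VPN client address pool
!   192.0.2.10      = the one inside host the clients may reach
! VPN client packets are decrypted on the outside interface, so the
! restriction belongs on the outside interface, inbound.
access-list vpnclients permit tcp 203.0.113.0 255.255.255.240 host 192.0.2.10 eq www
access-list vpnclients permit udp 203.0.113.0 255.255.255.240 host 192.0.2.10 eq 44818
! Explicit deny scoped to the pool, so any other outside-interface
! permits that already exist can follow it in the same list.
access-list vpnclients deny ip 203.0.113.0 255.255.255.240 any
access-group vpnclients in interface outside
! Default is "sysopt connection permit-ipsec", which exempts decrypted
! IPsec traffic from interface ACLs. Disable it so the ACL above applies.
no sysopt connection permit-ipsec
! Confirm with the hit counts, as suggested earlier in the thread.
show access-list vpnclients
```

Two points to keep in mind with this layout. `no sysopt connection permit-ipsec` is global, so traffic from every other VPN tunnel terminating on the PIX becomes subject to the outside interface ACL as well; their required flows must be permitted in the same list or they will stop working. And because `access-group` binds one list per interface and direction, any rules already on the outside interface have to be merged into this list rather than kept in a separate one. The ACL on the inside interface, inbound, only ever sees packets sourced from inside hosts, which is why the original lines had no effect on the clients.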

