Access list to allow access to the Internet from remote site

Unanswered Question
Jul 31st, 2008


I have a subnet in a remote site which I am trying to allow access to the Internet via our head office site.

I want to prevent this subnet accessing anything in the head office network ( except for the PIX obviously.

I put an inbound ACL on the WAN interface of our head office router which permits the remote subnet to access the LAN interface of our PIX at head office.

It works because I can ping the PIX from that subnet, but thats about all I can do. I cant get to the Internet (cant ping by name or IP) and I am at a loss for why this is the case.

When I look at IP access-accounting (or similar) it tells me that it is denying access to the IP addresses of internet DNS servers I am using, so I am assuming the ACL is too restrictive.

Also, If there is no ACL, this works perfectly (except that the remote subnet has full access to head office).

Any help is appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Thu, 07/31/2008 - 19:03

that is because at the end of each ACL there is an **implicit DENY**

so try to put another line to the end of your ACL like

permit any any

evry thing will work

HOWEVER you dont want the remot site to use the internal netwok so if the internal network (i mean the HQ) accessable through the router

just add a deny statment

so ur access-list shoud be like but not exactly only example

access-list 100 deny ip (remote net) (remote nt subnet) 0.15.255

access-list 100 permit ip any any

in this manner u put what u wanna deny first then permit any

unless u wanna permit only spisific things which is more secur in this case u put in ur ACL what u wanna permit exactly then deny any

but try the above example

and ur problem again because there is implicit deny all at the end of each ACL group u need to put a permit statment to allow the traffic

good luck

Please, rate if helpful

Anonymous (not verified) Thu, 07/31/2008 - 21:11

So what you are saying is to put an ACL along the lines of

deny ip (remote network) (remote mask) (HO Network) (HO Mask)

permit ip any any

This will block the specific remote subnet accessing our HO network, but allow the other subnets to access HO.

Doesn't this cause a problem with our pix being in the list of denied IP addresses.. or it doesn't matter because the clients are not talking to the pix, they are talking through it?

Thanks very much, it seems like this might be the answer!



Marwan ALshawi Thu, 07/31/2008 - 21:17

to make sure the users have connectivity to ur pix also because i have no i dea about ur addresing to the following

first line

permit ip (remote network)(remote mask) host(pix ip address)


deny ip (remote network) (remote mask) (HO Network) (HO Mask)

permit ip any any

this way u will make sure the users have connectivity with pix

goos luck

please, if helpful Rate

Anonymous (not verified) Thu, 07/31/2008 - 21:12

dinesh.das Thu, 07/31/2008 - 21:12

I think you can do it another way to also, apply acl for your remote network on HO WAN router inbound direction..

It should be like

Access-list extended deny ip any eq www

Access-list extended deny ip any eq http

Access-list extended permit ip any any eq www

Access-list extended permit ip any any eq http

Access-list extended deny any any

Anonymous (not verified) Sun, 08/03/2008 - 20:03

Thank you, your way of thinking to deny the specific ranges accessing HO, then permit everything else, has worked.

We tested this and the Internet access is fine but there is no access to the head office network, which is exactly what we were trying to accomplish.

Thanks again,



This Discussion