interface Ethernet0/0 ip address 10.0.0.2 255.255.255.0 ip access-group 100 in ip access-group 101 out half-duplex ! interface Serial0/0 ip address 192.168.0.2 255.255.255.0 ip access-group 102 out ! changes you need to perform ************************** 1.- remove acccess-group 101 out from ethernet0/0 2.- remove entry - permit ip any host 10.0.0.3 - from access-list 100 so it reads: access-list 100 permit ip host 10.0.0.3 any access-list 100 permit icmp host 10.0.0.1 host 192.168.0.1 log-input access-list 100 permit tcp host 10.0.0.1 host 192.168.0.1 log-input access-list 100 deny ip any any 3.- modify access-list 102 so that it reads: access-list 102 permit icmp any any administratively-prohibited log-input access-list 102 permit icmp any any echo log-input access-list 102 permit icmp any any echo-reply log-input access-list 102 permit icmp any any packet-too-big log-input access-list 102 permit icmp any any time-exceeded log-input access-list 102 permit icmp any any traceroute log-input access-list 102 permit icmp any any unreachable log-input access-list 102 permit ip any host 10.0.0.3 access-list 102 deny ip any any also you might want to add these entries at the beginning of the ACL 102 for anti spoofing attacks access-list 102 deny ip 127.0.0.0 0.255.255.255 any access-list 102 deny ip 10.0.0.0 0.0.0.255 any 4.- Apply access list 102 to serial interface on the INBOUND direction ip access-group 102 in 5.- remove the inspection instruction from teh serial interface no ip inspect http_out 6.- Apply inspection to the Ethernet0/0 interface in the Inbound direction ip inspect http_out in 7.- Test by initiating some http, icmp, udp traffic from 10.0.0.3 to outside