Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco Pix 525



hopefully my question is fairly easy for someone with more knowledge than me. I have a cisco pix 525. it has multiple subnets on different nic cards and currently and I am hoping to only allow one subnet to talk into the others but not vice versa.


currently subnet a, and subnet b can talk to each other in both directions. how can I block all traffic from subnet a from getting into subnet b while allowing subnet b to do anything it wants to subnet a?


This scenario is setup on internal networks as well as subnets that are full and split tunnel. I would assume it would be identically but if someone could clarify, that would be great.






Community Member

You can do this by setting

You can do this by setting the security levels for the interfaces. Interfaces with higher security levels can pass traffic to interfaces with lower security levels but not vice versa unless explicitly defined. Interfaces with the same security level can pass traffic between each other.

Community Member

Hi Jeff, You can do this with

Hi Jeff,


You can do this with inbound ACL. Try using this.

You can restrict one subnet with that.



Get Free Pre-Sales Technical Support and purchase Networking Hardware Equipment at lowest prices with fast shipment at


Community Member

hi, thanks for your replies.



thanks for your replies. sorry I have been very busy lately.

I am aware of the security levels on the interfaces. they are currently set to 0 on the outside interface, 50 on the lab interface and 100 on the internal interface.

The problem I am having really is using doing hairpinned vpn access. full tunnel has access to the the internal network when connecting to the lab.

You had mentioned to use an ACL. yes. I have tried this blocking tcp and udp. When I try and block stuff, it bricks access to the network for all remote users(me). What specifically is the command you would use to lock it down.


CreatePlease to create content