Cisco Support Community

New Member

PIX ACL issue - Deny Internal Access to External Network

We are in the process of adding a wireless network to the existing LAN. The requirement is that wireless clients have access to the internet, and occasionally access to the internal webserver. But, at no time should wireless clients be able to access anything on the internal LAN.

So any ACL that blocks out the LAN network would of course block out the gateway, at least that is what has seemed to happen. Here is how the networks are configured:

PIX506 (1) ( - Primary business LAN

PIX506 (2) ( - Wireless Network

To date every ACL I have tried either blocks ALL access, meaning I cannot access the 2.0 network, but also not the internet, or I get full access to both the internet and the 2.0 network.

What I want is people on the 3.0/24 network to access the internet and one webserver on the 2.0/24 network.

Here are two ACLs I have tried last:

access-list 101 permit tcp host

access-list 101 deny tcp

This is the original one I tried which was given to me by some Cisco engineers, yet when this did not work they had no answers on what to do next unfortunately:

access-list 101 permit ip host

access-list 101 deny ip

access-list 101 permit ip any

Am I incorrect in thinking the PIX can do what I want it to? It seems that I should, but I just need to get the ACL down correctly.

New Member

Re: PIX ACL issue - Deny Internal Access to External Network

The ACL that the Cisco engineers gave you is correct.

Is the inside IP address of the PIX on the wireless network?

If so, you need to apply ACL 101 incoming into the (inside) interface.

Make sure you create ACL 101 in the exact order that those engineers gave you.

New Member

Re: PIX ACL issue - Deny Internal Access to External Network

is the inside interface to the PIX connected to the wireless network.

I have applied that configuration, except it does not accept subnet If I switch that to the command is entered. At the moment I do have internet access, but I can also access a machine on the internal network: I just go to Explorer and do \\ and can open that machine's shares.

But now I have the following:

access-list inside_access_in permit ip any host

access-list inside_access_in permit ip any host

access-list inside_access_in deny ip any

access-list inside_access_in permit ip any any

At the moment I do not have "nat (inside) 0 access-list inside_access_in" and everything seems to work fine. I can access the internet, access the machine at, but cannot see or access any other device on the 2.0/24 network, which is exactly how I want it.

Mind you, I have this set up at the moment at home. Now I just have to switch from DHCP to static on the outside interface and switch from PAT to NAT. I am going to need to be able to access several devices from within the 2.0/24 network to inside the firewall's 3.0/24 network (wireless controller, etc.). I assume then that this should not cause a problem, as the access list was the key to my problems and not anything to do with NAT or PAT, or anything else?
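The reply above and the earlier one from the engineers both turn on the same point: PIX access lists are evaluated top to bottom and the first matching entry wins, so the "permit host" line must sit above the "deny subnet" line or the webserver exception never fires. The following is an added illustration, not configuration from this thread or from Cisco, that models that first-match evaluation in Python and checks the wireless-to-LAN policy against both the correct ordering and a mis-ordered one. The thread's real subnets were stripped from the page, so the addresses below are constructed placeholders from the RFC 5737 documentation ranges, and the `Ace`, `evaluate` and `check_policy` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 documentation ranges). The real
# subnets in the thread were stripped from the page, so these are assumptions.
LAN_NET = ipaddress.ip_network("192.0.2.0/24")          # stands in for the "2.0/24" business LAN
WIRELESS_NET = ipaddress.ip_network("198.51.100.0/24")  # stands in for the "3.0/24" wireless LAN
WEB_SERVER = ipaddress.ip_address("192.0.2.10")         # the one internal host wireless may reach
ANY = ipaddress.ip_network("0.0.0.0/0")                 # the "any" keyword of the ACL


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny', source network, destination network."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def host(addr) -> ipaddress.IPv4Network:
    """Equivalent of the ACL 'host x.x.x.x' keyword: a /32 network."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(acl, src: str, dst: str):
    """First-match evaluation as on the PIX: walk the entries in order and stop at
    the first one that matches; with no match the implicit deny at the end applies.
    Returns (action, index_of_matching_entry) with index None for the implicit deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, ace in enumerate(acl):
        if ace.matches(src_ip, dst_ip):
            return ace.action, index
    return "deny", None


# The ordering the thread arrives at: specific permit first, then deny the LAN,
# then permit everything else (the internet).
CORRECT_ACL = [
    Ace("permit", ANY, host(WEB_SERVER)),
    Ace("deny", ANY, LAN_NET),
    Ace("permit", ANY, ANY),
]

# Same three entries with the deny moved above the permit: the webserver
# exception is shadowed because the deny matches first.
MISORDERED_ACL = [
    Ace("deny", ANY, LAN_NET),
    Ace("permit", ANY, host(WEB_SERVER)),
    Ace("permit", ANY, ANY),
]


def check_policy(acl, client: str = "198.51.100.20") -> dict:
    """Exercise the three flows the poster cares about from one constructed
    wireless client: the permitted webserver, another LAN host, and the internet."""
    return {
        "web_server": evaluate(acl, client, str(WEB_SERVER))[0],
        "other_lan_host": evaluate(acl, client, "192.0.2.50")[0],
        "internet": evaluate(acl, client, "203.0.113.5")[0],
    }


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("misordered", MISORDERED_ACL)):
        print(name, check_policy(acl))
```

The simulation covers only entry order; it does not model which interface and direction the list is bound to, which the earlier reply stresses (incoming on the interface facing the wireless network), nor NAT, which the poster's own test suggests was not the cause of the problem.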

New Member

Re: PIX ACL issue - Deny Internal Access to External Network

If the wireless network should be treated as hostile, why did you decide to make the interface the "inside" interface on the PIX? Shouldn't you make it the outside interface?
