Cisco Support Community
New Member

ACL assigned in interface inside stops traffic

Hi, I found that on a PIX 501 I defined a 1 line ACL on inside interface:

access-list acl_inside permit TCP host inside-host host ext-host

and then when I added:

access-group acl_inside in interface inside

the users could not access anything outside of the network.

Why would this be?

4 REPLIES
Hall of Fame Super Blue

Re: ACL assigned in interface inside stops traffic

Hi

Once you apply an access-list on an interface there is an implicit deny at the end of the access-list.

So by adding that one line access-list you have effectively blocked all traffic except the traffic allowed in your one line. Although even this line is missing a tcp port number at the end of the line.

HTH

Jon

New Member

Re: ACL assigned in interface inside stops traffic

Hi, so I should at least add a 2nd line to allow all ip traffic from the internal network address to an external network address.

E.g. this is a branch office with a VPN tunnel to HQ.

So I should add an ACL on the inside interface to permit ip from the branch office address to the HQ network address.

Hall of Fame Super Blue (Accepted Solution)

Re: ACL assigned in interface inside stops traffic

Hi

If you do not want to restrict traffic from your branch office to any destination then you don't need an access-list on the inside interface.

If you do want to restrict the branch office traffic then yes you will need to add in all the permitted traffic to your access-list.

HTH

Jon

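To make the two points in this thread concrete (the implicit deny that a one-line inside ACL introduces, and the extra permit for branch-to-HQ traffic that the follow-up asks about), here is an added example of my own, not code from the thread or from Cisco. It parses PIX-style access-list lines in the syntax used above and evaluates sample flows with first-match semantics and an implicit deny at the end. The addresses (branch LAN 192.168.10.0/24, HQ LAN 10.1.0.0/16, host 192.168.10.50, external host 203.0.113.10) and the flows are constructed for the demonstration; they are assumptions, not values from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (assumptions, not from the thread):
#   branch LAN   192.168.10.0/24     HQ LAN        10.1.0.0/16
#   inside host  192.168.10.50       external host 203.0.113.10


@dataclass
class Ace:
    """One access control entry from an 'access-list' line."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a real netmask (not a wildcard): 192.168.10.0 255.255.255.0
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3].lower()
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def load_acl(lines: List[str]) -> List[Ace]:
    """Build an ordered ACL from access-list lines (order matters: first match wins)."""
    return [parse_ace(line)[1] for line in lines]


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching_line_number). No match -> implicit deny, line None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None      # the implicit deny at the end of every ACL


# The one-line ACL from the question, with constructed hosts filled in.
ONE_LINE_ACL = [
    "access-list acl_inside permit TCP host 192.168.10.50 host 203.0.113.10",
]

# The same ACL plus the branch-to-HQ permit the follow-up asks about.
FIXED_ACL = ONE_LINE_ACL + [
    "access-list acl_inside permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0",
]

# Constructed flows leaving the inside interface: (proto, src, dst, dport).
SAMPLE_FLOWS = [
    ("tcp", "192.168.10.50", "203.0.113.10", 443),   # the one permitted pair
    ("tcp", "192.168.10.20", "10.1.5.7", 445),       # another branch host to HQ
    ("udp", "192.168.10.20", "198.51.100.53", 53),   # branch host to internet DNS
]


def check_flows(acl_lines: List[str]) -> List[Tuple[str, Optional[int]]]:
    """Evaluate every sample flow against an ACL; used by the demo below."""
    acl = load_acl(acl_lines)
    return [evaluate(acl, *flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, lines in (("one-line ACL", ONE_LINE_ACL), ("fixed ACL", FIXED_ACL)):
        print(label)
        for flow, (action, n) in zip(SAMPLE_FLOWS, check_flows(lines)):
            where = f"line {n}" if n else "implicit deny"
            print(f"  {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {action} ({where})")
```

With the one-line ACL, only the first flow is permitted; every other flow, including the branch-to-HQ file share, falls through to the implicit deny, which is exactly the "users could not access anything" symptom. The fixed ACL permits branch-to-HQ traffic on line 2, while internet DNS from the branch still hits the implicit deny, so each class of traffic you want to allow needs its own permit line, as Jon says.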
New Member

Re: ACL assigned in interface inside stops traffic

Thanks for your advice.
