Cisco Support Community


ACL for Local Lan to Internet


I would like to filter the traffic of my clients on the local LAN so that they can access the Internet only with these protocols: http, https and dns query (only from IP

I have tried to configure an ACL in my PIX and this is my sample configuration, but it does not work.


: Saved
: Written by enable_15 at 19:04:43.669 GMT Wed Sep 28 2005
PIX Version 7.0(2)
name IperRouter
name IperSwitch1
name RouterISPTelecom
name LocalLAN
interface Ethernet0
 description Interfaccia Interna LOCAL
 nameif inside
 security-level 100
 ip address
interface Ethernet1
 description Interfaccia Esterna PUBBLIC
 nameif outside
 security-level 0
 ip address
enable password xxxx
passwd xxxx
hostname IperPIX
ftp mode passive
clock timezone GMT 1
object-group service USER-SERVICE tcp
 port-object eq www
 port-object eq domain
 port-object eq https
access-list inside_out extended permit tcp any object-group USER-SERVICE
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group inside_out in interface inside
route outside RouterISPTelecom 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx privilege 15
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet inside
telnet timeout 60
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end



Re: ACL for Local Lan to Internet


You mean to say it should be going online with object-group USER-SERVICE, right? Then this would help:

#access-list inside_out extended permit tcp host any object-group USER-SERVICE


Re: ACL for Local Lan to Internet

I think you mixed up UDP 53 (DNS query) with DNS zone transfer TCP 53. That's why this does not work!!

Add this line to your access-list:

access-list inside_out extended permit udp any eq 53

Do not forget to remove zone transfer TCP 53 in the object group.
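To see why the original access-list cannot match a DNS lookup, here is a small model of PIX/ASA extended-ACL matching run over the poster's rules and the second reply's fix. This is an added example, not the poster's configuration and not Cisco code: it parses only the subset of syntax used here (a service object-group, `any` source and destination, and an `eq PORT` or `object-group NAME` destination port), ignores addresses entirely, and uses `any any` as a stand-in for the source and destination that were stripped from the posted lines (an assumption). The client flows are constructed sample values.

```python
"""Model of PIX/ASA extended-ACL matching (added illustration, not Cisco code).

Shows that a rule written for 'tcp ... object-group USER-SERVICE' never
matches a DNS query, which is UDP/53, and that a bound ACL ends in an
implicit deny.  Supports only the syntax subset used in the samples below.
"""
from dataclasses import dataclass
from typing import Optional

# PIX port keywords used on this page, resolved to numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


def port_number(token):
    """Resolve a PIX port keyword or numeric string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    dst_ports: Optional[frozenset]  # None means any destination port

    def matches(self, proto, dst_port):
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_ports is None or dst_port in self.dst_ports


def parse_config(text):
    """Return {acl_name: [Ace, ...]} from object-group and access-list lines."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "service"]:
            current = tok[2]                       # object-group service NAME tcp
            groups[current] = set()
        elif tok[0] == "port-object" and current is not None:
            groups[current].add(port_number(tok[2]))   # port-object eq www
        elif tok[0] == "access-list":
            current = None
            name, action, proto = tok[1], tok[3], tok[4]
            spec = tok[7:]                         # what follows source and destination
            if not spec:
                ports = None
            elif spec[0] == "eq":
                ports = frozenset({port_number(spec[1])})
            elif spec[0] == "object-group":
                ports = frozenset(groups[spec[1]])
            else:
                raise ValueError(f"unsupported port spec: {raw!r}")
            acls.setdefault(name, []).append(Ace(action, proto, ports))
    return acls


def evaluate(acl, proto, dst_port):
    """First matching ACE wins; an ACL bound with access-group ends in implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst_port):
            return ace.action
    return "deny"


# Constructed sample: the poster's lines, with 'any any' standing in for the
# stripped source/destination (assumption).
ORIGINAL = """
object-group service USER-SERVICE tcp
 port-object eq www
 port-object eq domain
 port-object eq https
access-list inside_out extended permit tcp any any object-group USER-SERVICE
"""

# Constructed sample: the second reply's fix, a UDP/53 line added and
# tcp/domain removed from the group.
FIXED = """
object-group service USER-SERVICE tcp
 port-object eq www
 port-object eq https
access-list inside_out extended permit tcp any any object-group USER-SERVICE
access-list inside_out extended permit udp any any eq 53
"""

# Constructed client flows: (label, protocol, destination port).
FLOWS = [
    ("http", "tcp", 80),
    ("https", "tcp", 443),
    ("dns query", "udp", 53),
    ("dns zone transfer", "tcp", 53),
    ("smtp", "tcp", 25),
]


def decisions(config_text, acl_name="inside_out"):
    """Map each sample flow label to the ACL decision under config_text."""
    acl = parse_config(config_text)[acl_name]
    return {label: evaluate(acl, proto, port) for label, proto, port in FLOWS}


if __name__ == "__main__":
    for title, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(title)
        for label, verdict in decisions(cfg).items():
            print(f"  {label:18} {verdict}")
```

Under the original rules every client flow is TCP-matched, so the UDP/53 lookup hits nothing and falls through to the implicit deny that an ACL bound with `access-group ... in interface inside` carries; HTTP and HTTPS still work, which is why the failure looks like "only DNS is broken". The model deliberately covers only protocol and destination port: it does not check addresses, the stateful return path, or the `inspect dns maximum-length 512` policy that the poster's config also applies.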