Will this block everything else or do we need to add the deny ip any any at the end?

Thanks for the quick response!

Molinek.

It won't except the NAT statement that you have here and I have to traffic at all if I enter the:

access-group inside_out in interface inside

I have to enter it with "outside" to get traffic flowing. See below:

PUBLIC-FW-4THFL# config t

PUBLIC-FW-4THFL(config)# clear access-list ACL-OUT

PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 80

PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 443

PUBLIC-FW-4THFL(config)# access-group inside_out in interface inside

PUBLIC-FW-4THFL(config)# clear nat

PUBLIC-FW-4THFL(config)# sh nat

PUBLIC-FW-4THFL(config)# nat (inside) 1 inside_out

ERROR: invalid IP address

Usage: [no] nat [()] [

[dns] [outside]

[ [emb_limit> []]]]

[no] nat [(if_name)] 0 [access-list [outside]]

PUBLIC-FW-4THFL(config)# nat (inside) 1 access-list inside_out

WARNING: access-list protocol or port will not be used

ERROR: invalid nat ID, <1>, with access-list

Usage: [no] nat [()] [

[dns] [outside]

[ [emb_limit> []]]]

[no] nat [(if_name)] 0 [access-list [outside]]

PUBLIC-FW-4THFL(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PUBLIC-FW-4THFL(config)# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname PUBLIC-FW-4THFL

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside_out permit tcp any any eq www

access-list inside_out permit tcp any any eq https

pager lines 24

logging history errors

mtu outside 1500

mtu inside 1500

ip address outside XX.XXX.XXX.XX 255.255.255.240

ip address inside 10.0.1.254 255.255.255.0

ip audit name Protection attack action alarm drop reset

ip audit interface outside Protection

ip audit interface inside Protection

ip audit info action alarm

ip audit attack action alarm

ip audit signature 2004 disable

pdm history enable

arp timeout 14400

The PIX (6.3.1) would not take that "nat (inside) 1 access-list inside_out" command. But, I got it to work like this:

access-list inside_out permit tcp any any eq www

access-list inside_out permit tcp any any eq https

access-list inside_out permit udp any any eq 4500

access-list inside_out permit udp any any eq 53

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 1 finger

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 81 442

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range https 65000

access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 1 4499

access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 4501 10000

pager lines 24

logging on

logging buffered errors

logging history errors

mtu outside 1500

mtu inside 1500

ip address outside 12.152.202.98 255.255.255.240

ip address inside 10.0.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thanks for the help, you pointed me in the right direction.