Cisco Support Community

After an access list is added to the PIX outside interface, inbound traffic is no longer permitted.

Core issue

This configuration previously used conduit statements. If the configuration contains conduits to allow inbound traffic to the internal servers, and then an access list is applied to the outside interface, this overrides all of the conduit statements. One should use either access lists or conduits to permit inbound traffic into the internal (DMZ) networks, but do not use both.


At the end of every access list is an implicit deny ip any any statement. Therefore, if the access list does not explicitly permit inbound traffic, the traffic will be denied by default.

To fix the problem, migrate all of the conduit statements to the access list in the form of permit statements. Then remove the old conduit statements.


For more help with access lists on the PIX, see Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX.

PIX Syslogs

PIX-4-106023: Deny protocol src [inbound-interface]:[src_address/src_port] dst outbound-interface:dst_address/dst_port [type {type}, code {code}] by access_group access-list-name