

Hi everyone, I have a PIX 515 with a 4-port switch integrated. I need to limit the internet traffic from inside to outside.
This is my config:

gotten(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list INSIDE-OG-OUTWAN; 4 elements
access-list INSIDE-OG-OUTWAN line 1 deny ip any any (hitcnt=35)
access-list INSIDE-OG-OUTWAN line 2 permit tcp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 2 permit tcp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 3 permit udp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 3 permit udp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 4 permit tcp object-group RED-OG any eq www
access-list INSIDE-OG-OUTWAN line 4 permit tcp any eq www (hitcnt=0)

But obviously it does not let me access the Internet.

My internet is on eth0 with security 0 "OUTSIDE".
INSIDE-OG-OUTWAN is security 90
and the ACL is applied on interface INSIDE-OG.

1 Solution


The Cisco PIX firewalls and the new Cisco ASA firewalls all use "top-down" processing when checking access-list statements.  When a packet comes into the interface, the firewall will check the packet against the first statement in the access-list.  If it finds a match, the firewall will either allow or deny the packet based on the access-list statement and then it will exit out of the access-list.

So, in looking at your INSIDE-OG-OUTWAN access-list, your very first statement is "deny ip any any".  This statement tells the PIX to deny all IP traffic from any inside host to any outside host.  Notice that this statement is the only statement in the access-list that has been accumulating hits.  This is because this statement is the very first element in your access-list.  So, the PIX will always be able to match this statement and the access-list processing will stop at this point; your other statements will never be checked.

Keep in mind that when you define an access-list and then apply it to an interface, there will always be an implicit deny at the end of the access-list.  This means that if the firewall checks a packet against all of the statements in your access-list and it couldn't find a match, that packet will be dropped.  It is certainly acceptable to explicitly configure a "deny ip any any" statement at the end of an access-list but it is not necessary to do so.

In your config, I would remove that "deny ip any any" statement from your INSIDE-OG-OUTWAN access-list.  That should allow the PIX to start checking packets against your domain and www statements in the access-list.

I hope this helps!
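To make the top-down behaviour concrete, here is a small simulator of PIX/ASA access-list evaluation. It is an added example, not code from the original post or from Cisco: it models the four entries of INSIDE-OG-OUTWAN as posted, evaluates constructed packets against them first-match-wins, reports per-line hit counts the way "show access-list" does, and flags entries that can never be reached because an earlier entry covers everything they match. The membership of RED-OG is not given on the page, so the two inside addresses used here are assumed.

```python
"""Simulate first-match ("top-down") evaluation of a PIX/ASA access-list.

Added example; the access-list entries are the ones posted above, the packets
and the RED-OG membership are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed members of the poster's RED-OG object-group (not listed on the page).
OBJECT_GROUPS: Dict[str, set] = {"RED-OG": {"192.168.1.10", "192.168.1.11"}}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry. proto "ip" matches any protocol."""
    action: str           # "permit" or "deny"
    proto: str
    src: str              # "any" or an object-group name
    dst: str              # "any" or a host address
    dport: Optional[int] = None


# The access-list exactly as posted (line 1 .. line 4).
POSTED_ACL: List[Ace] = [
    Ace("deny", "ip", "any", "any"),
    Ace("permit", "tcp", "RED-OG", "any", 53),   # domain
    Ace("permit", "udp", "RED-OG", "any", 53),   # domain
    Ace("permit", "tcp", "RED-OG", "any", 80),   # www
]

# The fix suggested in the answer: drop the leading "deny ip any any".
FIXED_ACL: List[Ace] = POSTED_ACL[1:]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True if the entry's protocol, source, destination and port all cover pkt."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and pkt.src not in OBJECT_GROUPS[ace.src]:
        return False
    if ace.dst != "any" and pkt.dst != ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; return (action, 1-based line) of the first match.

    A line of None means no entry matched and the implicit deny applied.
    """
    for line, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", None


def hit_counts(acl: List[Ace], packets: List[Packet]) -> Dict[object, int]:
    """Per-line hit counters, as 'show access-list' would display them."""
    counts: Dict[object, int] = {line: 0 for line in range(1, len(acl) + 1)}
    counts["implicit"] = 0
    for pkt in packets:
        _, line = evaluate(acl, pkt)
        counts[line if line is not None else "implicit"] += 1
    return counts


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    return (
        (earlier.proto == "ip" or earlier.proto == later.proto)
        and (earlier.src == "any" or earlier.src == later.src)
        and (earlier.dst == "any" or earlier.dst == later.dst)
        and (earlier.dport is None or earlier.dport == later.dport)
    )


def shadowed_lines(acl: List[Ace]) -> List[int]:
    """Lines that can never be reached because an earlier line covers them."""
    return [
        i for i, ace in enumerate(acl, start=1)
        if any(covers(prev, ace) for prev in acl[: i - 1])
    ]


# Constructed sample traffic: DNS and HTTP from a RED-OG host, HTTPS from the
# same host, and DNS from a host that is not in RED-OG.
SAMPLE_PACKETS = [
    Packet("udp", "192.168.1.10", "8.8.8.8", 53),
    Packet("tcp", "192.168.1.10", "93.184.216.34", 80),
    Packet("tcp", "192.168.1.11", "93.184.216.34", 443),
    Packet("udp", "10.0.0.5", "8.8.8.8", 53),
]

if __name__ == "__main__":
    print("posted:", hit_counts(POSTED_ACL, SAMPLE_PACKETS),
          "shadowed:", shadowed_lines(POSTED_ACL))
    print("fixed: ", hit_counts(FIXED_ACL, SAMPLE_PACKETS),
          "shadowed:", shadowed_lines(FIXED_ACL))
```

With the list as posted, every sample packet is counted against line 1 and lines 2-4 are reported as shadowed, which is exactly the picture in the poster's "show access-list" output (hitcnt=35 on line 1, 0 everywhere else). With the leading deny removed, DNS and HTTP from RED-OG hosts are permitted on their own lines, while HTTPS and traffic from hosts outside RED-OG fall through to the implicit deny, so the explicit "deny ip any any" was never needed for that.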
puchito (Author) commented:
Thanks for the solution... but most important... thanks for the explanation.

