Hi everyone, I have a PIX 515 with a 4-port switch integrated. I need to limit the Internet traffic from inside to outside.
This is my config:

gotten(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list INSIDE-OG-OUTWAN; 4 elements
access-list INSIDE-OG-OUTWAN line 1 deny ip any any (hitcnt=35)
access-list INSIDE-OG-OUTWAN line 2 permit tcp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 2 permit tcp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 3 permit udp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 3 permit udp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 4 permit tcp object-group RED-OG any eq www
access-list INSIDE-OG-OUTWAN line 4 permit tcp any eq www (hitcnt=0)

But obviously it does not let me access the Internet.

My Internet is on eth0 with security 0, "OUTSIDE".
INSIDE-OG-OUTWAN is security 90,
and the ACL is applied to interface INSIDE-OG.


The Cisco PIX firewalls and the new Cisco ASA firewalls all use "top-down" processing when checking access-list statements.  When a packet comes into the interface, the firewall will check the packet against the first statement in the access-list.  If it finds a match, the firewall will either allow or deny the packet based on the access-list statement and then it will exit out of the access-list.

So, in looking at your INSIDE-OG-OUTWAN access-list, your very first statement is "deny ip any any".  This statement tells the PIX to deny all IP traffic from any inside host to any outside host.  Notice that this statement is the only statement in the access-list that has been accumulating hits.  This is because this statement is the very first element in your access-list.  So, the PIX will always be able to match this statement and the access-list processing will stop at this point; your other statements will never be checked.

Keep in mind that when you define an access-list and then apply it to an interface, there will always be an implicit deny at the end of the access-list.  This means that if the firewall checks a packet against all of the statements in your access-list and it couldn't find a match, that packet will be dropped.  It is certainly acceptable to explicitly configure a "deny ip any any" statement at the end of an access-list but it is not necessary to do so.

In your config, I would remove that "deny ip any any" statement from your INSIDE-OG-OUTWAN access-list.  That should allow the PIX to start checking packets against your domain and www statements in the access-list.

I hope this helps!
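To make the first-match behaviour concrete, here is a small simulator of the INSIDE-OG-OUTWAN access-list as it appears in the question. It is an added example, not code from the post or from Cisco; the members of object-group RED-OG and the test flows are constructed sample values, since the post does not list them.

```python
# Added example: top-down, first-match evaluation of the INSIDE-OG-OUTWAN
# access-list, showing why "deny ip any any" on line 1 shadows every later
# permit, and what changes once that line is removed.
from ipaddress import ip_network, ip_address

# Constructed stand-in for object-group RED-OG (the post does not list its members).
RED_OG = [ip_network("10.1.1.0/24")]

def in_red_og(src):
    return any(ip_address(src) in net for net in RED_OG)

# ACL entries as (action, proto, src_match, dst_port); None means "any".
# Same four lines, same order, as the 'sh access-list' output in the question.
ORIGINAL_ACL = [
    ("deny",   "ip",  None,      None),   # line 1: matches everything first
    ("permit", "tcp", in_red_og, 53),     # line 2: tcp ... eq domain
    ("permit", "udp", in_red_og, 53),     # line 3: udp ... eq domain
    ("permit", "tcp", in_red_og, 80),     # line 4: tcp ... eq www
]
FIXED_ACL = ORIGINAL_ACL[1:]   # the suggested fix: drop the leading deny

def evaluate(acl, proto, src, dport):
    """Walk the ACL top-down and stop at the first match.
    Returns (action, line); line 0 stands for the implicit deny at the end."""
    for line, (action, aproto, src_match, aport) in enumerate(acl, start=1):
        if aproto != "ip" and aproto != proto:      # "ip" covers every protocol
            continue
        if src_match is not None and not src_match(src):
            continue
        if aport is not None and aport != dport:
            continue
        return action, line
    return "deny", 0                                 # implicit deny

def compare(flows):
    """Evaluate each (proto, src, dport) flow against both versions of the ACL."""
    return [(f, evaluate(ORIGINAL_ACL, *f), evaluate(FIXED_ACL, *f)) for f in flows]

if __name__ == "__main__":
    # Constructed flows: web and DNS from a RED-OG host, HTTPS from it, web from outside RED-OG.
    flows = [("tcp", "10.1.1.20", 80), ("udp", "10.1.1.20", 53),
             ("tcp", "10.1.1.20", 443), ("tcp", "192.168.5.5", 80)]
    for f, before, after in compare(flows):
        print(f, "original:", before, "without line 1:", after)
```

With the original list every flow stops at line 1, which is why only that line accumulates hits; without it, DNS and www from RED-OG hosts are permitted and everything else falls through to the implicit deny.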

puchito (Author) commented:
Thanks for the solution... but most important, thanks for the explanation.
