Posted on 2008-11-08
Last Modified: 2012-05-05
Hi everyone, I have a PIX 515 with a 4-port switch integrated. I need to limit the Internet traffic from inside to outside.
This is my config:

gotten(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list INSIDE-OG-OUTWAN; 4 elements
access-list INSIDE-OG-OUTWAN line 1 deny ip any any (hitcnt=35)
access-list INSIDE-OG-OUTWAN line 2 permit tcp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 2 permit tcp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 3 permit udp object-group RED-OG any eq domain
access-list INSIDE-OG-OUTWAN line 3 permit udp any eq domain (hitcnt=0)
access-list INSIDE-OG-OUTWAN line 4 permit tcp object-group RED-OG any eq www
access-list INSIDE-OG-OUTWAN line 4 permit tcp any eq www (hitcnt=0)

But obviously it does not let me access the Internet.

My Internet is on eth0 with security 0, "OUTSIDE".
INSIDE-OG-OUTWAN is security 90,
and the ACL is applied on interface INSIDE-OG.

Question by: puchito

    Accepted Solution

    The Cisco PIX firewalls and the new Cisco ASA firewalls all use "top-down" processing when checking access-list statements.  When a packet comes into the interface, the firewall will check the packet against the first statement in the access-list.  If it finds a match, the firewall will either allow or deny the packet based on the access-list statement and then it will exit out of the access-list.

    So, in looking at your INSIDE-OG-OUTWAN access-list, your very first statement is "deny ip any any".  This statement tells the PIX to deny all IP traffic from any inside host to any outside host.  Notice that this statement is the only statement in the access-list that has been accumulating hits.  This is because this statement is the very first element in your access-list.  So, the PIX will always be able to match this statement and the access-list processing will stop at this point; your other statements will never be checked.

    Keep in mind that when you define an access-list and then apply it to an interface, there will always be an implicit deny at the end of the access-list.  This means that if the firewall checks a packet against all of the statements in your access-list and it couldn't find a match, that packet will be dropped.  It is certainly acceptable to explicitly configure a "deny ip any any" statement at the end of an access-list but it is not necessary to do so.

    In your config, I would remove that "deny ip any any" statement from your INSIDE-OG-OUTWAN access-list.  That should allow the PIX to start checking packets against your domain and www statements in the access-list.

    I hope this helps!
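
    The top-down, first-match behaviour described in this answer, as an added illustration that is not part of the original thread: a small Python model of the INSIDE-OG-OUTWAN access-list, evaluated once with the "deny ip any any" entry in line 1 and once without it. The RED-OG member addresses and the sample flows are constructed for the example; the hit counters behave like the hitcnt values in the question's output.

```python
"""First-match ACL model of the PIX access-list INSIDE-OG-OUTWAN from the question."""
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple


@dataclass
class Ace:
    """One access-list entry. None for src or dport means 'any'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Optional[Set[str]]     # object-group members, or None for any
    dport: Optional[int]        # destination port, or None for any
    hitcnt: int = 0

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src is not None and src not in self.src:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """Walk the list top-down; the first matching entry decides and processing stops."""
    for ace in acl:
        if ace.matches(proto, src, dport):
            ace.hitcnt += 1
            return ace.action
    return "deny"  # implicit deny at the end of every applied access-list


RED_OG = {"10.1.1.10", "10.1.1.11"}  # constructed members of object-group RED-OG


def build_acl(deny_first: bool) -> List[Ace]:
    acl = [Ace("deny", "ip", None, None)] if deny_first else []   # line 1 in the question
    acl += [Ace("permit", "tcp", RED_OG, 53),   # line 2: tcp ... eq domain
            Ace("permit", "udp", RED_OG, 53),   # line 3: udp ... eq domain
            Ace("permit", "tcp", RED_OG, 80)]   # line 4: tcp ... eq www
    return acl


# constructed sample flows: (protocol, inside source, destination port)
TRAFFIC = [("udp", "10.1.1.10", 53), ("tcp", "10.1.1.11", 80),
           ("tcp", "10.1.1.10", 443), ("tcp", "10.1.1.99", 80)]


def run(deny_first: bool) -> Tuple[List[str], List[int]]:
    """Return the verdict per flow and the per-line hit counters."""
    acl = build_acl(deny_first)
    verdicts = [evaluate(acl, *flow) for flow in TRAFFIC]
    return verdicts, [ace.hitcnt for ace in acl]
```

    With the deny in line 1 every flow is dropped and only that line accumulates hits, exactly the pattern in the question's hitcnt output; with it removed, DNS and web from RED-OG members are permitted and everything else falls through to the implicit deny.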

    Author Closing Comment

    Thanks for the solution... but most importantly... thanks for the explanation.