Showing results for 
Search instead for 
Did you mean: 

PIX -- Filtering outbound traffic?

Level 1
Level 1

Hello experts,

I am trying to filter some outbound traffic but becoming confused!

If  I have a network on the DMZ interface, eg, by default  the implicit rules allow all traffic on this network to the outside  interface but deny access to the inside interface.

If I want to block an address in the DMZ from outside access I can use....

access-list inside_access_in extended deny ip host any

.........but this overrides the implicit rule that allows  all traffic to the outside (lower security) interface and now all  traffic is blocked.

If I add...........

access-list inside_access_in extended permit ip host any any I am blocking only the one IP address but I have  overridden the 'deny any any' rule that stops traffic flowing to a  higher security interface.

How can I block a single address or subnet from the DMZ to the outside without permitting DMZ access to the inside?

Thanks for any help.

4 Replies 4

Cisco Employee
Cisco Employee

Hi Gavin,

The simplest way to do this is to put an explicit deny statement with a destination of your inside subnet inbound on the DMZ interface. For example, if your inside subnet is, the ACL on the DMZ interface would look like this:

access-list dmz_access_in deny ip host any
access-list dmz_access_in deny ip any
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz

The above ACL would prevent from getting to the outside, stop all hosts from accessing the inside subnet, and still allow all remaining access to the outside.

You could also do it using an outbound ACL on the inside interface, but this is much less commonly used. The ACL would look like this, which would deny any traffic from leaving the ASA on the inside interface that was sourced from a DMZ host, but allow all other traffic:

access-list inside_access_out deny ip any
access-list inside_access_out permit ip any any
access-group inside_access_out out interface inside

More information about the ACL configurations can be found here:

Hope that helps.


Thanks Mike,

It all makes perfect sense when someone else says it!

I found it confusing that once I had added my own ACL the implicit rules are overridden and in order to keep traffic flowing I had to add

permit ip any any

which seems contradictory to the implicit rule

deny ip any any

The outbound acl is interesting, must admit I have never seen that before. Can you still only have one acl per interface, either inbound or outbound or can you have one of each?



Hi Gavin,

You can have both inbound and outbound ACLs applied to the same interface. In most scenarios though, inbound ACLs are enough to acheive what you want to do.

Hope that helps.


Cisco Employee
Cisco Employee

Removing duplicate post.

Message was edited by: mirober2

Review Cisco Networking products for a $25 gift card