The intent is to allow 10.223.x.x hosts restrited access to only those hosts listed under acl-150. Hosts on th LAN segment will never initiate connections to 10.233.x.x. When I apply access-group 150 in on the WAN (10.233.0.7) interface - acl-150 as defined blocks all traffic in either direction - even if I source ping 10.233.x.x from the WAN (10.233.x.x) interface. When I remove the access-group - traffic flows in both dirctions, but obviously there are no rstrictions in place per acl-150. Thanks for your help.

Sorry, I thought maybe your 10.223.0.0/24 subnet was the source subnet.

The access list entries are exclusively allowing source subnet 10.223.0.0/24, which means any other subnet mask would not be allowed. Is the subnet mask on the router a /24?

Sorry again, I thought 10.233.0.0 might be the DESTINATION subnet, not the source subnet. However, I am still wondering about the subnet mask. Are you possibly expecting the 10.233.0.0/16 to be allowed through?

No. 10.223.x.x/24 is the source subnet - that won't change. I just need to restrict their access to only the IPs listed in acl-150 - block all other access. but when I apply the 'access-group 150 in' on the source interface (10.223.0.7) traffic is blocked in both directions. Either acl-150 is defined incorrectly or it's being applied on the wrong interface or wrong dirction - or a combination of the above. Thanks.

The access list is specifying that you have devices with host addresses in the 10.233.0.0/24 range that are on the WAN side of your router. They need access to the destination hosts specified in your access list. The traffic originates on the side of the WAN interface, comes through the WAN interface on the router to those specific destination hosts, which I assume are on internal LANs.

Do you have a diagram of your setup and/or a sanitized configuration of the router?

Thanks for all of your help. I just needed to add either of the two rules below:

access-list 150 permit ip 10.233.0.0 0.0.0.255 host 10.233.0.7

or two restrict it down to icmp only:

access-list 150 permit icmp any any

just before the access-list 150 deny any any

works like a charm. Thanks again.

The first additional rule allows your clients on 10.233.0.0/24 to reach the WAN interface on your router, which you had indicated was not reachable.

The second rule accomplishes the same objective, allowing pings to your router's WAN interface.

For what it's worth, you may want to consider not using the ICMP filter since it opens up your internal network to all types of ICMP traffic from any source, which could have security ramifications. If you don't need to ping anything except the specific internal hosts and your router's WAN interface I would just add the first rule.

I removed icmp rule and added back the first rule. Thank for all your help.