I provide dial-up access to users in the field through a 2811 router on my network. I need to create an access-list that severely limits access to my LAN but still allows them to get to my firewall and out to the world to access the Internet.

I have 4 internal networks they should not be able to access:

192.168.200.0/21

192.168.16.0/21

192.168.100.0/24

10.10.0.0/16

One internal network they should be able to access:

192.168.0.0/24

This is the current access-list I have in place (it is applied to my f0/0 LAN interface of the router outbound) but it is not working correctly:

permit tcp 192.168.216.0 0.0.0.225 host 192.168.200.210

permit tcp 192.168.216.0 0.0.0.255 192.168.0.0 0.0.0.255

permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53

permit udp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53

permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53

permit udp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53

permit icmp any any echo-reply

deny tcp 192.168.216.0 0.0.0.255 192.168.200.0 0.0.7.255

deny tcp 192.168.216.0 0.0.0.255 192.168.16.0 0.0.7.255

deny tcp 192.168.216.0 0.0.0.255 192.168.100.0 0.0.0.255

deny tcp 192.168.216.0 0.0.0.255 10.10.0.0 0.0.255.255

permit ip any any

I am not able to access websites that I have in the 192.168.0.0/24 network, but I can hit websites on the internet. The dial-in users are using my internal DNS servers and when I do an NSLookup for websites in my 192.168.0.0/24 subnet it comes back with the correct IP address so I know it can see it but it can't get there.

Any help is appreciated.