Block access from other subnets 2921 router

Roger Richards
Level 1

Good day,

I have a 2921 router...

I have many subnets on the network. What I want to do is block access to one of my networks and allow all other subnets to browse the web.

I have:

192.168.4.0/24

10.20.50.0/24

10.20.40.0/24

10.20.30.0/24

10.20.60.0/24

I want to block access to 10.20.60.0 from all other networks while allowing them to access the internet.


John Blakley
VIP Alumni

We may need more information. Are you wanting to do this on the router? Is the router split out into subinterfaces, or are all of these subnets on one interface? Are these subnets on the LAN or WAN side? Do you have an L3 switch?

HTH,
John

*** Please rate all useful posts ***

JohnTylerPearce
Level 7

My first question is, do you have any webapps that users use? Or would any site they visit be on the Internet?

The reason I ask is that this could be done pretty quickly.

Also, how are the interfaces laid out? Do you have a single inside LAN interface and an outside WAN interface?

Jon Marshall
Hall of Fame

Johns,

I have to nip out, but it is subinterfaces on the LAN interface of the 2921 for each subnet.

No L3 switch for inter-VLAN routing. The 2921 is connected to an internal L2 switch on the LAN side, and the WAN interface connects to the ASA inside interface.

Over to you

Jon

Lol! What? How did you get all of that from this post??

HTH,
John

*** Please rate all useful posts ***

Jon,

This is a John-only thread, please remove yourself. We don't need any "Jons".

There are a lot of Johns here.

HTH,
John

*** Please rate all useful posts ***

John

This is a John-only thread, please remove yourself. We don't need any "Jons".

Message received and understood. I'll just quietly disappear.... 

Jon

Lol! What? How did you get all of that from this post??

I thought it was pretty obvious myself.

I helped Roger reconfigure his network in a couple of rather long posts a while back, so I remember it. Come to think of it, I'm not sure about the 192.168.4.0/24 network being a subinterface, so I'll check one of the posts.

Jon

If what "Jon" said is correct, you could do something like the following.

! Assumption (not stated in the thread): VLAN numbers follow the third octet of each
! 10.20.X0/24 subnet; the VLAN carrying 192.168.4.0/24 is not given, so "4" is a placeholder.
! Each ACL needs its own name and is applied inbound on the interface of its source subnet.
! On the 2921, the LAN subinterfaces Jon describes take the place of the "int vlan N" lines.
ip access-list extended VLAN50_ACL
 deny ip 10.20.50.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN40_ACL
 deny ip 10.20.40.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN30_ACL
 deny ip 10.20.30.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN4_ACL
 deny ip 192.168.4.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
!
int vlan 50
 ip access-group VLAN50_ACL in
int vlan 40
 ip access-group VLAN40_ACL in
int vlan 30
 ip access-group VLAN30_ACL in
int vlan 4
 ip access-group VLAN4_ACL in

Now technically, 10.20.60.0/24 could still get to the other subnets, but the return traffic would be blocked.

And you could always change the permit ip any any to just HTTP traffic, etc. Depends on what you want to do.

Although it might be a better idea to configure the ACLs on the firewall, if traffic has to go up to the ASA to get back to the other subnets. It would be easier to manage that way.
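The asymmetry John Tyler points out (a host in 10.20.60.0/24 can send the first packet to another subnet, but the reply is dropped by that subnet's inbound ACL) can be checked with a small simulator of the four ACLs. This is an added example in Python, not configuration or code from the thread; it models IOS wildcard-mask matching with first-match-wins and the implicit deny, and assumes VLAN names from the third octet of each 10.20.X0 subnet, with "VLAN4" as a placeholder label for 192.168.4.0/24 since the thread never states its VLAN.

```python
import ipaddress
# Added example (not from the thread) modelling the per-VLAN inbound ACL design. VLAN names are
# assumed from the third octet (10.20.X0 -> VLANX0); "VLAN4" for 192.168.4.0/24 is a placeholder.
SUBNETS = {
    "VLAN4": "192.168.4.0/24",
    "VLAN30": "10.20.30.0/24",
    "VLAN40": "10.20.40.0/24",
    "VLAN50": "10.20.50.0/24",
    "VLAN60": "10.20.60.0/24",   # the subnet to protect; no ACL applied here
}
PROTECTED = "10.20.60.0"
ANY = ("0.0.0.0", "255.255.255.255")   # "any" expressed as a base/wildcard pair

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care' (the inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def subnet_acl(base: str):
    """'deny ip <subnet> 0.0.0.255 10.20.60.0 0.0.0.255' followed by 'permit ip any any'."""
    return [("deny", (base, "0.0.0.255"), (PROTECTED, "0.0.0.255")),
            ("permit", ANY, ANY)]

# One inbound ACL per VLAN interface, except the protected VLAN itself.
INBOUND = {name: subnet_acl(net.split("/")[0])
           for name, net in SUBNETS.items() if name != "VLAN60"}

def ingress_vlan(addr: str):
    """VLAN interface on which a packet with this source address enters the router."""
    ip = ipaddress.IPv4Address(addr)
    for name, net in SUBNETS.items():
        if ip in ipaddress.IPv4Network(net):
            return name
    return None   # arrived from the WAN/ASA side; not modelled here

def forwarded(src: str, dst: str) -> bool:
    """True if the ingress interface's inbound ACL (if any) permits src -> dst."""
    acl = INBOUND.get(ingress_vlan(src))
    return acl is None or evaluate(acl, src, dst) == "permit"

def session_works(initiator: str, responder: str) -> bool:
    """A connection needs both directions; 10.20.60.x can send but never gets replies."""
    return forwarded(initiator, responder) and forwarded(responder, initiator)
```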

Sorry to interrupt, Johns,

but I would use the VRF-lite feature here: just put subnet 10.20.60.0/24 into a VRF and you don't have to maintain numbers of ACLs.

Best Regards

Please rate all helpful posts and close solved questions

Jon Marshall
Hall of Fame

Okay, here is a link to the network layout, although it is not as I remember it (i.e. it isn't showing most of the subnets mentioned), so it is probably best to wait on Roger to confirm where the subnets actually are -

https://supportforums.cisco.com/thread/2264234

Apologies if I confused the issue.

Jon

Thanks for that, Jon. You cleared the issue up, and it looks like John Tyler has given a correct answer. Technically this should be all that's needed.

HTH,
John

*** Please rate all useful posts ***

I think I just managed to confuse the issue.

The idea was that I needed to do something else, and if there were multiple posts I might not be around to reply, so I just wanted to help get a quicker response for Roger.

Looking at the diagram, it looks more complex because I don't think all the subnets are on the router, so an ACL applied outbound to the 10.20.60.x VLAN/IP subnet might be easier, although it's hard to say without more details.

Jon

WOW... I stepped out to lunch and got all of this, lol. Thanks for the help... Let me take a good look at those ACLs...
