Cisco Support Community

New Member

Block access from other subnets 2921 router

Good day,

I have a 2921 router...

I got many subnets on network.. What I want to do is block access to one of my networks and allow all other subnets to browse the web.

I have;

192.168.4.0/24

10.20.50.0/24

10.20.40.0/24

10.20.30.0/24

10.20.60.0/24

I want to block access to 10.20.60.0 from all other networks while allowing them to access the internet

16 REPLIES

Block access from other subnets 2921 router

We may need more information. Are you wanting to do this on the router? Is the router split out into subinterfaces or are all of these subnets on one interface? Are these subnets on the lan or wan side? Do you have a L3 switch?

HTH,
John

*** Please rate all useful posts ***


Block access from other subnets 2921 router

My first question is, do you have any webapps that users use? Or would any site they visit be on the Internet?

The reason why I ask, is this could be done pretty quick.

Also, how are the interfaces laid out? Do you have a single inside LAN interface and an outside WAN interface?

Hall of Fame Super Blue

Re: Block access from other subnets 2921 router

Johns,

Have to nip out but it is subinterfaces on the LAN interface of the 2921 for each subnet.

No L3 switch inter vlan routing. 2921 connected to internal L2 switch on LAN and WAN interface connects to ASA inside interface.

Over to you

Jon

Re: Block access from other subnets 2921 router

Lol! What? How did you get all of that from this post??

HTH,
John

*** Please rate all useful posts ***


Block access from other subnets 2921 router

Jon,

This is a John-only thread, please remove yourself. We don't need any "Jons".

Block access from other subnets 2921 router

There are a lot of Johns here.

HTH,
John

*** Please rate all useful posts ***

Hall of Fame Super Blue

Re: Block access from other subnets 2921 router

John

This is a John-only thread, please remove yourself. We don't need any "Jons".

Message received and understood. I'll just quietly disappear....

Jon

Hall of Fame Super Blue

Re: Block access from other subnets 2921 router

Lol! What? How did you get all of that from this post??

I thought it was pretty obvious myself

I helped Roger reconfigure his network in a couple of rather long posts a while back, so I remember it. Come to think of it, I'm not sure about the 192.168.4.0/24 network being a subinterface, so I'll check one of the posts.

Jon

Block access from other subnets 2921 router

If what "Jon" said is correct you could do something like the following.

ip access-list extended VLAN20_ACL
 deny ip 10.20.50.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN30_ACL
 deny ip 10.20.40.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
!
! Each user subnet needs its own uniquely named ACL (the post as first written
! reused the name VLAN20_ACL for all four). VLAN40_ACL and VLAN50_ACL are
! placeholder names; use whatever matches the real VLAN of each subnet.
ip access-list extended VLAN40_ACL
 deny ip 10.20.30.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN50_ACL
 deny ip 192.168.4.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
!
! Apply each ACL inbound on the interface that carries the matching source
! subnet. On a 2921 with subinterfaces that would be e.g. GigabitEthernet0/0.20
! rather than "int vlan 20"; the IOS syntax is "ip access-group <name> in".
int vlan 20
 ip access-group VLAN20_ACL in
int vlan 30
 ip access-group VLAN30_ACL in
int vlan 40
 ip access-group VLAN40_ACL in
int vlan 50
 ip access-group VLAN50_ACL in

Now technically, 10.20.60.0/24 could still get to the other subnets, but the return traffic would be blocked.

And you could always change the permit ip any any to just HTTP traffic, etc. Depends on what you want to do.

Although, if traffic has to go up to the ASA to get back to the other subnets, it might be a better idea to configure ACLs on the firewall. It would be easier to manage that way.
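To see what the per-subnet inbound ACLs above actually do, here is an added Python model (not from the thread and not Cisco code) of IOS first-match, wildcard-mask ACL evaluation applied inbound on each subinterface. It reproduces the one-way block and the stateless return-traffic caveat described in the post; the ingress mapping, the WAN catch-all and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's design: an IOS extended ACL is a list of
# (action, src, src_wildcard, dst, dst_wildcard) entries, evaluated first-match,
# with the implicit "deny ip any any" at the end. "any" = 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
PROTECTED = ("10.20.60.0", "0.0.0.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def deny_to_protected(src_base):
    """One ACL per user subnet, as posted: deny src -> 10.20.60.0/24, permit the rest."""
    return [("deny", src_base, "0.0.0.255", *PROTECTED), ("permit", *ANY, *ANY)]


# Inbound ACL per ingress subnet (the router subinterface that subnet lives on).
# The protected subnet and the WAN side carry no ACL, exactly as in the posted config.
INBOUND = [
    ("10.20.50.0/24", deny_to_protected("10.20.50.0")),
    ("10.20.40.0/24", deny_to_protected("10.20.40.0")),
    ("10.20.30.0/24", deny_to_protected("10.20.30.0")),
    ("192.168.4.0/24", deny_to_protected("192.168.4.0")),
    ("10.20.60.0/24", None),
    ("0.0.0.0/0", None),  # constructed: anything else enters from the WAN/ASA side
]


def forward(src, dst):
    """Decision the router makes for one packet entering from src's subnet."""
    ip = ipaddress.IPv4Address(src)
    for net, acl in INBOUND:
        if ip in ipaddress.ip_network(net):
            return "permit" if acl is None else evaluate(acl, src, dst)


def conversation_works(client, server):
    """Stateless ACLs: a TCP session only works if both directions are permitted."""
    return forward(client, server) == "permit" and forward(server, client) == "permit"
```

Packets from 10.20.60.x into the other subnets are still permitted, but their replies are dropped inbound on those subinterfaces, which is exactly the caveat the post describes.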

Re: Block access from other subnets 2921 router

Sorry to interrupt, Johns,

but I would use the VRF-lite feature here: just put subnet 10.20.60.0/24 into a VRF and you don't have to maintain a number of ACLs.

Best Regards

Please rate all helpful posts and close solved questions

Hall of Fame Super Blue

Block access from other subnets 2921 router

Okay, here is a link to the network layout, although it is not as I remember it (i.e. it isn't showing most of the subnets mentioned), so it's probably best to wait on Roger to confirm where the subnets actually are -

https://supportforums.cisco.com/thread/2264234

Apologies if I confused the issue.

Jon

Re: Block access from other subnets 2921 router

Thanks for that, Jon. You cleared the issue up, and it looks like John Tyler has given a correct answer. Technically this should be all that's needed.

HTH,
John

*** Please rate all useful posts ***

Hall of Fame Super Blue

Re: Block access from other subnets 2921 router

I think I just managed to confuse the issue.

The idea was that I needed to do something else, and if there were multiple posts I might not be around to reply, so I just wanted to help get a quicker response for Roger.

Looking at the diagram it looks more complex, because I don't think all the subnets are on the router, so an ACL applied outbound to the 10.20.60.x VLAN/IP subnet might be easier, although it's hard to say without more details.

Jon

New Member

Block access from other subnets 2921 router

WOW... I stepped out to lunch and got all of this, lol. Thanks for the help... Let me take a good look at those ACLs...

New Member

Block access from other subnets 2921 router

Just one question, why did you call int Vlan_20? My data network is vlan 10, vlan 20 is ip telephony..

Block access from other subnets 2921 router

It was probably a typo.
