Using ACL to block access to other internal networks

I have a Cisco 1900 router configured with 3 subinterfaces. I want one subinterface to only access the internet and not the other 2 interfaces. When I use access-group 130 in on the interface my users don't even get a DHCP lease, when I use access-group 130 out my clients can't reach any network. Any ideas on what I'm overlooking?

interface GigabitEthernet0/0.3
 encapsulation dot1Q 240
 ip address 192.168.240.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no cdp enable
!
access-list 130 deny   ip any 192.168.20.0 0.0.0.255
access-list 130 deny   ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any

Any help is much appreciated.

ACCEPTED SOLUTION

Re: Using ACL to block access to other internal networks

Apply this inbound as you have in the example.  Add the following to account for a DHCP request.  Remember the client doesn't have an IP address when it sends a DHCP request, so it won't match the 192.168.240.0/24 permit any line.

access-list 130 permit udp any any eq 67

If your DHCP server is in 192.168.20.0/24 or 192.168.33.0/24 then this line must occur at the beginning of the ACL.


Chris

3 REPLIES

Re: Using ACL to block access to other internal networks

Thanks Chris, that worked flawlessly!

Re: Using ACL to block access to other internal networks

You should use "access-group 130 in" based on your description.

Where is your DHCP server? You can change ACL 130 as follows and then check the log to see what is denied for DHCP. Then enable it accordingly.

access-list 130 deny   ip any 192.168.20.0 0.0.0.255
access-list 130 deny   ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any
access-list 130 deny   ip any any log
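The two replies above both come down to how IOS walks a numbered extended ACL: top to bottom, first match wins, and anything that matches nothing hits the implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation, using only the ACL syntax that appears in this thread (permit/deny, ip/udp, any or address-plus-wildcard, optional eq port and log). It replays the original poster's ACL, Chris's extra permit line placed at the end and at the start, and the explicit deny-with-log line, against constructed packets: a DHCP DISCOVER from 0.0.0.0 to 255.255.255.255, a unicast DHCP renewal to a hypothetical server at 192.168.20.5, an HTTPS flow to a documentation address 198.51.100.10, and an SMB attempt into 192.168.33.0/24. The packet values and the server address are assumptions for illustration.

```python
"""Model of Cisco IOS numbered extended ACL evaluation (first match, implicit deny).

Added example, not from the thread or from Cisco. Only the subset of syntax
used in the thread is parsed:
  access-list N permit|deny ip|udp|tcp <src> <dst> [eq PORT] [log]
where <src>/<dst> is 'any' or 'ADDRESS WILDCARD' (wildcard bit 1 = don't care).
"""
import ipaddress

FULL = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Parse 'any' or 'ADDRESS WILDCARD' at tokens[i]; return ((addr, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, FULL), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_ace(line):
    """Turn one 'access-list ...' line into a dict describing the entry."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    log = i < len(t) and t[i] == "log"
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "log": log, "text": line}


def _wild_match(ip, spec):
    """Cisco wildcard comparison: only bits where the wildcard is 0 must agree."""
    addr, wild = spec
    care = ~wild & FULL
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl_lines, pkt):
    """Walk the ACL top-down; return (action, matched line text).

    pkt is a dict with keys src, dst, proto ('udp'/'tcp') and dport.
    An 'ip' entry matches any protocol; no match at all is the implicit deny.
    """
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_wild_match(pkt["src"], ace["src"]) and _wild_match(pkt["dst"], ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# ACL variants from the thread (whitespace normalised).
ORIGINAL_ACL = [
    "access-list 130 deny ip any 192.168.20.0 0.0.0.255",
    "access-list 130 deny ip any 192.168.33.0 0.0.0.255",
    "access-list 130 permit ip 192.168.240.0 0.0.0.255 any",
]
DHCP_LINE = "access-list 130 permit udp any any eq 67"
ACL_DHCP_AT_END = ORIGINAL_ACL + [DHCP_LINE]      # Chris's line appended
ACL_DHCP_AT_START = [DHCP_LINE] + ORIGINAL_ACL    # Chris's line first
ACL_LOGGED_DENY = ORIGINAL_ACL + ["access-list 130 deny ip any any log"]

# Constructed packets (all values are illustrative assumptions).
DHCP_DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "dport": 67}
DHCP_RENEW_TO_20 = {"src": "192.168.240.50", "dst": "192.168.20.5", "proto": "udp", "dport": 67}
INTERNET_HTTPS = {"src": "192.168.240.50", "dst": "198.51.100.10", "proto": "tcp", "dport": 443}
CROSS_SUBNET_SMB = {"src": "192.168.240.50", "dst": "192.168.33.10", "proto": "tcp", "dport": 445}


if __name__ == "__main__":
    cases = [("original", ORIGINAL_ACL), ("dhcp line at end", ACL_DHCP_AT_END),
             ("dhcp line at start", ACL_DHCP_AT_START), ("explicit deny log", ACL_LOGGED_DENY)]
    pkts = [("DHCP DISCOVER", DHCP_DISCOVER), ("DHCP renew -> .20 server", DHCP_RENEW_TO_20),
            ("HTTPS to internet", INTERNET_HTTPS), ("SMB into .33", CROSS_SUBNET_SMB)]
    for name, acl in cases:
        print(f"== {name}")
        for label, pkt in pkts:
            action, why = evaluate(acl, pkt)
            print(f"  {label:28} {action:6} ({why})")
```

Running it shows the behaviour the thread describes: under the original ACL the DISCOVER (source 0.0.0.0) matches no permit and falls to the implicit deny, so clients never get a lease, while internet traffic is permitted and the cross-subnet attempt is denied by the second line. With Chris's line at the end, the broadcast DISCOVER is permitted, but a unicast renewal to a DHCP server inside 192.168.20.0/24 is still caught by the first deny, which is exactly why he says the line must go first when the server lives in one of the blocked networks. The explicit `deny ip any any log` changes no decision, it only makes the final drop visible in the log so you can see which DHCP packets are being refused before deciding what to permit.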
