New Member

Configuring Vlan for Internet access only

If I want to configure a VLAN to have access to the Internet only, would I write an ACL to permit only access to the internal IP of the firewall or the network address of the Internet VLAN?

  • Other Network Infrastructure Subjects
3 REPLIES
Cisco Employee

Re: Configuring Vlan for Internet access only

What you configure depends on where you apply the ACL. In general, if it's Internet only (i.e., not your internal net) then your ACL would deny your internal subnets and permit all else (i.e., Internet). An ACL for just the FW will limit access to the firewall IP only (i.e., nowhere else).

For example

PC----rtr---fw---Internet
       |
   other vlans

PC is 172.16.1.2/24 (on the vlan by itself)

other vlan is subnet 172.16.2.0/24

To permit PC to access Internet only

access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip any any

apply 101 to pc vlan int on rtr inbound

apply 102 outbound on rtr int to pc vlan.

Other VLAN won't be able to reach PC and vice versa. PC can reach Internet.
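
The posted ACL 101, and the "firewall IP only" idea from the question, evaluated against constructed flows by a small added Python ACL matcher (this is an added example, not code from the thread; the firewall's inside address 172.16.3.1 and the Internet host 203.0.113.5 are assumed):

```python
# Added example, not code from the thread: a minimal evaluator for the IOS-style
# numbered extended ACLs quoted above (first match wins, implicit deny at the end).
import ipaddress

def _wc_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def parse_acl(lines):
    """Parse 'access-list N <permit|deny> ip <src> <wc> <dst> <wc>' lines;
    'any' expands to 0.0.0.0 255.255.255.255 and 'host X' to X 0.0.0.0."""
    entries = []
    for line in lines:
        tok = line.split()
        assert tok[0] == "access-list" and tok[3] == "ip", line
        fields, i = [], 4
        for _ in range(2):                      # source, then destination
            if tok[i] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]; i += 1
            elif tok[i] == "host":
                fields += [tok[i + 1], "0.0.0.0"]; i += 2
            else:
                fields += [tok[i], tok[i + 1]]; i += 2
        entries.append((tok[2], *fields))
    return entries

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for one src->dst packet."""
    for action, s, swc, d, dwc in acl:
        if _wc_match(src, s, swc) and _wc_match(dst, d, dwc):
            return action
    return "deny"                               # implicit deny

# ACL 101 exactly as posted (applied inbound on the PC VLAN interface).
ACL_101 = parse_acl([
    "access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "access-list 101 permit ip any any",
])
# Constructed variant for the "firewall IP only" idea in the question; the
# firewall's inside address 172.16.3.1 is assumed, not taken from the thread.
ACL_FW_ONLY = parse_acl([
    "access-list 103 permit ip 172.16.1.0 0.0.0.255 host 172.16.3.1",
])

def check_flows(acl):
    """Evaluate the PC's traffic to the other VLAN, the firewall and an Internet host."""
    flows = {"pc->other": "172.16.2.10", "pc->firewall": "172.16.3.1",
             "pc->internet": "203.0.113.5"}      # constructed destinations
    return {k: evaluate(acl, "172.16.1.2", v) for k, v in flows.items()}
```

The firewall-only list denies the Internet flow because an ACL matches the packet's destination address, not the next-hop router the packet is forwarded to.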

New Member

Re: Configuring Vlan for Internet access only

Shouldn't that be the following, to permit only that PC?

access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip any any
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any

New Member

Re: Configuring Vlan for Internet access only

I think you are right
