
Adding ACLs to Router on a stick

I have router on a stick configured for a voice VLAN, data VLAN, and wifi VLAN. The wifi is a Cisco AP and has 2 SSIDs, one for internal users, which uses the data VLAN, and the other for the guest VLAN. We do not want anyone on the guest VLAN to be able to access the company network, only the internet. Without any ACLs applied, the users on the guest network can access the network but they can ping the server and anyone on the company network.

I tried to add ACLs on the router, so while it drops traffic to the 192.168.2.0 network it doesn't get out to the internet. I tried different combinations, but now at this point I'm just confusing myself. I figured I'd just deny traffic from the 192.168.3.0 network from accessing the server located at .250 and apply it inbound at the f0/0.51, but then the users don't connect to the wifi.

 

The router is a 2811 which is running DHCP for the voice and guest wifi VLANs. It forwards outside traffic to the ASA 5505, which sits on the edge of the network.

ASA 192.168.2.251/24
Router IPs are 192.168.2.1 and 192.168.3.1
Router data VLAN 192.168.2.0/24
Router guest wifi VLAN 192.168.3.0/24

interface FastEthernet0/0.51
 description $GUEST_WIFI$
 encapsulation dot1Q 51
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
end

interface FastEthernet0/0.50
 description $DATA_NETWORK$
 encapsulation dot1Q 50
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.2.250
end

access-list 100 deny ip 192.168.3.0 0.0.0.255 host 192.168.2.250
access-list 100 permit ip 192.168.3.0 0.0.0.255 ANY

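Added example, not part of the original post: a small Python model of extended-ACL first-match evaluation with the implicit deny, run over ACL 100 as posted and over an assumed alternative (ACL 101, hypothetical). The test packets and the host addresses 192.168.3.20, 192.168.2.10 and 203.0.113.10 are constructed for illustration.

```python
import ipaddress

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume one IOS address spec; return (base, wildcard) as integers."""
    t = tok.pop(0).lower()
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines (protocol ip only)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[2].lower(), tok[4:]
        rules.append((action, _addr(rest), _addr(rest)))
    return rules

def _match(addr, spec):
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)  # wildcard bits are "don't care"

def evaluate(rules, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return action
    return "implicit deny"

# ACL 100 exactly as posted.
POSTED = """access-list 100 deny ip 192.168.3.0 0.0.0.255 host 192.168.2.250
access-list 100 permit ip 192.168.3.0 0.0.0.255 ANY"""
# Assumed alternative (not from the thread): DHCP in, data VLAN blocked, rest permitted.
CANDIDATE = """access-list 101 permit ip host 0.0.0.0 host 255.255.255.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any"""
# Constructed packets as (source, destination); addresses are illustrative.
PACKETS = {"dhcp_discover": ("0.0.0.0", "255.255.255.255"),
           "guest_to_server": ("192.168.3.20", "192.168.2.250"),
           "guest_to_data_host": ("192.168.3.20", "192.168.2.10"),
           "guest_to_internet": ("192.168.3.20", "203.0.113.10")}

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, s, d) for name, (s, d) in PACKETS.items()}
```

In this model, `verdicts(POSTED)` leaves the DHCP discover (0.0.0.0 to 255.255.255.255) to the implicit deny and still permits guests to data-VLAN hosts other than .250, while `verdicts(CANDIDATE)` admits the discover and denies the whole 192.168.2.0/24 range. On a real router the DHCP entry would normally be narrowed to `permit udp any eq bootpc any eq bootps`, which this ip-only parser does not handle.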