12-15-2010 10:14 AM - edited 03-11-2019 12:22 PM
I seem to be having a problem wrapping my head around what is going on or what to do.
What I have is two subinterfaces:
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 10.10.2.254 255.255.255.0
ip access-group vlan10_in in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 10.10.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
Now what I am trying to do is block the 10.10.3.x network from accessing the 10.10.2.x network BUT I want the 10.10.2.x network to be able to access the 10.10.3.x network.
The access list I set up is:
Extended IP access list vlan10_in
10 deny ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255 log (7 matches)
20 permit ip any any log
Now I set up logging to try to understand this better. When I try to PING from 10.10.3.x to 10.10.2.x I get:
*Dec 15 18:30:34.553: %SEC-6-IPACCESSLOGDP: list vlan10_in denied icmp 10.10.2.100 -> 10.10.3.100 (0/0), 1 packet
But when I try to PING from 10.10.2.x to 10.10.3.x I get nothing. The ping actually shows a "Destination net unreachable".
I know my logic is wrong because it's not working, but I'm trying to understand this better.
Without this access-list/group everything works fine. Both networks can get to the NET and see each other.
12-15-2010 01:05 PM
Yes, your logic is incorrect.
The regular ACL could not fit your requirement.
You have to use the IOS firewall feature to realize this.
Here is an example.
12-15-2010 01:32 PM
I don't have rights to your link.
12-15-2010 02:27 PM
Here is another one.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
I hope it helps.
PK
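As an added illustration of the IOS firewall (CBAC) approach the replies point to, and not configuration from the thread or the linked note: the stateless ACL in the question sits inbound on Fa0/1.1, so it only ever sees packets sent by VLAN 10 hosts (the logged hit is the echo reply from 10.10.2.100), and it has no way to know which side started the conversation. The subinterfaces and addresses are the original poster's; the inspect name VLAN10_FW and the ACL name vlan20_in are assumptions chosen here, and the commands assume an IOS image that supports ip inspect.

```cisco
! Added example, not from the original thread. Assumes the same
! subinterfaces/addresses as the post and an IOS image with CBAC support.
! Names VLAN10_FW and vlan20_in are chosen here, not taken from the post.
!
! Inspection rule: track sessions that VLAN 10 hosts start.
ip inspect name VLAN10_FW tcp
ip inspect name VLAN10_FW udp
ip inspect name VLAN10_FW icmp
!
! Stateless part: VLAN 20 may not initiate toward VLAN 10. Return traffic
! for sessions opened from VLAN 10 is admitted by temporary entries that
! CBAC adds in front of this ACL, so no "permit" for replies is needed.
ip access-list extended vlan20_in
 deny   ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255 log
 permit ip any any
!
! Inspect on the interface where VLAN 10 traffic enters the router and
! drop the ACL that was blocking VLAN 10's own requests and replies.
interface FastEthernet0/1.1
 no ip access-group vlan10_in in
 ip inspect VLAN10_FW in
!
! Filter on the interface where VLAN 20 traffic enters the router.
interface FastEthernet0/1.2
 ip access-group vlan20_in in
!
! Check: ping from 10.10.2.x to 10.10.3.x should succeed and appear in
! "show ip inspect sessions"; a ping from 10.10.3.x toward 10.10.2.x should
! log a vlan20_in deny instead of the vlan10_in entry seen in the post.
```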
12-15-2010 02:51 PM