Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
814
Views
10
Helpful
5
Replies

Question about ACL

Go to solution
JohnyJo123
Level 1
Level 1

‎10-26-2022 05:54 PM

Hi community i have questions about how to use ACL !

I have this network

JohnyJo123_0-1666831734680.png

the network on vlan 10 is 10.1.1.0

and vlan 20 is 10.1.2.0

I need to set up a ACL to block access computers in the VLAN 10 the condition is : VLAN 10 can access to intranet but cannot access to internet

Here what i got :

ACL :

deny tcp 10.1.1.0 any eq 80

deny tcp 10.1.1.0 any eq 443

and after that i will put the access-list to my interfaces poiting inside with nat inside and the interface pointing outside with nat outside

Whats do you think ?

Thanks you

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-27-2022 05:44 PM

example config help you to get an idea, only add VLAN20 IP to NAT, so VLAN 10 will dropped and not natted. so no internet for VLAN 10.

 

configure t
!
ip routing
!
interface Gig0/0
ip addresss x.x.x.x 255.255.255.0
ip nat outside
!
interface Gig0/1
ip addresss y.y.y.y 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 x.x.x.X (external ISP IP)
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
ip nat inside source list 100 interface Gig0/0 overload
!

Some config may change if you have VLAN SVI, so adjust the config accordingly.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-27-2022 05:44 PM

example config help you to get an idea, only add VLAN20 IP to NAT, so VLAN 10 will dropped and not natted. so no internet for VLAN 10.

 

configure t
!
ip routing
!
interface Gig0/0
ip addresss x.x.x.x 255.255.255.0
ip nat outside
!
interface Gig0/1
ip addresss y.y.y.y 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 x.x.x.X (external ISP IP)
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
ip nat inside source list 100 interface Gig0/0 overload
!

Some config may change if you have VLAN SVI, so adjust the config accordingly.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
JohnyJo123
Level 1
Level 1

‎10-28-2022 12:56 PM

Thank you ! I appreciate it

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to JohnyJo123

‎10-28-2022 01:38 PM

most welcome, is that suggestion works for you ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
JohnyJo123
Level 1
Level 1

‎10-28-2022 01:54 PM

Yes it does !

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to JohnyJo123

‎10-28-2022 01:56 PM

glad all working as expected and we mark it as a solution now.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card