05-09-2006 06:15 AM - last edited on 03-25-2019 03:03 PM by ciscomoderator
I need to restrict access to a VLAN so that only certain IPs can reach machines in that VLAN, but at the same time I want this VLAN to be able to talk to the whole world. I have used the following access-list scenario, and it works in the sense that only the IPs specified in the access-list are able to talk to this VLAN, but at the same time machines in this VLAN can't talk to anything else, not even what is specified in the access-list (my traceroute and ping fail).
access-list 132 permit tcp any any established
access-list 132 permit ip 10.1.21.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.1.22.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.0.0.0 0.0.255.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.5.80.0 0.0.7.255 10.12.244.0 0.0.1.255
access-list 132 permit icmp any 10.12.244.0 0.0.1.255 echo-reply
Interface vlan xxx
ip access-group 132 out
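To see why an outbound ACL on the SVI behaves this way, here is a small first-match evaluator (an added example, not code from the thread or from Cisco) that loads ACL 132 exactly as posted and runs constructed packets through it in the "out" direction, i.e. traffic leaving the router towards hosts in 10.12.244.0/23. Only TCP segments with ACK/RST set (the `established` keyword) and ICMP echo-replies get back in; anything else, such as the ICMP time-exceeded messages traceroute depends on or a UDP DNS reply, hits the implicit deny. The sample addresses are constructed.

```python
import ipaddress

# ACL 132 exactly as posted in the question: (action, proto, src, src_wild, dst, dst_wild, option)
ACL_132 = [
    ("permit", "tcp",  "0.0.0.0",   "255.255.255.255", "0.0.0.0",     "255.255.255.255", "established"),
    ("permit", "ip",   "10.1.21.0", "0.0.0.255",       "10.12.244.0", "0.0.1.255",       None),
    ("permit", "ip",   "10.1.22.0", "0.0.0.255",       "10.12.244.0", "0.0.1.255",       None),
    ("permit", "ip",   "10.0.0.0",  "0.0.255.255",     "10.12.244.0", "0.0.1.255",       None),
    ("permit", "ip",   "10.5.80.0", "0.0.7.255",       "10.12.244.0", "0.0.1.255",       None),
    ("permit", "icmp", "0.0.0.0",   "255.255.255.255", "10.12.244.0", "0.0.1.255",       "echo-reply"),
]

def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def acl_decision(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, sw, dst, dw, opt in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, sw) and wildcard_match(pkt["dst"], dst, dw)):
            continue
        if opt == "established" and not pkt.get("ack_or_rst", False):
            continue  # only TCP segments with ACK or RST set count as established
        if opt == "echo-reply" and pkt.get("icmp_type") != "echo-reply":
            continue
        return action
    return "deny"

# Constructed packets, all flowing OUT of the SVI, i.e. towards hosts in 10.12.244.0/23.
SAMPLES = {
    "tcp_reply_from_internet":  {"proto": "tcp",  "src": "203.0.113.10", "dst": "10.12.244.5", "ack_or_rst": True},
    "ping_reply_from_internet": {"proto": "icmp", "src": "203.0.113.10", "dst": "10.12.244.5", "icmp_type": "echo-reply"},
    "traceroute_ttl_exceeded":  {"proto": "icmp", "src": "198.51.100.1", "dst": "10.12.244.5", "icmp_type": "time-exceeded"},
    "udp_dns_reply":            {"proto": "udp",  "src": "203.0.113.53", "dst": "10.12.244.5"},
    "listed_subnet_to_vlan":    {"proto": "tcp",  "src": "10.1.21.7",    "dst": "10.12.244.5", "ack_or_rst": False},
    "unlisted_subnet_to_vlan":  {"proto": "tcp",  "src": "172.16.9.3",   "dst": "10.12.244.5", "ack_or_rst": False},
}

def evaluate_samples(acl=ACL_132):
    """Return the verdict ACL 132 gives each sample packet."""
    return {name: acl_decision(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} -> {verdict}")
```

The two "deny" results are the return packets that break traceroute and UDP-based lookups from inside the VLAN while TCP sessions and plain ping still work.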
05-09-2006 06:35 AM
I would suggest that you apply ACLs to the incoming interfaces of each subnet.
BR
Daniel
05-09-2006 06:50 AM
Dan,
That is not possible because subnets 10.1.21, 10.1.22 and 10.0.0.0/16 are not local to 10.12.244.x.
05-09-2006 06:58 AM
try to add the line
access-list 132 permit ip 10.12.244.0 0.0.1.255 any
to your ACL
BR
Daniel
05-10-2006 07:12 PM
perhaps you can put deny statements at the top of your acl if you know which networks you need to block.