Access-list problem

nawas
Level 4

I need to restrict the access of a vlan so only certain IPs can access machines in that vlan but at the same time I want this vlan to talk to the whole world. I have used the following access-list scenario and it works in a sense that only IPs specified in the access-list are able to talk to this vlan but at the same time machines in this vlan don't talk to anything else even what is specified in the access-list (my traceroute and ping fails)

access-list 132 permit tcp any any established
access-list 132 permit ip 10.1.21.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.1.22.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.0.0.0 0.0.255.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.5.80.0 0.0.7.255 10.12.244.0 0.0.1.255
access-list 132 permit icmp any 10.12.244.0 0.0.1.255 echo-reply

interface vlan xxx
 ip access-group 132 out
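As an added illustration (not part of the thread), a small Python model of how IOS evaluates the ACL above, first match wins with an implicit deny at the end, applied to return traffic that the router forwards into the VLAN (the "out" direction on the SVI). It shows that TCP replies and ICMP echo-replies are permitted, while ICMP time-exceeded (which traceroute depends on) and any UDP reply match no line and fall through to the implicit deny. The VLAN host and the external addresses are constructed for the example.

```python
import ipaddress

# The ACL exactly as posted above, copied here so the example is self-contained.
ACL_132 = """
access-list 132 permit tcp any any established
access-list 132 permit ip 10.1.21.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.1.22.0 0.0.0.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.0.0.0 0.0.255.255 10.12.244.0 0.0.1.255
access-list 132 permit ip 10.5.80.0 0.0.7.255 10.12.244.0 0.0.1.255
access-list 132 permit icmp any 10.12.244.0 0.0.1.255 echo-reply
"""

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a set bit in the wildcard means "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_operand(tokens):
    # Consume 'any' or 'X WILDCARD' from the token list; return (base, wildcard).
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return t, tokens.pop(0)

def parse_ace(line):
    # access-list <num> <permit|deny> <proto> <src> <dst> [qualifier ...]
    _, _, action, proto, *rest = line.split()
    src, dst = parse_operand(rest), parse_operand(rest)
    return action, proto, src, dst, set(rest)  # leftover words are qualifiers

def evaluate(aces, proto, src, dst, flags=frozenset()):
    # First match wins; a packet that matches no line hits the implicit deny.
    for action, aproto, (sb, sw), (db, dw), quals in aces:
        if (aproto in ("ip", proto) and wildcard_match(src, sb, sw)
                and wildcard_match(dst, db, dw) and quals <= flags):
            return action
    return "deny"

def check_return_traffic(acl_text=ACL_132):
    # Packets the router forwards *into* the VLAN, i.e. the 'out' direction on the SVI.
    aces = [parse_ace(l) for l in acl_text.strip().splitlines()]
    h = "10.12.244.5"  # constructed VLAN host address
    return {
        "tcp_reply": evaluate(aces, "tcp", "203.0.113.10", h, {"established"}),
        "ping_reply": evaluate(aces, "icmp", "203.0.113.10", h, {"echo-reply"}),
        "traceroute_ttl_exceeded": evaluate(aces, "icmp", "203.0.113.1", h, {"time-exceeded"}),
        "dns_reply": evaluate(aces, "udp", "203.0.113.53", h),
        "mgmt_to_vlan": evaluate(aces, "tcp", "10.1.21.7", h),
        "stranger_to_vlan": evaluate(aces, "tcp", "10.9.9.9", h),
    }
```

Traffic leaving the VLAN towards the router is not touched by an outbound ACL on the SVI; only the replies coming back are, which is why a TCP-only "established" line leaves UDP and most ICMP types to the implicit deny.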

dsoderstrom
Level 1

I would suggest that you apply ACLs to the incoming interfaces of each subnet.

BR

Daniel

Dan

That is not possible because subnets 10.1.21, 10.1.22 and 10.0.0.0/16 are not local to 10.12.244.x

try to add the line

access-list 132 permit ip 10.12.244.0 0.0.1.255 any

to your ACL

BR

Daniel

bigchoice75
Level 1

Perhaps you can put deny statements at the top of your ACL if you know which networks you need to block.
