ACL to block network from going to one ip address eq 80?

michaelscottx
Level 1

I have searched all over the web, news groups and online forums trying to find one access-list hint that would put me in the correct direction but always end up in the same place.

It is as simple as this:

I would like to block internal traffic from going to one single IP address or network. (I have tried both commands for single addresses and their class C block.) Each time the result is that either all outgoing traffic is blocked or all web traffic is blocked. I cannot seem to get an access list to only block the single IP or network.

1. I have made an access group:

!
interface Ethernet0
 description To Office Ethernet
 ip address 209.187.xxx.129 255.255.255.128 secondary
 ip address 63.127.xxx.193 255.255.255.192 secondary
 ip address 206.152.xxx.1 255.255.255.192 secondary
 ip address 209.187.xxx.1 255.255.255.128
 ip access-group 101 out
 no ip directed-broadcast
 no cdp enable
!

2. I add an access list such as:

access-list 101 deny ip...
access-list 101 deny tcp..

each time adding the IP to be blocked along with eq 80 and many different combinations of ip and tcp settings. Each time the result is the same: either the entire net or all of the port 80 connections are blocked.

I have tried adding the allow any any after the statement, and this has not helped either.

Can someone just give me the access-list lines needed to pull this off?

Thank you!

Michael

5 Replies

mark-obrien
Level 4

Michael,

At the end of every access list there is a presumed "deny ip any any". To overcome this, put the command "access-list 101 permit ip any any" at the end of the ACL and you should have all traffic permitted, except the traffic that you are blocking in your earlier deny statements.

HTH,

Mark

Michael,

If I understand you correctly, you are trying to block users on other subnets from getting to a specific host that is on the same LAN that your router's interface Ethernet0 is connected to; but you want to permit all other types of TCP/IP traffic to pass. Is this correct?

If so, let's assume that the web server you want to protect has IP address 209.187.xxx.50, and that is the only system you are trying to protect. Let's also assume that everybody on the same LAN with IP addresses in your secondary address ranges is to be permitted access to this host. Then your access-list 101 should look something like this:

access-list 101 permit ip 209.187.xxx.128 0.0.0.127 host 209.187.xxx.50
access-list 101 permit ip 63.127.xxx.192 0.0.0.63 host 209.187.xxx.50
access-list 101 permit ip 206.152.xxx.0 0.0.0.63 host 209.187.xxx.50
access-list 101 deny ip any host 209.187.xxx.50 log
access-list 101 permit ip any any

The first three lines explicitly permit users with addresses on your secondary IP subnets to have access through the Ethernet0 interface (their traffic comes into the interface, then does a hair-pin turn right back out the same interface). I left out a line permitting users of the 209.187.xxx.0/255.255.255.128 subnet because their traffic will not be routed to the 209.187.xxx.50 host since they are on the same subnet.

Now that I have granted the exceptions, the next line denies the rest of the world the ability to access the .50 host using TCP, UDP, or ICMP protocols through that Ethernet interface, and logs any attempt to even try it. (Logging is useful to see who's trying to get access to a restricted resource.)

Finally, I permit all other IP traffic to pass unrestricted out the router's Ethernet0 interface. If I do not do this, then the implicit "deny ip any any" that follows the last explicit access-list command in any ip extended access-list would block ALL other IP traffic. This may be what you ran into.

The above access-list handles permitting or denying of access at the IP address level. If you wanted to get more granular, you could permit or deny specific ports within a given IP address. So for instance, you could restrict access to an HTTP web server (TCP port 80), but allow access to an FTP server (TCP port 21), on the same machine. To get specific to the port level, you would follow the "host 209.187.xxx.50" with "eq 80" or "eq www" in the above access-list commands; and change the "permit ip" or "deny ip" commands on those same lines to "permit tcp" or "deny tcp" to control access to just the web server service on that machine.

Hope this helps.

Thank you for your help!

What I am trying to do is keep users on our network from going to -one- web site which is outside of our network. This is what I have tried.

!
interface Ethernet0
 description To Office Ethernet
 ip address 209.187.xxx.129 255.255.255.128 secondary
 ip address 63.127.xxx.193 255.255.255.192 secondary
 ip address 206.152.xxx.1 255.255.255.192 secondary
 ip address 209.187.xxx.1 255.255.255.128
 ip access-group 101 out
!
ip default-gateway 199.105.xxx.62
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
access-list 101 permit ip 209.187.xxx.128 0.0.0.127 host 216.22.xxx.192
access-list 101 permit ip 63.127.xxx.192 0.0.0.63 host 216.22.xxx.192
access-list 101 permit ip 206.152.xxx.0 0.0.0.63 host 216.22.xxx.192
access-list 101 deny ip any host 216.22.xxx.192
access-list 101 permit ip any any
no cdp run
!

THIS WOULD ALLOW ALL WEB PAGES TO BE VISITED (including) the one to be denied (216.22.xxx.192):

Extended IP access list 101
    permit ip 209.187.xxx.128 0.0.0.127 host 216.22.xxx.192
    permit ip 63.127.xxx.192 0.0.0.63 host 216.22.xxx.192
    permit ip 206.152.xxx.0 0.0.0.63 host 216.22.xxx.192
    deny ip any host 216.22.xxx.192
    permit ip any any (16828 matches)

Then I tried:

ip default-gateway 199.105.xxx.62
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
access-list 101 permit tcp 209.187.xxx.128 0.0.0.127 host 216.22.xxx.192 eq www
access-list 101 permit tcp 63.127.xxx.192 0.0.0.63 host 216.22.xxx.192 eq www
access-list 101 permit tcp 206.152.xxx.0 0.0.0.63 host 216.22.xxx.192 eq www
access-list 101 deny tcp any host 216.22.xxx.192 eq www
access-list 101 permit tcp any any eq www
no cdp run
!

THIS WOULD NOT LET OUR MACHINES ACCESS (any) WEB PAGES.

Any thoughts?

Thank you - Michael

I misunderstood what you were trying to block, and where it was located. Your last post makes it clearer.

If you are trying to block users in the four IP subnets on your Ethernet0 interface from going out the Serial0 interface of your router to the web site at 216.22.xxx.192, but you want to permit your LAN users to go anywhere else on the Internet, then you might find it easier to block traffic from the LAN as it heads IN to the router from the LAN.

Delete the "ip access-group 101 out" command from your Ethernet0 interface, and add the following access-list 102 commands:

access-list 102 deny tcp any host 216.22.xxx.192 eq www log
access-list 102 permit ip any any

The first line denies traffic from any source IP address on your LAN from reaching the HTTP web server at destination IP address 216.22.xxx.192, and logs any attempts to try reaching that host.

The second line permits all other IP traffic. That includes both traffic outbound to the Internet, as well as traffic hair-pinning from one subnet on Ethernet0 to another, different subnet also on Ethernet0. This will also keep the implicit "deny ip any any" command from ever coming into play.

Follow these "access-list 102" commands up by applying them to your interface Ethernet0:

interface Ethernet0
 ip access-group 102 in

This will keep users on your network from going to the one web site which is outside of your network.
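An added illustration, not from the thread and not Cisco's own code: a small Python model of Cisco extended-ACL matching (first match wins, wildcard masks, `eq` applying to the destination port, the implicit deny at the end), evaluated against the packets each interface direction actually sees. The addresses are constructed stand-ins for the redacted ones above. It reproduces both observations: ACL 101 applied "out" on Ethernet0 only sees replies returning to the LAN, whose destination port is ephemeral, so no `eq www` entry matches and the implicit deny drops every web reply, while ACL 102 applied "in" sees the request and blocks only the one destination.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Ace:
    """One entry of a Cisco extended ACL; the first matching entry wins."""
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol, otherwise e.g. "tcp"
    src: str        # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: int = 0  # "eq <port>" restricts the destination port only; 0 = no eq clause

def addr_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    kw, arg = spec.split()
    if kw == "host":
        return addr == arg
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(arg))  # bits that must match
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(kw)) & care

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and ace.dport in (0, dport)
                and addr_match(ace.src, src) and addr_match(ace.dst, dst)):
            return ace.action
    return "deny"  # the implicit "deny ip any any" at the end of every ACL

# Constructed addresses standing in for the redacted ones in the thread.
LAN = "192.0.2.128 0.0.0.127"  # one Ethernet0 subnet, in Cisco wildcard form
CLIENT = "192.0.2.140"         # a workstation on that subnet
BLOCKED = "198.51.100.7"       # the outside web site to block
OTHER = "203.0.113.9"          # any other outside web site
ACL101_TCP = [  # the thread's second attempt, applied "out" on Ethernet0
    Ace("permit", "tcp", LAN, f"host {BLOCKED}", 80),
    Ace("deny", "tcp", "any", f"host {BLOCKED}", 80),
    Ace("permit", "tcp", "any", "any", 80),
]
ACL102 = [  # the working answer, applied "in" on Ethernet0
    Ace("deny", "tcp", "any", f"host {BLOCKED}", 80),
    Ace("permit", "ip", "any", "any"),
]
def ethernet0_out(acl: list, server: str) -> str:
    """Outbound on Ethernet0 sees only the reply (dst port ephemeral); the request leaves via Serial0."""
    return evaluate(acl, "tcp", server, CLIENT, 51515)
def ethernet0_in(acl: list, server: str) -> str:
    """Inbound on Ethernet0 sees the client's request, destination port 80."""
    return evaluate(acl, "tcp", CLIENT, server, 80)
```

The `log` keyword from the working answer has no effect on matching and is omitted from the model; everything else is the same first-match logic the router applies.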

A W E S O M E !!!!!

That worked! You have been more than helpful -- Thank you

Michael
