
ACL Between 2851 and Consumer Netgear

Jeff
Level 1

Hello All,

I have a very elementary ACL question, but for the life of me I cannot get it to work. My home lab scenario is this:

I have a specific computer (SERVER A) on my 192.168.20.x network, and I do not want it to be able to access the Internet, which is accessible through my consumer Netgear router at 192.168.0.1.  In between the 192.168.20.x network and the 192.168.0.x network is a Cisco 2851. The 2851 has the default static route set to 192.168.0.1, the address of the Netgear router. However, both networks need to be able to communicate with the server internally.  Below is a sketch of the network. 

SERVER A -------- (INT GI0/1 ------INT GI0/0) ----------------(NETGEAR ROUTER 192.168.0.1)-----------INTERNET

                                   2851 ROUTER

   deny tcp host 192.168.20.20 host 192.168.0.1
   deny ip host 192.168.20.20 host 192.168.0.1
   permit ip any any

I figured I probably needed to apply it to the gi0/0 interface since the routing process would be sending it out that interface, however neither direction is blocking the attempt to access the Internet. 

Any suggestions are greatly appreciated.


kcnajaf
Level 7

Hi Jeffrey,

The default gateway address on the server/PC is the IP address on the interface Gi0/1, right?

If that is the case, try applying the above ACL on Gi0/1 in the inbound direction.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

cadet alain
VIP Alumni

Hi,

ip access-list extended NO-INTERNET
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip host 192.168.20.20 any
 permit ip any any

int g0/1
 ip access-group NO-INTERNET in

Regards

Alain

Don't forget to rate helpful posts.


Thanks guys, Cadet Alain's config did the trick. 
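
The difference between the two ACLs in this thread, as an added example that is not part of any post: a small first-match evaluator that models only protocol and source/destination matching (no ports, interfaces or direction). The packet addresses are constructed; 203.0.113.10 is a stand-in for an Internet host.

```python
import ipaddress

# The two ACLs from the thread, one entry per string.
ORIGINAL_ACL = [
    "deny tcp host 192.168.20.20 host 192.168.0.1",
    "deny ip host 192.168.20.20 host 192.168.0.1",
    "permit ip any any",
]
ACCEPTED_ACL = [
    "permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "deny ip host 192.168.20.20 any",
    "permit ip any any",
]

def parse_target(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ip_network() accepts a contiguous wildcard (host mask) after the slash.
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry (top-down, first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, ace_proto, *rest = entry.split()
        src_net, rest = parse_target(rest)
        dst_net, _ = parse_target(rest)
        if ace_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed sample packets: 203.0.113.10 stands in for an Internet host,
# 192.168.0.50 for a LAN host, 192.168.20.30 for another machine beside SERVER A.
PACKETS = [
    ("tcp", "192.168.20.20", "203.0.113.10"),
    ("tcp", "192.168.20.20", "192.168.0.50"),
    ("tcp", "192.168.20.20", "192.168.0.1"),
    ("udp", "192.168.20.30", "203.0.113.10"),
]

if __name__ == "__main__":
    for proto, src, dst in PACKETS:
        print(f"{proto} {src} -> {dst}: original={evaluate(ORIGINAL_ACL, proto, src, dst)}"
              f" accepted={evaluate(ACCEPTED_ACL, proto, src, dst)}")
```

A packet routed through the Netgear still carries the Internet host as its destination IP, so an entry matching `host 192.168.0.1` only catches traffic addressed to the Netgear itself; matching on the source host with destination `any`, after permitting the internal subnet, is what blocks the Internet-bound traffic.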
