Acl configuration help for a beginner

Derek Endale
Level 1

Ensure the web server can only access the internet and not other subnets using ACL. Place the web server in a DMZ.

 

I have 3 VLANs connected to subinterfaces. The DMZ is in VLAN 40; I'm trying to restrict it from accessing the other networks in VLAN 10 and 20, on 192.168.10.x and 192.168.20.x, but I still want the DMZ in 192.168.40.x to access the internet. How would I configure this with ACLs? Subinterfaces are 0.0.0/10 - 0.0.0/20 - 0.0.0/40

6 Replies

@Derek Endale 

Deny vlan 10 and 20, permit everything else

ip access-list extended DMZ
 deny ip 192.168.10.0 0.0.0.255 any
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any

Apply the ACL on subinterface 0.0.0/40

It seems like I can still ping from VLAN 40 to the other VLANs, like the 192.168.10.x computers and 192.168.20.x computers.

@Derek Endale 

How did you apply?

Is it Packet Tracer? Can I see the project?

ip access-list extended DMZ-Day4
 deny ip 192.168.10.0 0.0.0.255 any
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any

I applied it on int g0/0/0.40 with ip access-group DMZ-Day4 in

interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 140 in
!
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip access-group DMZ-Day4 in


@Derek Endale

Apply it in the OUT direction.

Or apply it IN, but on interfaces 10 and 20.

 

Hello,
try:

ip access-list extended DMZ-Day4
 deny ip any 192.168.10.0 0.0.0.255
 deny ip any 192.168.20.0 0.0.0.255
 permit ip any any

interface GigabitEthernet0/0/0.40
 encapsulation dot1Q 40
 ip access-group DMZ-Day4 in

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
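As an added illustration of why the two ACL versions in this thread behave differently (this is an example written for this page, not code from the thread or from Cisco; it is a small Python model of IOS extended-ACL evaluation that assumes first-match semantics with the implicit deny at the end, uses the thread's own addresses, and uses the constructed documentation address 203.0.113.10 to stand in for "the internet"): applied in the IN direction on g0/0/0.40, the ACL only ever sees packets entering the router from VLAN 40, whose source is always 192.168.40.x. Entries that deny by source 192.168.10.x or 192.168.20.x therefore never match, and every packet falls through to permit ip any any. Matching on the destination instead, as in Paul's version, denies the DMZ-to-VLAN flows while still permitting the internet-bound one.

```python
"""Toy evaluator for Cisco IOS extended ACL semantics (added example, not from
the thread): first matching entry wins, and an implicit 'deny ip any any' ends
every list.  It compares the source-based ACL first proposed in the thread with
the destination-based one, both as seen inbound on the DMZ subinterface."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<network> <wildcard>"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl(text: str) -> list[Ace]:
    """Parse the 'permit/deny ip <src> <dst>' lines of an extended ACL."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header line
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        fields = []
        while rest:
            if rest[0] == "any":
                fields.append("any")
                rest = rest[1:]
            elif rest[0] == "host":
                fields.append(f"{rest[1]} 0.0.0.0")
                rest = rest[2:]
            else:
                fields.append(f"{rest[0]} {rest[1]}")
                rest = rest[2:]
        if len(fields) != 2:
            raise ValueError(f"malformed entry: {line}")
        entries.append(Ace(action, fields[0], fields[1]))
    return entries


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet: first match wins, implicit deny last."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# The ACL first proposed in the thread: it matches on SOURCE 192.168.10.x / 20.x.
SOURCE_BASED = """
ip access-list extended DMZ-Day4
 deny ip 192.168.10.0 0.0.0.255 any
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any any
"""

# The corrected ACL from the thread: it matches on DESTINATION 192.168.10.x / 20.x.
DEST_BASED = """
ip access-list extended DMZ-Day4
 deny ip any 192.168.10.0 0.0.0.255
 deny ip any 192.168.20.0 0.0.0.255
 permit ip any any
"""

# Constructed sample flows.  Applied 'in' on g0/0/0.40, the ACL only sees packets
# whose source is in 192.168.40.0/24, so that is all we feed it.  203.0.113.10 is a
# documentation-range address standing in for "the internet" (an assumption).
FLOWS = {
    "dmz->vlan10": ("192.168.40.10", "192.168.10.25"),
    "dmz->vlan20": ("192.168.40.10", "192.168.20.7"),
    "dmz->internet": ("192.168.40.10", "203.0.113.10"),
}


def check_dmz_policy() -> dict[str, dict[str, str]]:
    """Evaluate every sample flow against both ACLs as seen inbound on g0/0/0.40."""
    results = {}
    for name, text in (("source_based", SOURCE_BASED), ("dest_based", DEST_BASED)):
        acl = parse_acl(text)
        results[name] = {flow: evaluate(acl, s, d) for flow, (s, d) in FLOWS.items()}
    return results


if __name__ == "__main__":
    for name, verdicts in check_dmz_policy().items():
        print(name)
        for flow, verdict in verdicts.items():
            print(f"  {flow:<15} {verdict}")
```

Running it shows the source-based list permitting all three flows (nothing entering from VLAN 40 carries a 10.x or 20.x source), and the destination-based list denying the two inter-VLAN flows while permitting the internet-bound one. The same model also explains the other reply in the thread: the source-based list would work if applied where VLAN 10/20 traffic is the source, or in the OUT direction on the 10 and 20 subinterfaces.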