Sub interfaces ACL

am.steen
Level 1

I have a server at 10.30.2.200 on vlan2 which accesses the internet via 10.30.2.252, but

1. I need to block it from accessing the local network 10.30.2.0, only the internet.
2. Also I need to access this server from my PC at 10.30.7.250 on vlan7.
I am not good at Cisco ACLs, so please help.

 

My router is a 1941 and my configuration is:

redundancy
!
bridge irb
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description *** WAN-Interface-WLPTP
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
!
interface wlan-ap0
 ip unnumbered BVI1
 arp timeout 0
 no mop enabled
 no mop sysid
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 bridge-group 1
!
interface GigabitEthernet0/1.2
 description Vlan Wserver
 encapsulation dot1Q 2
 ip address 10.30.2.252 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/1.7
 description Vlan Managment
 encapsulation dot1Q 7
 ip address 10.30.7.225 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Wlan-GigabitEthernet0/0
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 bridge-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source list 102 pool NAT overload
!
ip route 0.0.0.0 0.0.0.0 10.21.x.x
ip route 192.168.1.0 255.255.255.0 10.30.7.60
!
access-list 102 permit ip 10.30.2.0 0.0.0.255 any
access-list 102 permit ip 10.30.7.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip


9 Replies

Deepak Kumar
VIP Alumni

Hi,

I have some doubts.

Q:

1. I need to block it from accessing the local network 10.30.2.0, only the internet.

What is your local subnet, which you want to block? And what is the default gateway for both subnets (server/local subnet)?

Regards,

Deepak Kumar


The server is on network 10.30.2.0 and accesses the internet via the gateway 10.30.2.252 (VLAN2).

On the same router I have another network, 10.30.7.0, with gateway 10.30.7.225 (VLAN7).

I need the server to access the internet via 10.30.2.252 and block access to the network 10.30.7.0,

except my PC at 10.30.7.250, which should be able to access the server.

Are there any other settings to do the same task?

Hi,

 

IP access-list ext LAN-Server-Block
5 permit ip host 10.30.7.250 host 10.30.2.200
10 deny ip 10.30.7.0 0.0.0.255 host 10.30.2.200
20 permit ip any any

interface GigabitEthernet0/1.7
ip access-group LAN-Server-Block in

 

Regards,

Deepak Kumar


The original post identified 2 objectives. The discussion so far has focused on the second one. I would like to comment on the first one, which was

I need to block it from accessing the local network 10.30.2.0, only the internet.

It seems to be saying that it wants to block the server from accessing the local network. The router is not able to block communication to the local network. To access the local network the server would simply ARP for the destination and send the packets directly. The router plays no role in this and so is not able to block it. Or did I not understand the objective correctly?

 

[edit] I like the suggestion from Deepak. I originally thought that he had applied the access group on the vlan interface where the server is. But in reading the response again I realize that he is applying it on the vlan interface of the server.

 

HTH

 

Rick

First of all, thanks for your concern.

In fact I tried "LAN-Server-Block" but nothing happened.

I even tried this, but it also did not work:

IP access-list ext LAN-Server-Block
5 permit ip host 10.30.2.200 host 10.30.7.250
10 deny ip 10.30.2.0 0.0.0.255 host 10.30.7.250
20 permit ip any any

interface GigabitEthernet0/1.2
ip access-group LAN-Server-Block in

but it also did not work.

 

The problem is that I have a web server at 10.30.2.200 accessible from outside (cloud).

So I need to isolate it from the internal network for security; at the same time it should have internet access and

be accessible from my PC for management.

The server is in network 10.30.2.0 (VLAN2) with gateway 10.30.2.252.

My local network is 10.30.7.0 with gateway 10.30.7.225.

So I need network 10.30.2.0 to have internet and block everything else

on network 10.30.7.0 except my PC at 10.30.7.250.

 

If this requires any change on the sub-interfaces or another design to do that, no problem.

Thanks
We have had several different versions of what you want to accomplish. There was this one

I need the server to access the internet on 10.30.2.252 and block access to the network 10.30.7.0

Except My PC at 10.30.7.250 it should access the server

 

and there is this one

So I need that network 10.30.2.0 should have internet and block everything else 

on network 10.30.7.0 Except My PC at 10.30.7.250

 

The changes suggested by Deepak should accomplish the first requirement. Also your version of LAN-Server-Block applied on the vlan 2 sub interface should have accomplished that. I am puzzled that you seem to indicate that neither approach worked. 

 

If you really want the second requirement then you need to modify your ACL to look something like this:

IP access-list ext LAN-Server-Block
5 permit ip host 10.30.2.200 host 10.30.7.250
10 deny ip 10.30.2.0 0.0.0.255 10.30.7.0 0.0.0.255
20 permit ip any any

and apply it inbound (in) on gi0/1.2

 

HTH

 

Rick
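To see why the three ACLs in this thread behave differently, here is an added example (not code from the thread or from Cisco) that models IOS extended-ACL evaluation with wildcard masks, first-match semantics and the implicit deny, and applies each ACL inbound on the sub-interface the poster named. The sub-interface a packet enters on is derived from its source subnet; the flows tested are constructed.

```python
import ipaddress

# Entries are (action, (src, wildcard), (dst, wildcard)); "host X" is X with
# wildcard 0.0.0.0 and "any" is 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
host = lambda ip: (ip, "0.0.0.0")

def wc_match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care"; only the 0 bits are compared.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src, dst):
    for action, (sb, sw), (db, dw) in acl:       # first match wins
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action
    return "deny"                                # implicit "deny ip any any"

def ingress(src):
    # Sub-interface the packet arrives on, from the source subnet (modelled).
    ip = ipaddress.IPv4Address(src)
    if ip in ipaddress.IPv4Network("10.30.2.0/24"):
        return "Gi0/1.2"
    if ip in ipaddress.IPv4Network("10.30.7.0/24"):
        return "Gi0/1.7"
    return "Gi0/0"

def decide(policy, src, dst):
    # policy maps sub-interface -> ACL applied "in"; no ACL means forwarded.
    acl = policy.get(ingress(src))
    return evaluate(acl, src, dst) if acl else "permit"

RICK = {"Gi0/1.2": [("permit", host("10.30.2.200"), host("10.30.7.250")),
                    ("deny", ("10.30.2.0", "0.0.0.255"), ("10.30.7.0", "0.0.0.255")),
                    ("permit", ANY, ANY)]}
DEEPAK = {"Gi0/1.7": [("permit", host("10.30.7.250"), host("10.30.2.200")),
                      ("deny", ("10.30.7.0", "0.0.0.255"), host("10.30.2.200")),
                      ("permit", ANY, ANY)]}
ATTEMPT = {"Gi0/1.2": [("permit", host("10.30.2.200"), host("10.30.7.250")),
                       ("deny", ("10.30.2.0", "0.0.0.255"), host("10.30.7.250")),
                       ("permit", ANY, ANY)]}

FLOWS = [("10.30.2.200", "10.30.7.250"),   # server -> management PC
         ("10.30.2.200", "10.30.7.10"),    # server -> another internal host
         ("10.30.7.10", "10.30.2.200"),    # another internal host -> server
         ("10.30.2.200", "8.8.8.8")]       # server -> internet

def compare(policies):
    return {name: [decide(p, s, d) for s, d in FLOWS] for name, p in policies.items()}

if __name__ == "__main__":
    for name, verdicts in compare({"Rick": RICK, "Deepak": DEEPAK, "Attempt": ATTEMPT}).items():
        print(name, dict(zip(FLOWS, verdicts)))
```

The model shows the poster's own attempt permitting every server-sourced flow (it only shields the PC from the rest of VLAN2), Deepak's ACL stopping internal hosts from reaching the server but not the server from reaching them, and Rick's ACL on Gi0/1.2 closing the server-initiated direction that matters for an internet-facing host.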

Mr. Richard

It works like a charm, you saved me.

Many thanks to you and the others who helped me.

I am glad to know that you have solved your problem and that our suggestions pointed you toward the solution. Thank you for marking this discussion as solved. This will help other participants in the community to identify discussions that have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick