
What's the procedure to limit a subnet on a Cisco router?

MyCheema057
Level 1

I have a Cisco 891F router. The internet is hooked up to G8. The student network is Vlan 200, and the Office is Vlan 100.

(I know the internet has an internal subnet (192.168.1.5), but that's because I'm testing in the lab.)

So the situation is that I have the internet on G8, and a classroom on vlan 200, with the office staff on vlan 100. I'm using NAT, actually, PAT, for each internal network and all is working well for internet access from both internal networks.

However, I need to add an ACL so that the 192.168.200.0/24 student network (vlan 200) cannot see anything in the 192.168.151.0/24 office network (vlan 100).

I have not been able to find or work through anything with the "deny" along with the NAT that has the limited access described above.

Here is the interface and acl config: (any help is appreciated) -T

interface GigabitEthernet0
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 200
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description To Internet
 ip address 192.168.1.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan100
 description Office Network
 ip address 192.168.151.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan200
 description Student Network
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet8 overload
ip nat inside source list 20 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 20 permit 192.168.200.0 0.0.0.255
! 

 Thanks 

1 Reply

Hello,

 

make the changes/additions marked with -->:

 

interface GigabitEthernet0
switchport access vlan 100
no ip address
!
interface GigabitEthernet1
switchport access vlan 200
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description To Internet
ip address 192.168.1.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan100
description Office Network
ip address 192.168.151.1 255.255.255.0
--> ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
description Student Network
ip address 192.168.200.1 255.255.255.0
--> ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
--> ip nat inside source list 10 interface GigabitEthernet8 overload
! (the separate "ip nat inside source list 20 ..." statement goes away; a single
!  NAT source list now matches both inside subnets)
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
--> access-list 10 permit 192.168.151.0 0.0.0.255
--> access-list 10 permit 192.168.200.0 0.0.0.255
!
! extended access lists (100-199) require the protocol keyword on every entry,
! so "ip" is needed on the permit lines as well as on the deny lines
--> access-list 101 deny ip 192.168.151.0 0.0.0.255 192.168.200.0 0.0.0.255
--> access-list 101 permit ip 192.168.151.0 0.0.0.255 any
!
--> access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.151.0 0.0.0.255
--> access-list 102 permit ip 192.168.200.0 0.0.0.255 any
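The policy from the reply, replayed through a small stateless model of how IOS evaluates numbered ACLs. This is an added example written for this thread, not Cisco code and not the responder's: the host addresses, the 203.0.113.10 "internet" destination and the 10.0.0.5 spoofed source are constructed, the interface bindings follow the reply's "ip access-group 101 in" on Vlan100 and "102 in" on Vlan200, and the "established" variant goes beyond the thread to show how office-initiated TCP sessions can be allowed while students still cannot initiate anything. Two things the model makes visible that answer the question's "deny along with NAT" worry: the filtering lists 101/102 are checked on ingress at the SVI, before NAT ever consults list 10, so the deny never has to be expressed in the NAT configuration; and because every IOS list ends in an implicit deny, the "permit ip 192.168.200.0 0.0.0.255 any" line also drops anything arriving on Vlan200 with a source outside that subnet.

```python
"""Stateless model of IOS numbered-ACL evaluation, added for this thread (not Cisco
code): first match wins, every list ends in an implicit deny, ports are not modelled."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' is 0.0.0.0 with an all-ones wildcard


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care (the inverse of a netmask)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    ack_or_rst: bool = False  # True on every TCP segment except the opening SYN


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: tuple[str, str]       # (network, wildcard)
    dst: tuple[str, str]
    established: bool = False  # TCP 'established': ACK or RST bit must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return _wildcard_match(p.src, *self.src) and _wildcard_match(p.dst, *self.dst)


def _addr_spec(tokens: list[str]) -> tuple[str, str]:
    """Consume 'any' or 'A.B.C.D W.W.W.W' from the front of the token list."""
    kw = tokens.pop(0)
    return ANY if kw == "any" else (kw, tokens.pop(0))


def parse_acls(config: str) -> dict[int, list[Ace]]:
    """Collect 'access-list N ...' lines: standard (1-99) and extended (100-199)."""
    acls: dict[int, list[Ace]] = defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action, rest = int(t[1]), t[2], t[3:]
        if num < 100:  # standard list: source only, any protocol and destination
            acls[num].append(Ace(action, "ip", _addr_spec(rest), ANY))
            continue
        proto = rest.pop(0)
        src, dst = _addr_spec(rest), _addr_spec(rest)  # left-to-right: source first
        acls[num].append(Ace(action, proto, src, dst, rest[:1] == ["established"]))
    return dict(acls)


def evaluate(acl: list[Ace], p: Packet) -> str:
    for ace in acl:  # first matching entry decides
        if ace.matches(p):
            return ace.action
    return "deny"  # the implicit 'deny any' at the end of every IOS list


INBOUND = {"Vlan100": 101, "Vlan200": 102}  # the reply's 'ip access-group N in' bindings


def forward(acls: dict[int, list[Ace]], ingress: str, p: Packet) -> str:
    """Inbound ACL on the ingress SVI runs before NAT and routing; no ACL bound = permit."""
    num = INBOUND.get(ingress)
    return "permit" if num is None else evaluate(acls[num], p)


# The reply's lists, with the protocol keyword 'ip' that extended entries require.
REPLY_CONFIG = """
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 101 deny ip 192.168.151.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.151.0 0.0.0.255 any
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
"""
# Variant not in the thread (reuses the NAT list 10 lines): the office may open TCP
# sessions to students, whose reply segments pass 'established'; students cannot initiate.
ESTABLISHED_VARIANT = REPLY_CONFIG.split("access-list 101")[0] + """\
access-list 101 permit ip 192.168.151.0 0.0.0.255 any
access-list 102 permit tcp 192.168.200.0 0.0.0.255 192.168.151.0 0.0.0.255 established
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
"""


def check_policy(acls: dict[int, list[Ace]]) -> dict[str, str]:
    """Constructed flows (the hosts, 203.0.113.10 and 10.0.0.5 are made up for the example)."""
    student, office, internet = "192.168.200.20", "192.168.151.10", "203.0.113.10"
    return {
        "student->office": forward(acls, "Vlan200", Packet(student, office)),
        "student->internet": forward(acls, "Vlan200", Packet(student, internet)),
        "office->student": forward(acls, "Vlan100", Packet(office, student)),
        "student reply->office": forward(acls, "Vlan200", Packet(student, office, ack_or_rst=True)),
        "spoofed src on Vlan200": forward(acls, "Vlan200", Packet("10.0.0.5", internet)),
        "student NAT eligible": evaluate(acls[10], Packet(student, internet)),
    }
```

Two caveats a practitioner would want alongside the model. First, "established" only inspects TCP flag bits; a crafted segment from the student VLAN with ACK set matches the entry, so the variant is a stateless filter, not a connection table (Zone-Based Firewall or CBAC is the stateful option on this platform). Second, the deny in list 102 covers 192.168.151.1, so students also lose access to the router's own Vlan100 address, while their gateway 192.168.200.1 remains reachable through the permit line.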