Hi

I have 2 network X1 and X2, I have been trying to make a access-list that deny all trafic fra the X2 network to the X1 network, but the X2 network have to have connection to the internet.

My access list is working, but just to well because the host on the X2 network cant get any ip address from the X2 dhcp pool, and I cant see why, if I remove my access lists then the pool is working, but the the X2 network can access the X1 network and that is not great.

Here is some of my running config:

Building configuration...

Current configuration : 6025 bytes

!

dot11 syslog

ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.2

ip dhcp excluded-address 10.0.0.3

ip dhcp excluded-address 10.0.0.4

ip dhcp excluded-address 10.0.0.5

!

ip dhcp pool x1

   network 10.0.0.0 255.255.0.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 10.0.0.1

!

ip dhcp pool x2

   network 172.168.1.0 255.255.255.0

   default-router 172.168.1.1

   dns-server 8.8.8.8 8.8.4.4

!

!

multilink bundle-name authenticated

!

interface FastEthernet0/0

description Link_To_Outside(xxxxx)

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1.10

description x1

encapsulation dot1Q 10

ip address 10.0.0.1 255.255.0.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1.20

description x2

encapsulation dot1Q 20

ip address 172.168.1.1 255.255.255.0

ip access-group 101 in

ip nat inside

ip virtual-reassembly

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source list 101 interface FastEthernet0/0 overload

!

access-list 1 permit 10.0.0.0 0.0.255.255

access-list 101 deny   ip 172.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 101 permit ip 172.168.1.0 0.0.0.255 any

!

Hope anyone can help

/Benjamin