02-14-2014 08:49 AM - edited 03-07-2019 06:12 PM
Good day,
I have a 2921 router...
I have many subnets on the network. What I want to do is block access to one of my networks and allow all other subnets to browse the web.
I have;
192.168.4.0/24
10.20.50.0/24
10.20.40.0/24
10.20.30.0/24
10.20.60.0/24
I want to block access to 10.20.60.0 from all other networks while allowing them to access the internet.
02-14-2014 09:04 AM
We may need more information. Are you wanting to do this on the router? Is the router split out into subinterfaces or are all of these subnets on one interface? Are these subnets on the lan or wan side? Do you have a L3 switch?
HTH,
John
*** Please rate all useful posts ***
02-14-2014 09:05 AM
My first question is, do you have any webapps that users use? Or would any site they visit be on the Internet?
The reason why I ask, is this could be done pretty quick.
Also, how are the interfaces laid out? Do you have a single inside LAN interface and an outside WAN interface?
02-14-2014 09:17 AM
Johns,
Have to nip out but it is subinterfaces on the LAN interface of the 2921 for each subnet.
No L3 switch inter vlan routing. 2921 connected to internal L2 switch on LAN and WAN interface connects to ASA inside interface.
Over to you
Jon
02-14-2014 09:22 AM
Lol! What? How did you get all of that from this post??
HTH,
John
*** Please rate all useful posts ***
02-14-2014 09:26 AM
Jon,
This is a John only thread, please remove yourself. We don't need any "Jons".
02-14-2014 09:29 AM
There are a lot of Johns here
HTH,
John
*** Please rate all useful posts ***
02-14-2014 09:41 AM
John
This is a John only thread, please remove yourself. We don't need any "Jons".
Message received and understood. I'll just quietly disappear....
Jon
02-14-2014 09:42 AM
Lol! What? How did you get all of that from this post??
I thought it was pretty obvious myself
I helped Roger reconfigure his network in a couple of rather long posts a while back so I remember it. Come to think of it, I'm not sure about the 192.168.4.0/24 network being a subinterface, so I'll check one of the posts.
Jon
02-14-2014 09:47 AM
If what "Jon" said is correct you could do something like the following.
ip access-list extended FROM_10_20_50_ACL
 deny ip 10.20.50.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended FROM_10_20_40_ACL
 deny ip 10.20.40.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended FROM_10_20_30_ACL
 deny ip 10.20.30.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
ip access-list extended FROM_192_168_4_ACL
 deny ip 192.168.4.0 0.0.0.255 10.20.60.0 0.0.0.255
 permit ip any any
! Each list needs its own name: re-entering "ip access-list extended" with the
! same name appends to the existing list, and the first "permit ip any any"
! would then match before any of the later deny lines.
! Apply each list inbound on the subinterface that carries its source subnet.
! The interface names below are placeholders; the thread does not give them.
interface <subinterface-for-10.20.50.0/24>
 ip access-group FROM_10_20_50_ACL in
interface <subinterface-for-10.20.40.0/24>
 ip access-group FROM_10_20_40_ACL in
interface <subinterface-for-10.20.30.0/24>
 ip access-group FROM_10_20_30_ACL in
interface <subinterface-for-192.168.4.0/24>
 ip access-group FROM_192_168_4_ACL in
Now technically, 10.20.60.0/24 could still get to the other subnets, but the return traffic would be blocked.
And you could always change the permit ip any any to just HTTP traffic, etc. Depends on what you want to do.
Although it might be a better idea to configure ACLs on the firewall. It would be easier to manage that way. If traffic has to go up to the ASA to get back to the other subnets.
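The per-subnet inbound ACL approach above can be checked offline before it is typed into the router. The following is an added example, not code from the thread or from Cisco: a small Python evaluator of IOS first-match ACL semantics (wildcard masks, "any", "host", and the implicit deny at the end of every list), run over the subnets given in the thread. The protected subnet 10.20.60.0/24 and the four other subnets are the thread's; the Internet test address 203.0.113.10 (TEST-NET-3) and the .10 sample hosts are constructed. It also shows two things worth knowing before deployment: what IOS builds if all four blocks reuse a single ACL name (the entries append, so the first permit shadows every later deny), and the reply-traffic caveat John raises, where 10.20.60.x can initiate a connection but the return packet is dropped on the other subnet's inbound ACL.

```python
import ipaddress

# Added example, not code from the thread: a first-match evaluator for
# IOS-style extended ACL entries, used to check policy intent offline.
# Supported entry form: "permit|deny ip <src> <dst>", where each address is
# "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (IOS wildcard mask).

PROTECTED = "10.20.60.0/24"                         # subnet to isolate (thread)
OTHER_SUBNETS = ["192.168.4.0/24", "10.20.50.0/24",
                 "10.20.40.0/24", "10.20.30.0/24"]  # the thread's other subnets
INTERNET_HOST = "203.0.113.10"                      # constructed TEST-NET-3 host


def _parse_address(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    wc = int(ipaddress.IPv4Address(wildcard))
    # A contiguous IOS wildcard is 2**k - 1 (only low bits set); anything
    # else is a discontiguous mask, which this example does not model.
    if wc & (wc + 1):
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_entry(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _parse_address(tokens[2:])
    dst, rest = _parse_address(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return action, src, dst


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def inbound_acl_for(source_subnet):
    """The per-subinterface pattern from the thread's answer: deny the source
    subnet to the protected subnet, then permit everything else."""
    src = ipaddress.ip_network(source_subnet)
    dst = ipaddress.ip_network(PROTECTED)
    lines = [
        f"deny ip {src.network_address} {src.hostmask} "
        f"{dst.network_address} {dst.hostmask}",
        "permit ip any any",
    ]
    return [parse_entry(line) for line in lines]


def merged_acl():
    """What IOS builds if every block reuses ONE ACL name: the entries simply
    append, so the first 'permit ip any any' shadows every later deny."""
    entries = []
    for subnet in OTHER_SUBNETS:
        entries.extend(inbound_acl_for(subnet))
    return entries


def check_policy():
    """Evaluate the intended policy for a sample .10 host in each subnet."""
    results = {}
    for subnet in OTHER_SUBNETS:
        acl = inbound_acl_for(subnet)
        host = str(ipaddress.ip_network(subnet)[10])  # e.g. 10.20.50.10
        results[(subnet, "to_protected")] = evaluate(acl, host, "10.20.60.10")
        results[(subnet, "to_internet")] = evaluate(acl, host, INTERNET_HOST)
        results[(subnet, "to_other_lan")] = evaluate(acl, host, "10.20.30.10")
    return results


if __name__ == "__main__":
    for key, verdict in sorted(check_policy().items()):
        print(key, verdict)
    # The caveat from the thread: 10.20.60.0/24 has no inbound ACL of its own,
    # so it can send to 10.20.50.10, but the reply is dropped on the way back.
    print("reply 10.20.50.10 -> 10.20.60.10:",
          evaluate(inbound_acl_for("10.20.50.0/24"), "10.20.50.10", "10.20.60.10"))
    print("single-name mistake, 10.20.40.10 -> 10.20.60.10:",
          evaluate(merged_acl(), "10.20.40.10", "10.20.60.10"))
```

The evaluator only models source and destination networks, which is all the thread's entries use; port-level entries (the "just HTTP traffic" variant John mentions) would need the protocol and port fields added to parse_entry and evaluate.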
02-14-2014 09:51 AM
Sorry to interrupt, Johns,
but I would use the VRF-lite feature here: just put subnet 10.20.60.0/24 into a VRF and you don't have to maintain a number of ACLs.
Best Regards
Please rate all helpful posts and close solved questions
02-14-2014 09:46 AM
Okay, here is a link to the network layout, although it is not as I remember it (i.e. it isn't showing most of the subnets mentioned), so it's probably best to wait on Roger to confirm where the subnets actually are -
https://supportforums.cisco.com/thread/2264234
Apologies if I confused the issue.
Jon
02-14-2014 10:19 AM
Thanks for that, Jon. You cleared the issue up, and it looks like John Tyler has given a correct answer. Technically this should be all that's needed.
HTH,
John
*** Please rate all useful posts ***
02-14-2014 10:56 AM
Think I just managed to confuse the issue.
The idea was I needed to do something else, and if there were multiple posts I might not be around to reply, so I just wanted to help get a quicker response for Roger.
Looking at the diagram it looks more complex, because I don't think all the subnets are on the router, so an ACL applied outbound to the 10.20.60.x VLAN/IP subnet might be easier, although it's hard to say without more details.
Jon
02-14-2014 11:18 AM
WOW... I stepped out to lunch and got all of this lol.. thanks for the help... Let me take a good look at those ACLs...