Block traffic from subnet A to subnet B

jangydb98
Level 1

Hello,

I would like to block the traffic from the subnet 172.20.50.0/24 on GigabitEth0/1 to the subnet 10.10.0.0/24 on GigabitEth0/0.

I tried it but it doesn't block the traffic. This is my config, on a 2821 router.

Thanks for the help

Building configuration...

Current configuration : 2386 bytes
!
! Last configuration change at 07:53:29 UTC Tue May 16 2017 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dbrouter
!
boot-start-marker
boot-end-marker
!
enable password ********
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp pool lan
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
dns-server 8.8.8.8 208.67.222.222
lease 5
!
!
ip domain name *******
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid ********* sn ********
archive
log config
hidekeys
username admin privilege 15 secret 5 *******.
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map WWW
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.20.50.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
ip policy route-map WWW
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname @alicebiz.routed
ppp chap password 0 @alicebiz.routed
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 5000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 101 deny ip 172.20.50.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0
exec-timeout 40 0
password greanes98
logging synchronous
login local
transport input ssh
line vty 1 4
password ********
login local
transport input ssh
!
scheduler allocate 20000 1000
end

2 Accepted Solutions

Mark Malone
VIP Alumni

Hi

try

access-list 101 deny ip 172.20.50.0 0.0.0.255 10.10.0.0 0.0.0.255

access-list 101 deny ip 10.10.0.0 0.0.0.255 172.20.50.0 0.0.0.255
access-list 101 permit ip any any

Then under each interface add

ip access-group 101 in

ip access-group 101 out


chrihussey
VIP Alumni

Believe you need to apply the ACL inbound and not outbound.

Also you are denying 172.20.50.0/24 to 10.x.x.x anything, and not 10.10.0.x/24 with your current masking. If just 10.10.0.x/24 then:

access-list 101 deny ip 172.20.50.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 permit ip any any

Hope this helps


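To make the two accepted answers concrete, here is an added Python model of how IOS evaluates the numbered extended ACL in this thread (wildcard-mask matching, first match wins with the implicit deny, and the in/out binding on an interface); it is not code from the thread or from Cisco. The poster's ACL 101 lines are embedded as constructed sample input; the interface names Gi0/1 and Gi0/0 and the packet addresses are assumptions.

```python
import ipaddress

# Sample input (constructed): the ACL 101 lines from the original post.
ORIGINAL_ACL = [
    "access-list 101 deny ip 172.20.50.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _addr_spec(t, i):
    """Read 'any' or 'ADDR WILDCARD' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (t[i], t[i + 1]), i + 2

def parse_acl(lines):
    """Group 'access-list N deny|permit ip SRC DST' lines by ACL number, in order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # not an extended IP entry; ignore (e.g. standard ACL 1)
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def forwarded(src, dst, ingress, egress, bindings, acls):
    """bindings: {(interface, 'in'|'out'): acl_number}. True if the packet passes.
    An 'in' ACL is checked on the ingress interface, an 'out' ACL on the egress one."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        num = bindings.get((iface, direction))
        if num is not None and evaluate(acls[num], src, dst) == "deny":
            return False
    return True

if __name__ == "__main__":  # packet addresses and interface names are assumed
    for b in ({("Gi0/1", "out"): "101"}, {("Gi0/1", "in"): "101"}):
        print(b, forwarded("172.20.50.10", "10.10.0.20", "Gi0/1", "Gi0/0", b, parse_acl(ORIGINAL_ACL)))
```

Running the two bindings over a 172.20.50.x to 10.10.0.x packet shows why the `out` binding on Gi0/1 never matched: that packet enters Gi0/1 and leaves Gi0/0, so only an `in` ACL on Gi0/1 (or `out` on Gi0/0) sees it. The original 0.255.255.255 wildcard already covers the 10.10.0.0/24 destination, so the mask was broader than needed rather than the reason the deny was missed.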
3 Replies

jangydb98
Level 1

Hi,

Now the traffic block works.

Thanks for your help