Internet for VLAN

frederick.mercado

We are running a 9300 switch that is doing L3 inter vlan/ip routing. I have tried multiple configurations but cannot seem to get clients to get out to the internet. We would like to get our internet only VLAN xxx to allow users in VLAN xxx to go out.

Essentially NATing (masquerading?) their internal IPs of 10.74.xxx.x (Gw .250 and .0 sub) to a single external IP (207.xx.xx.x /.248 sub) to get out to the internet. I connected a cable from our ISP switch to our L3 switch and need a good example port configuration. Clients are connecting via MOBILE SSID and getting DHCP and RADIUS successfully internally, but we want their internet traffic to use the ISP. 

What do you mean by ISP traffic ie. source and destination subnets would be good. 

Are you trying to restrict what traffic is allowed from vlan 126 or from the ISP (is the ISP directly connected to switch ie. no firewall ?).

The main point I was making is that you may need acls on all interfaces but it won't be the same acl and an acl applied in one direction isn't going to work applied in the other on the same interface. 

You could just write one big acl for all interfaces but to me that is just confusing and I would write an acl per interface per direction (assuming you need direction ie. in is usually the one you need). 

Jon

We need an ACL for VLAN xxx traffic to not touch the internal network, as it's for mobile phones, and likewise an ACL for ISP traffic to not reach any other VLAN than xxx. Correct. We do not have a PIX or firewall at the moment to use.

Based on your current acl it looks like the 10.74.126.0/24 subnet does not need to talk to anything internally except for maybe DHCP ? so - 

permit DHCP traffic (if needed)
deny ip 10.74.126.0/24 to any other internal subnets
permit ip 10.74.126.0/24 to any (for internet)

for the deny line you may need multiple lines or you may be able to summarise all internal subnets.

Then apply it inbound to the vlan 126 interface.

That said if this is internet traffic then you really need a firewall and shouldn't be connecting directly to your switch. 

Jon

Should also say that the acl for vlan 127 would stop any other internet working on that link but you did say you wanted to block everything except traffic to vlan 126. 

Jon

Ignore the ISP acl on vlan 127 because it will not be private IPs. 

Basically that acl will be - 

permit ip any host 207.91.252.xx
deny ip any any

Jon

I can't stress enough that you really need a firewall for this as then you would not need an acl on vlan 127 because a firewall would allow the return traffic back in, it's what they are designed to do. 

You are relying purely on NAT for your security here ie. you can only send traffic from the internet if there is a corresponding NAT entry for traffic from vlan 126. 

NAT is not and never was a security feature. 

Jon 

Some progress...after adding:

access-list 100 permit ip 10.74.xxx.0 0.0.0.255 any
ip nat inside source list 100 interface Vlanxxx overload

and removing ACLs I get:

Pro Inside global Inside local Outside local Outside global
icmp 207.x.x.x:1024 10.x.x.x:30840 207.x.x.x:30840 207.x.x.x:1024

So I can now get to the GW, but nothing further?

If there are no acls and you cannot get past the gateway then looks like an issue with the ISP. 

So you can ping the ISP gateway but cannot ping any further ? 

What does a traceroute to an internet IP look like ? 

Jon

Do you have a default route pointing to the ISP gateway ? 

Jon

To allay fears, we will be getting a FW soon, just need to get it up.

I do not have a route. I figured between inter VLAN routing it would cover it. 

Okay then it's not going to work because you need a default route pointing to the ISP gateway but you already have a default route pointing somewhere else. 

You may be able to use VRFs if they are supported on your switch but it would then also need to support VRF NAT as well. 

If you can use a VRF then if it is only vlan 126 that uses the ISP on vlan 127 you would not really need acls as traffic would be contained within that VRF. 

Jon

I guess a PBR or route map would not work. 

I see that our 9300s support inter-VRF routing; any ideas on how one would configure such?

PBR should work as you could then set the next hop IP as the ISP gateway so if it was temporary until you got a firewall it may be the easiest thing to try. 

Not configured VRFs on 9300s but the documentation should have an example although again you then need NAT to work with it. 

May be worth trying the PBR first. 

Jon

hmm I took a laptop to ensure I could get out. I plugged in IP: 207.x.x.x with proper sub and GW and it works. So it has to be configuration wise.... I added the route map and won't get out. No ACLs on it. Clients can ping each other, can ping other internal VLAN clients, and I can ping GW of .25 and the VLAN IP of .28.... but it won't get out past the GW.

Change this - 

set ip default next-hop 207.91.252.25

to - 

set ip next-hop 207.91.252.25

The set ip default next-hop says look in the IP routing table first then use that next hop which is not what you want, you want it to just use the next hop IP in your PBR configuration. 

Jon
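The thread's three pieces (the guest-VLAN ACL Jon outlined, the NAT overload the OP added, and the PBR next-hop fix) pulled together as one added IOS configuration; this is an example written for this page, not config posted by anyone in the thread. Assumed values: 10.74.126.0/24 is the guest subnet with the SVI at .250, 10.74.0.0/16 summarises the internal networks, and the ISP /29 has the switch at 207.91.252.28 with the ISP gateway 207.91.252.25.

```cisco
! Added example (not from the thread): guest VLAN 126 reaches the ISP via VLAN 127.
! Assumptions: guest subnet 10.74.126.0/24 (SVI .250), internal summary 10.74.0.0/16,
! ISP /29 with switch address 207.91.252.28 and gateway 207.91.252.25.
!
! 1. What guests may send: DHCP to the switch, nothing else internal, anything outside.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.74.126.0 0.0.0.255 10.74.0.0 0.0.255.255
 permit ip 10.74.126.0 0.0.0.255 any
!
! 2. NAT overload onto the ISP-facing SVI. As the thread says, NAT is not a security
!    control; GUEST-IN and a firewall do that job.
access-list 100 permit ip 10.74.126.0 0.0.0.255 any
ip nat inside source list 100 interface Vlan127 overload
!
! 3. PBR so guest traffic ignores the existing default route. Internal destinations are
!    excluded from the match so they are routed normally (and then dropped by GUEST-IN).
!    "set ip next-hop" is unconditional; "set ip default next-hop" is only consulted when
!    the routing table has no match, which an existing default route always provides.
ip access-list extended GUEST-PBR
 deny   ip 10.74.126.0 0.0.0.255 10.74.0.0 0.0.255.255
 permit ip 10.74.126.0 0.0.0.255 any
!
route-map GUEST-TO-ISP permit 10
 match ip address GUEST-PBR
 set ip next-hop 207.91.252.25
!
interface Vlan126
 description Guest / mobile VLAN
 ip address 10.74.126.250 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
 ip policy route-map GUEST-TO-ISP
!
interface Vlan127
 description ISP handoff
 ip address 207.91.252.28 255.255.255.248
 ip nat outside
```

Verify with `show ip nat translations` (entries should now show internet destinations, not just the gateway) and `show route-map GUEST-TO-ISP` (the policy-routing match counter should increase as guests browse).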