We received a preconfigured router, however it was not configured correctly. Initially, our Guest and BYOD VLANs had no access to the internet. I added

access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.3.0 0.0.0.255 any

And as expected, there is now internet access, but there is also access to  our internal network. Do I need to create a separate route-map or setup access groups? Or can I only allow traffic to 0.0.0.0 somehow instead of any? Or would I have to create deny rules?

Also the port forwarding doesn't work,  but I'm not sure this is the right place to ask about it.

The config

Building configuration...

Current configuration : 7506 bytes
!

!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAME
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.17.43.1 172.17.43.75
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool V
network 172.17.43.0 255.255.255.0
default-router 172.17.43.1
dns-server 10.15.48.1 172.17.42.4 8.8.8.8
lease 15
!
ip dhcp pool V2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 172.17.43.7 8.8.8.8
lease 45
!
ip dhcp pool V3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
!
!
!
ip domain name Domain.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 5
local name FS
ip mtu adjust
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-436626869
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-436626869
revocation-check none
rsakeypair TP-self-signed-436626869
!
!
crypto pki certificate chain TP-self-signed-436626869
certificate self-signed 01

quit
!
!
username user1 privilege 15 secret 5
username user2 privilege 7 password 0
username user3 privilege 15 secret 5
username user4 privilege 15 secret 5
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

!
!
crypto ipsec transform-set TRANSFORMZ esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TRANSFORMY esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map FMAP 10 ipsec-isakmp
set peer 2.3.4.5
set transform-set TRANSFORMZ
match address 111
crypto map FMAP 20 ipsec-isakmp
set peer 1.2.3.4
set transform-set TRANSFORMY
match address 113
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN Interface
ip address x.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map FMAP
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1.1
description LAN Interface
encapsulation dot1Q 1 native
ip address 172.17.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.2
description LAN Interface BYOD
encapsulation dot1Q 5
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.3
description LAN Interface FSS-Guest
encapsulation dot1Q 6
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface Virtual-Template5
ip unnumbered GigabitEthernet0/0
peer default ip address pool PPTP-POOL
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
ip local pool PPTP-POOL 10.20.100.1 10.20.100.254
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.17.43.7 1194 x.x.x.x 1194 extendable
ip nat inside source static udp 172.17.43.7 1194 x.x.x.x 1194 extendable
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
!
route-map NONAT permit 10
match ip address 130
!
!
access-list 1 permit 172.17.43.0 0.0.0.255
access-list 23 permit 3.4.5.6
access-list 23 permit 5.4.3.2
access-list 23 permit 4.3.2.1
access-list 23 permit 172.17.43.0 0.0.0.255
access-list 23 permit 8.7.6.5 0.0.0.1
access-list 23 permit 7.6.5.4 0.0.0.1
access-list 23 permit 9.8.7.6 0.0.0.1
access-list 111 permit ip 172.17.43.0 0.0.0.255 10.15.48.0 0.0.0.255
access-list 113 permit ip 172.17.43.0 0.0.0.255 172.17.42.0 0.0.0.255
access-list 130 deny ip 172.17.43.0 0.0.0.255 10.15.48.0 0.0.0.255
access-list 130 deny ip 172.17.43.0 0.0.0.255 172.17.42.0 0.0.0.255
access-list 130 permit ip 172.17.43.0 0.0.0.255 any
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
!
control-plane
!
!
banner motd ^CCCCC

******************************************
* LEGAL NOTICE *
******************************************

blahblah
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end