Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14199
Views
0
Helpful
3
Replies

Using ACL to block access to other internal networks

Go to solution
pointless_l
Beginner
Beginner

‎10-26-2010 09:20 AM - edited ‎03-06-2019 01:44 PM

I have a Cisco 1900 router configured with 3 subinterfaces. I want one subinterface to only access the internet and not the other 2 interfaces. When I use access-group 130 in on the interface my users don't even get a DHCP lease, when I use access-group 130 out my clients can't reach any network. Any ideas on when I'm overlooking?

interface GigabitEthernet0/0.3

encapsulation dot1Q 240

ip address 192.168.240.1 255.255.255.0

ip access-group 130 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

no cdp enable

!

access-list 130 deny   ip any 192.168.20.0 0.0.0.255

access-list 130 deny   ip any 192.168.33.0 0.0.0.255

access-list 130 permit ip 192.168.240.0 0.0.0.255 any

Any help is much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gatlin007
Enthusiast
Enthusiast

‎10-26-2010 10:49 AM

Apply this inbound as you have in the example.  Add the following to account for a DHCP request.  Remember the client doesn't have an IP address when it sends a DHCP request, so it won't match the 192.168.240.0/24 permit any line.

access-list 130 permit udp any any eq 67

If your DHCP server is in 192.168.20.0/24 or 192.168.33.0/24 then this line must occur at the beginning of the ACL.


Chris

View solution in original post