
Using ACL to block access to other internal networks

pointless_l (Level 1)

I have a Cisco 1900 router configured with 3 subinterfaces. I want one subinterface to only access the internet and not the other 2 interfaces. When I use access-group 130 in on the interface my users don't even get a DHCP lease; when I use access-group 130 out my clients can't reach any network. Any ideas on what I'm overlooking?

interface GigabitEthernet0/0.3
 encapsulation dot1Q 240
 ip address 192.168.240.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no cdp enable
!
access-list 130 deny   ip any 192.168.20.0 0.0.0.255
access-list 130 deny   ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any

Any help is much appreciated.

Accepted Solution

gatlin007 (Level 4)

Apply this inbound as you have in the example. Add the following to account for a DHCP request. Remember the client doesn't have an IP address when it sends a DHCP request, so it won't match the 192.168.240.0/24 permit any line.

access-list 130 permit udp any any eq 67

If your DHCP server is in 192.168.20.0/24 or 192.168.33.0/24 then this line must occur at the beginning of the ACL.

Chris

3 Replies

Thanks Chris, that worked flawlessly!

Yudong Wu (Level 7)

You should use "access-group 130 in" based on your description.

Where is your DHCP server? You can change ACL 130 as follows and then check the log to see what is denied for DHCP. Then enable it accordingly.

access-list 130 deny   ip any 192.168.20.0 0.0.0.255
access-list 130 deny   ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any
access-list 130 deny   ip any any log
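To make the ordering point from both answers concrete, the following is an added example, not code from this thread or from Cisco: a small Python simulation of how IOS evaluates an extended numbered ACL top-down, first match wins, with an implicit deny at the end. It parses only the subset of ACL syntax used in this thread, and every packet in it is constructed (the client address 192.168.240.50, a DHCP server at 192.168.20.5 and the internet host 203.0.113.10 are assumptions, not values from the poster's network). It shows why a DHCPDISCOVER sourced from 0.0.0.0 never matches the 192.168.240.0/24 permit line, why "permit udp any any eq 67" has to sit above the "deny ip any 192.168.20.0" line when the server lives in that subnet (a lease renewal is unicast to the server), and which entry an explicit "deny ip any any log" line would report as the match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three lines the original poster configured (copied from the thread).
ORIGINAL_ACL = [
    "access-list 130 deny   ip any 192.168.20.0 0.0.0.255",
    "access-list 130 deny   ip any 192.168.33.0 0.0.0.255",
    "access-list 130 permit ip 192.168.240.0 0.0.0.255 any",
]
DHCP_PERMIT = "access-list 130 permit udp any any eq 67"   # accepted answer
DENY_LOG = "access-list 130 deny ip any any log"            # second answer


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # from "eq N", if present
    text: str                   # original line, returned as the match reason


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list N {permit|deny} PROTO SRC DST [eq PORT] [log]"""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    while i < len(tokens):
        if tokens[i] == "eq":
            dport, i = int(tokens[i + 1]), i + 2
        elif tokens[i] == "log":
            i += 1          # logging changes syslog output, not the verdict
        else:
            raise ValueError(f"unsupported token {tokens[i]!r} in: {line}")
    return Ace(action, proto, src, dst, dport, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for ace in (parse_ace(line) for line in acl_lines):
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed packets, not captures from the poster's network.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)            # no lease yet
RENEW_TO_VLAN20 = Packet("udp", "192.168.240.50", "192.168.20.5", 67)  # unicast renew, server assumed in VLAN 20
TO_VLAN33 = Packet("tcp", "192.168.240.50", "192.168.33.10", 445)
TO_INTERNET = Packet("tcp", "192.168.240.50", "203.0.113.10", 443)    # documentation address


if __name__ == "__main__":
    variants = {
        "as posted": ORIGINAL_ACL,
        "DHCP permit appended": ORIGINAL_ACL + [DHCP_PERMIT],
        "DHCP permit first": [DHCP_PERMIT] + ORIGINAL_ACL,
        "as posted + deny log": ORIGINAL_ACL + [DENY_LOG],
    }
    probes = [("DISCOVER", DISCOVER), ("renew->vlan20", RENEW_TO_VLAN20),
              ("smb->vlan33", TO_VLAN33), ("https->internet", TO_INTERNET)]
    for name, acl in variants.items():
        print(f"== {name}")
        for label, pkt in probes:
            action, why = evaluate(acl, pkt)
            print(f"  {label:16} {action:6} ({why})")
```

Running the script prints one verdict table per ACL variant. On the router itself the equivalent check is the per-line hit counter in "show access-lists 130": a DISCOVER that only increments the implicit deny (or the explicit "deny ip any any log" line, which also produces a syslog message) is the symptom the original poster described, and moving the UDP 67 permit to the top of the list is what lets both the broadcast DISCOVER and the unicast renewal through while traffic to the other two subnets still hits the deny lines.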
