I have a Cisco 1900 router configured with 3 subinterfaces. I want one subinterface to only access the internet and not the other 2 interfaces. When I use access-group 130 in on the interface my users don't even get a DHCP lease, and when I use access-group 130 out my clients can't reach any network. Any ideas on what I'm overlooking?
encapsulation dot1Q 240
ip address 192.168.240.1 255.255.255.0
ip access-group 130 in
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 deny ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any
Apply this inbound as you have in the example. Add the following to account for a DHCP request. Remember the client doesn't have an IP address when it sends a DHCP request, so it won't match the 192.168.240.0/24 permit any line.
access-list 130 permit udp any any eq 67
If your DHCP server is in 192.168.20.0/24 or 192.168.33.0/24 then this line must occur at the beginning of the ACL.
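To see why the ordering matters, here is an added Python model of how an IOS extended ACL is evaluated (first match wins, implicit deny at the end). It is illustration code written for this thread, not anything from IOS or from either poster. It parses the ACL lines above in their literal syntax and evaluates a few constructed packets: the initial DHCPDISCOVER (source 0.0.0.0, broadcast destination), a unicast lease renewal to a DHCP server assumed at 192.168.20.10, normal internet traffic, a cross-VLAN attempt, and a return packet as it would be seen by the ACL in the "out" direction. The 192.168.20.10 server address and the client/host addresses are assumptions made up for the example.

```python
"""Model of Cisco IOS extended ACL evaluation: first match wins, implicit deny.

Added illustration for the thread above, not IOS code. Handles the subset of
syntax the thread uses: 'access-list N permit|deny PROTO SRC DST [eq PORT]'
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "udp" or "tcp"
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str
    src_net: Optional[ipaddress.IPv4Network]   # None means "any"
    dst_net: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    # (only contiguous wildcards are supported by this model).
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list ...' lines in order; other lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])     # numeric ports only (67, not bootps)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def _matches(ace, pkt):
    # 'ip' matches every protocol; 'udp'/'tcp' only their own.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src_net is not None and ipaddress.IPv4Address(pkt.src) not in ace.src_net:
        return False
    if ace.dst_net is not None and ipaddress.IPv4Address(pkt.dst) not in ace.dst_net:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True

def evaluate(aces, pkt):
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"

# The ACL as posted in the question.
ACL_ORIGINAL = """
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 deny ip any 192.168.33.0 0.0.0.255
access-list 130 permit ip 192.168.240.0 0.0.0.255 any
"""
# DHCP permit added at the end, and added at the beginning.
ACL_APPENDED = ACL_ORIGINAL + "access-list 130 permit udp any any eq 67\n"
ACL_PREPENDED = "access-list 130 permit udp any any eq 67\n" + ACL_ORIGINAL

# Constructed packets (addresses are assumptions for the example).
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)      # no lease yet
RENEW = Packet("192.168.240.50", "192.168.20.10", "udp", 67)     # unicast to server
INTERNET = Packet("192.168.240.50", "203.0.113.10", "tcp", 443)
CROSS_VLAN = Packet("192.168.240.50", "192.168.33.7", "tcp", 445)
# A reply from the internet as the ACL would see it if applied 'out':
RETURN_OUT = Packet("203.0.113.10", "192.168.240.50", "tcp", 51000)

if __name__ == "__main__":
    for name, text in [("original", ACL_ORIGINAL), ("appended", ACL_APPENDED),
                       ("prepended", ACL_PREPENDED)]:
        aces = parse_acl(text)
        print(name, {p: evaluate(aces, pkt) for p, pkt in
                     [("discover", DISCOVER), ("renew", RENEW),
                      ("internet", INTERNET), ("cross_vlan", CROSS_VLAN)]})
    print("return traffic under an 'out' ACL:", evaluate(parse_acl(ACL_PREPENDED), RETURN_OUT))
```

With the original ACL the DHCPDISCOVER falls through to the implicit deny, which is the "no lease" symptom. Appending the UDP/67 permit fixes discovery (the broadcast destination is not in either denied subnet) but a unicast renewal to a server inside 192.168.20.0/24 still hits the first deny line, so the permit has to come first in that case. The last line shows the "out" problem: every packet returning to the clients has a remote source address, so it never matches the permit for 192.168.240.0/24 and is dropped.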