Dear Seb, Thank you very much for your quick response. I've been testing some Zone Based Firewall configurations and these are definitely the solution to my problem! Thanks for your help! Olivier
Recently I bought a Cisco ISR 1921 to experiment a little with and eventually use as a home router. I am completely new to configuring Cisco routers, so I thought this would be a good opportunity to learn (as I come from a pfSense environment).

What I am trying to achieve is as follows. I have 4 VLANs, which are all configured as subinterfaces of my GigabitEthernet0/1:

VLAN 10: 10.10.1.0/24
VLAN 20: 10.20.1.0/24
VLAN 30: 10.30.1.0/24
VLAN 40: 10.40.1.0/24

VLAN 10 should be able to access all other VLANs + the internet. All other VLANs should not be able to access any other VLAN but itself and the internet. To allow for access to the internet, I have created a NAT overload to the GigabitEthernet0/0, which is working fine.

At present, all VLANs can access each other, which is not desirable. I have tried to limit the access between VLANs using information that I found on forums, such as this post, but a problem that I run into every time is that from VLAN 10, I cannot access the other VLANs (the other VLANs cannot access each other or VLAN 10, so that is working). I get the impression that my router is blocking return traffic, so for instance the response to a request from a VLAN 10 client to a VLAN 20 server is blocked. I know that you can fix this for TCP by using a rule with the "established" keyword, but for instance ICMP requests are also not working. I have read that you can use reflexive ACLs to circumvent this issue, but I am unsure how to configure these, so I would like to know if these are actually a solution to my problem, and if so, how I should configure them.

Maybe it is also good to note that in the future, I would like to allow very specific machines to communicate with each other, so for instance, a spam filter on VLAN 30 should be able to reach a mail server on VLAN 20.

I hope that someone can help me with this issue. Thank you very much in advance for your efforts!
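A Zone Based Firewall configuration that implements the policy described in the post (VLAN 10 may reach every VLAN and the internet; VLANs 20, 30 and 40 may reach only the internet), added here as an illustration and not taken from the thread or from Seb's reply. The subinterface numbers (Gi0/1.10 and so on) and the zone, class-map and policy-map names are assumptions; the existing subinterface addressing and NAT overload are left as they are.

```cisco
! Added example: stateful inter-VLAN policy with Zone Based Firewall (ZBF).
! Traffic between two zones is dropped unless a zone-pair allows it, and
! "inspect" tracks sessions so TCP, UDP and ICMP return traffic is allowed
! without reflexive ACLs or the "established" keyword.
! One inspect class for everything a source zone may initiate.
class-map type inspect match-any CM-ALL
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSPECT-ALL
 class type inspect CM-ALL
  inspect
 class class-default
  drop
! One security zone per VLAN plus the internet side (names assumed).
zone security VLAN10
zone security VLAN20
zone security VLAN30
zone security VLAN40
zone security OUTSIDE
! Subinterface numbers are assumed; encapsulation and IP config already exist.
interface GigabitEthernet0/1.10
 zone-member security VLAN10
interface GigabitEthernet0/1.20
 zone-member security VLAN20
interface GigabitEthernet0/1.30
 zone-member security VLAN30
interface GigabitEthernet0/1.40
 zone-member security VLAN40
interface GigabitEthernet0/0
 zone-member security OUTSIDE
! VLAN 10 may initiate sessions to every other VLAN and to the internet.
zone-pair security V10-V20 source VLAN10 destination VLAN20
 service-policy type inspect PM-INSPECT-ALL
zone-pair security V10-V30 source VLAN10 destination VLAN30
 service-policy type inspect PM-INSPECT-ALL
zone-pair security V10-V40 source VLAN10 destination VLAN40
 service-policy type inspect PM-INSPECT-ALL
zone-pair security V10-OUT source VLAN10 destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
! VLANs 20, 30 and 40 may only initiate sessions to the internet; with no
! zone-pair toward the other VLANs, that traffic is dropped by default.
zone-pair security V20-OUT source VLAN20 destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
zone-pair security V30-OUT source VLAN30 destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
zone-pair security V40-OUT source VLAN40 destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
```

Active sessions and drop counters can be checked with `show policy-map type inspect zone-pair sessions`. The later spam-filter case is a separate zone-pair from VLAN30 to VLAN20 whose class-map matches an access-list limited to the two hosts and `match protocol smtp`, rather than CM-ALL.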