Range Internet access

said.ritel · ‎08-15-2017

Hi,

Currently I blocked Internet traffic (www and http) on the whole network but I want to allow a part of the network (192.168.1.1 - 192.168.1.20) to access the internet.

What order should be added to allow this range to go on the internet

This is my config:

interface GigabitEthernet0/1
description LAN
ip address 192.168.1.8 255.255.255.0
ip access-group 111 in

access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq www
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 111 permit ip any any

Mohammad Alhyari · ‎08-15-2017

Trying to figure the the logic behind your access list:

access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq www // deny http from inside lan
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 443 // deny https from inside lan
access-list 111 permit ip any any // allow anything else

Your requirements:

allow specific range from that subnet to access the internet:

You can use object groups with ranges to do that :

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html

add the lines referring to the object groups before the first and second deny:

ip access-list ext 111

1 permit <your object>