Cisco ACL - Restrict a subnet to access only one host on another subnet

Posted on 2004-10-21
Last Modified: 2013-11-16
I have two VLANs set up using a Catalyst switch and a 2621 using subinterfaces to route the VLANs.  We also have a PIX506.

The basic routing works.

Both subnets use the PIX506 for their default gateway (

Subnet 1 = (10.1.199.x/24)
Subnet 2 = (10.1.250.x/24)

I would like to restrict "subnet 2"'s hosts from seeing "subnet 1"'s hosts, but because subnet 2 needs to access the PIX for Internet, I would like to see if subnet 2's gateway ( can forward to (PIX GW) without giving access to the rest of

I am assuming (Newbie thought) that the PIX does not support encapsulation like the Router for subinterfaces...

Thanks in advance...

Question by: mutso
    LVL 1

    Accepted Solution

    set up an ACL so that subnet 2 cannot get to subnet 1

    a little rusty but something like this (this may not work on the PIX)

    create this access list
    access-list 110 permit ip
    access-list 110 deny ip 0.0.0.255
    access-list 110 permit ip any any

    then apply it to the subnet 2 interface on your router (I believe you are using your PIX as a router)

    I know that my code is a little rough but here is what it is going to do.
    1st allow any address from the sub2 to get to the default gateway.
    2nd it will stop sub2 from routing to sub1
    finally it will allow sub2 to go anywhere else.

    If someone else could please help and clean this up a bit thanks.

    LVL 5

    Expert Comment

    That won't work.  ACLs are processed in line order.  You need to add the specific host permit after the subnet is blocked.  Otherwise, it's wiped out by the subnet deny statement.
    LVL 1

    Expert Comment

    As you just said, ACLs are processed in line order. Correct me if I'm wrong, but if you block the subnet before you allow the particular host, the host will never get access. As soon as one of the statements is matched, the rest of the list does not matter. I don't know how ACLs work on the PIX.
    If it is wrong, help out and make the corrections.

    LVL 5

    Expert Comment

    If you permit a host then deny the network you just denied the host because he's part of the network.  You have to permit the host after you deny the network.
    LVL 1

    Expert Comment

    tymaker's access list is correct. Doesn't need any clean up :)

    When the packet for the gateway arrives, the first rule in the access list is matched and traffic is allowed.
    When a packet for the rest of the network arrives, the first rule is not matched, so the process moves to the next rule, which is then matched and traffic is blocked.

    The first ACL entry allows the host only.
    The second ACL entry denies the rest of the subnet.
    LVL 3

    Expert Comment

    Yes, tymkoder's ACL is correct: once a match is made it stops processing and forwards or drops the packet.

    -= Felix =-
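The ordering question argued back and forth above (host permit before the subnet deny, or after) comes down to first-match semantics plus the implicit deny at the end of every IOS ACL. The following simulator is an added example, not code from the thread or from Cisco: it parses the three-line extended ACL in the accepted answer's form, evaluates packets from subnet 2 (10.1.250.0/24) against both orderings, and flags entries that an earlier, broader entry shadows so they can never match. The two subnets come from the question; the PIX address 10.1.199.1 is an assumed placeholder because the page does not show it. The ACL is meant to be applied inbound on the subnet-2 subinterface of the 2621, as the accepted answer says.

```python
"""Simulate Cisco first-match ACL evaluation for the subnet-2 -> subnet-1 case.

Constructed example (not from the thread). The two subnets are the ones the
question gives; PIX_GATEWAY is an ASSUMED placeholder, since the page does not
show the PIX address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PIX_GATEWAY = "10.1.199.1"  # assumed placeholder for the PIX inside address


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard) into a network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, wildcard = parts
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_entry(line: str) -> AclEntry:
    """Parse one 'access-list <n> permit|deny ip <src> <dst>' line (IOS extended ACL syntax)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    action, rest = tokens[2], tokens[4:]
    specs = []
    for _ in range(2):                        # source, then destination
        width = 1 if rest[0] == "any" else 2  # 'any' is one token, the others two
        specs.append(" ".join(rest[:width]))
        rest = rest[width:]
    return AclEntry(action, parse_addr(specs[0]), parse_addr(specs[1]))


def load(lines: List[str]) -> List[AclEntry]:
    return [parse_entry(line) for line in lines]


# Ordering from the accepted answer: host permit BEFORE the subnet deny.
CORRECT_ORDER = load([
    f"access-list 110 permit ip 10.1.250.0 0.0.0.255 host {PIX_GATEWAY}",
    "access-list 110 deny ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255",
    "access-list 110 permit ip any any",
])

# Ordering debated in the thread: subnet deny first, then the host permit.
WRONG_ORDER = load([
    "access-list 110 deny ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255",
    f"access-list 110 permit ip 10.1.250.0 0.0.0.255 host {PIX_GATEWAY}",
    "access-list 110 permit ip any any",
])


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First match wins; a packet matching nothing hits the implicit 'deny any any' (index None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for index, e in enumerate(acl):
        if src in e.src and dst in e.dst:
            return e.action, index
    return "deny", None


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier, broader entry covers them.

    This is the lint that catches the deny-before-permit ordering mistake.
    """
    result = []
    for j, later in enumerate(acl):
        if any(later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
               for earlier in acl[:j]):
            result.append(j)
    return result


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, "-> PIX:", evaluate(acl, "10.1.250.20", PIX_GATEWAY),
              "| -> subnet 1 host:", evaluate(acl, "10.1.250.20", "10.1.199.50"),
              "| -> Internet:", evaluate(acl, "10.1.250.20", "203.0.113.5"),
              "| shadowed:", shadowed_entries(acl))
```

Running it shows the accepted answer's ordering permitting traffic to the PIX on entry 0, denying the rest of subnet 1 on entry 1 and passing Internet-bound traffic on entry 2, while the deny-first ordering drops the PIX-bound packet on entry 0 and reports its host permit as shadowed. On a real router the equivalent check is `show access-lists`, whose per-entry match counters stay at zero for an entry that is shadowed.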
