Cisco ACL - Restrict a subnet to access only one host on another subnet

I have two VLANs set up using a Catalyst switch and using a 2621 with subinterfaces to route the VLANs.  We also have a PIX506.

The basic routing works.

Both subnets use the PIX506 for their default gateway (

Subnet 1 = (10.1.199.x/24)
Subnet 2 = (10.1.250.x/24)

I would like to restrict "subnet 2"'s hosts from seeing "subnet 1"'s hosts, but because subnet 2 needs to access the PIX for Internet, I would like to see if subnet 2's gateway ( can forward to (PIX GW) without giving access to the rest of

I am assuming (Newbie thought) that the PIX does not support encapsulation like the Router for subinterfaces...

Thanks in advance...

set up an ACL so that subnet 2 cannot get to subnet 1

A little rusty, but something like this (this may not work on the PIX):

create this access list
access-list 110 permit ip
access-list 110 deny ip 0.0.0255
access-list 110 permit any any

Then apply it to the subnet 2 interface on your router (I believe you are using your PIX as a router).

I know that my code is a little rough, but here is what it is going to do:
1st, allow any address from sub2 to get to the default gateway.
2nd, it will stop sub2 from routing to sub1.
Finally, it will allow sub2 to go anywhere else.

If someone else could please help and clean this up a bit, thanks.

That won't work.  ACLs are processed in line order.  You need to add the specific host permit after the subnet is blocked.  Otherwise, it's wiped out by the subnet deny statement.
As you just said, ACLs are processed in line order. Correct me if I'm wrong, but if you block the subnet before you allow the particular host, the host will never get access. As soon as one of the statements is matched, the rest of the list does not matter. I don't know how ACLs work on the PIX.
If it is wrong, help out and make the corrections.


If you permit a host then deny the network you just denied the host because he's part of the network.  You have to permit the host after you deny the network.
tymaker's access list is correct. Doesn't need any clean up :)

When the packet for the gateway arrives, first rule in the access list is matched and traffic is allowed.
When the packet for the rest of the network arrives, the first rule is not matched, so the process moves to the next rule, which is then matched and traffic is blocked.

First ACL entry is allowing host only.
Second ACL entry denies the rest of the subnet.
Yes, tymkoder's ACL is correct: once a match is made, it stops processing and forwards or drops the packet.

-= Felix =-
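To make the first-match point concrete, here is an added simulation (not code from the thread) of IOS extended-ACL evaluation over the two subnets above, with the gateway address and the hosts used for testing assumed, since the thread omits them. It evaluates both orderings and renders each list as IOS access-list lines so the wildcard masks can be checked.

```python
import ipaddress

# Networks from the thread; the PIX gateway address is an assumption
# (the thread's IPs were lost), placed on subnet 1 for illustration.
SUBNET1 = "10.1.199.0/24"
SUBNET2 = "10.1.250.0/24"
PIX_GW = "10.1.199.1/32"   # assumed gateway host, not from the thread
ANY = "0.0.0.0/0"

def entry(action, src, dst):
    """One ACL entry: action plus source and destination networks."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# Order proposed in the thread: permit the gateway host first,
# then deny the rest of subnet 1, then permit everything else.
ACL_CORRECT = [
    entry("permit", SUBNET2, PIX_GW),
    entry("deny", SUBNET2, SUBNET1),
    entry("permit", ANY, ANY),
]

# Reversed order: the subnet deny swallows the host permit.
ACL_WRONG = [
    entry("deny", SUBNET2, SUBNET1),
    entry("permit", SUBNET2, PIX_GW),
    entry("permit", ANY, ANY),
]

def evaluate(acl, src, dst):
    """Return the action of the first matching entry (implicit deny at end)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"  # every IOS ACL ends with an implicit deny

def render(acl, number=110):
    """Render entries as IOS extended ACL lines (wildcard = inverted mask)."""
    def part(net):
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == net.max_prefixlen:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"
    return [f"access-list {number} {a} ip {part(s)} {part(d)}" for a, s, d in acl]

if __name__ == "__main__":
    for name, acl in (("correct", ACL_CORRECT), ("wrong", ACL_WRONG)):
        print(name, "->", evaluate(acl, "10.1.250.7", "10.1.199.1"))
        print("\n".join(render(acl)))
```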