Cisco ACL - Restrict a subnet to access only one host on another subnet

Posted on 2004-10-21
Medium Priority
Last Modified: 2013-11-16
I have two VLANs set up using a Catalyst switch and a 2621 using subinterfaces to route the VLANs. We also have a PIX506.

The basic routing works.

Both subnets use the PIX506 for their default gateway (

Subnet 1 = (10.1.199.x/24)
Subnet 2 = (10.1.250.x/24)

I would like to restrict "subnet 2"'s hosts from seeing "subnet 1"'s hosts, but because subnet 2 needs to access the PIX for Internet, I would like to see if subnet 2's gateway ( can forward to (PIX GW) without giving access to the rest of

I am assuming (Newbie thought) that the PIX does not support encapsulation like the Router for subinterfaces...

Thanks in advance...

Question by:mutso

Accepted Solution

tymkoder earned 2000 total points
ID: 12374886
Set up an ACL so that subnet 2 cannot get to subnet 1.

A little rusty, but something like this (this may not work on the PIX):

Create this access list:
access-list 110 permit ip
access-list 110 deny ip 0.0.0.255
access-list 110 permit ip any any

Then apply it to the subnet 2 interface on your router (I believe you are using your PIX as a router).

I know that my code is a little rough, but here is what it is going to do:
1st, allow any address from sub2 to get to the default gateway.
2nd, it will stop sub2 from routing to sub1.
Finally, it will allow sub2 to go anywhere else.

If someone else could please help and clean this up a bit, thanks.


Expert Comment

ID: 12380327
That won't work. ACLs are processed in line order. You need to add the specific host permit after the subnet is blocked. Otherwise, it's wiped out by the subnet deny statement.

Expert Comment

ID: 12382208
As you just said, ACLs are processed in line order. Correct me if I'm wrong, but if you block the subnet before you allow the particular host, the host will never get access. As soon as one of the statements is matched, the rest of the list does not matter. I don't know how ACLs work on the PIX.
If it is wrong, help out and make the corrections.


Expert Comment

ID: 12384534
If you permit a host then deny the network, you just denied the host because he's part of the network. You have to permit the host after you deny the network.

Expert Comment

ID: 12385466
tymkoder's access list is correct. Doesn't need any clean up :)

When the packet for the gateway arrives, the first rule in the access list is matched and traffic is allowed.
When a packet for the rest of the network arrives, the first rule is not matched, so the process moves to the next rule, which is then matched and traffic is blocked.

The first ACL entry allows the host only.
The second ACL entry denies the rest of the subnet.

Expert Comment

ID: 12387518
Yes, tymkoder's ACL is correct: once a match is made, it stops processing and forwards or drops the packet.

-= Felix =-
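A small first-match simulator for the three-entry list tymkoder posted, added here as an example (not code from the thread); the two /24s come from the question, while the PIX inside address is not shown on the page, so 10.1.199.1 is an assumed placeholder. It evaluates the same entries in both orders to show why the host permit must come before the subnet deny, as the later comments explain.

```python
"""Added example: first-match evaluation of an IOS-style extended IP ACL."""
from ipaddress import IPv4Address

# Constructed values. The two /24s come from the question; the PIX inside
# address is not on the page, so 10.1.199.1 is an assumed placeholder.
PIX_INSIDE = "10.1.199.1"
ACL_110 = [
    f"access-list 110 permit ip 10.1.250.0 0.0.0.255 host {PIX_INSIDE}",
    "access-list 110 deny ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255",
    "access-list 110 permit ip any any",
]
# Same three entries, but with the host permit placed after the subnet deny.
ACL_WRONG_ORDER = [ACL_110[1], ACL_110[0], ACL_110[2]]


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') -> (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Turn 'access-list N permit|deny ip SRC DST' into (action, src_spec, dst_spec)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    rest = tokens[4:]
    return tokens[2], _parse_addr(rest), _parse_addr(rest)


def _matches(addr, base, wild):
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is a don't-care."""
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def evaluate(acl_lines, src_ip, dst_ip):
    """Walk the list top-down; the first matching entry decides. Returns (action, entry_no)."""
    src, dst = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for n, line in enumerate(acl_lines, 1):
        action, (sb, sw), (db, dw) = parse_ace(line)
        if _matches(src, sb, sw) and _matches(dst, db, dw):
            return action, n
    return "deny", None  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    for acl in (ACL_110, ACL_WRONG_ORDER):
        print(evaluate(acl, "10.1.250.20", PIX_INSIDE))  # ('permit', 1) then ('deny', 1)
```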
