
Access-List On Router To Restrict Intervlan Traffic

I have several offices that are connected via fiber, which I have recently put on VLANs to separate the networks. I have one Cisco PIX that is doing NAT, then an INSIDE router (2610XM) that is doing DHCP and also has the sub-interfaces for my VLANs. As anyone knows, the way that I have it configured is going to allow traffic to pass between the networks. I am trying to stop traffic from passing between all of the VLANs, except for two IP addresses on my 10.8.0.0 network: my router (10.8.0.1) (which is currently working because it is my router) and my PIX (10.8.0.5).

The clients that pull IP addresses from my 10.8.0.1 VLAN work fine. However, the clients on VLAN 3 (10.3.0.0 network) can pull IP addresses, but cannot surf the web or ping the PIX. When I remove the access-list, it works fine, so I know that the VLANs are working properly and the PIX is not blocking the traffic request. I have played with the access-lists for a bit and cannot seem to get them to work properly. Any help would be greatly appreciated.

Below is the last config that I tried to apply the access-list to. It blocks the intervlan traffic, but also blocks my internet connection; I can ping 10.8.0.1, but not my PIX.


Cisco PIX - 10.8.0.5
Inside Router - 10.8.0.1



ip dhcp excluded-address 10.8.0.0 10.8.0.99
ip dhcp excluded-address 10.3.0.1 10.3.0.99
!
ip dhcp pool RLlan
   network 10.8.0.0 255.255.240.0
   default-router 10.8.0.1
   dns-server 10.8.0.2 205.244.200.3
!
ip dhcp pool VLAN3_Hotel_Staff
   network 10.3.0.0 255.255.255.0
   default-router 10.3.0.1
   dns-server 205.244.200.3 205.244.123.3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
!
interface FastEthernet0/0.3
 description VLAN 3 Hotel Staff
 encapsulation dot1Q 3
 ip address 10.3.0.1 255.255.255.0
!
interface FastEthernet0/0.4
 description VLAN 4 Hotel Guest
 encapsulation dot1Q 4
 ip address 10.4.0.1 255.255.255.0
!
interface FastEthernet0/0.8
 description VLAN 1 Welcome Center
 encapsulation dot1Q 1 native
 ip address 10.8.0.1 255.255.240.0
 ip access-group 2 in
!
interface Serial0/0
 ip address 192.168.255.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.8.0.5
ip route 10.13.0.0 255.255.240.0 Serial0/0
ip http server
!

access-list 101 permit ip any host 10.8.0.1
access-list 101 permit ip any host 10.8.0.5
access-list 101 permit ip any host 10.3.0.1
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 101 permit ip any any

dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
end



Asked by: hextex

1 Solution

Dr-IP commented:
The problem is that you should create 3 access lists to do what you want. Each access list, of course, is applied to its respective interface.

It should be in the form: deny the other subnets, then permit any. You don't have to add a permit for the router or the PIX, because they are not the ultimate destination, and thus the packets are forwarded to them. Also, it's more secure this way since it blocks telnet access from the inside hosts to the firewall, but if you want to allow it from one of the subnets or hosts, you can always add it.


! ACL 101: apply inbound on FastEthernet0/0.3 (VLAN 3, 10.3.0.0/24)
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.15.255
access-list 101 permit ip any any
!
! ACL 102: apply inbound on FastEthernet0/0.4 (VLAN 4, 10.4.0.0/24)
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.8.0.0 0.0.15.255
access-list 102 permit ip any any
!
! ACL 108: apply inbound on FastEthernet0/0.8 (native VLAN, 10.8.0.0/20)
! The 10.8.0.0 wildcard is 0.0.15.255 so it covers the whole /20
! (255.255.240.0) configured on that subinterface, not only 10.8.0.0/24.
access-list 108 deny ip 10.8.0.0 0.0.15.255 10.3.0.0 0.0.0.255
access-list 108 deny ip 10.8.0.0 0.0.15.255 10.4.0.0 0.0.0.255
access-list 108 permit ip any any


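The following is an added Python example, not part of the thread and not Cisco's code, that simulates how IOS evaluates a numbered extended ACL: first matching entry wins, wildcard bits are "don't care", and an ACL with no match ends in the implicit deny. The embedded ACL text follows the answer's three-ACL pattern but deliberately keeps a 0.0.0.255 wildcard on 10.8.0.0, so the example can show why the Welcome Center subinterface's /20 mask (255.255.240.0) needs 0.0.15.255 instead. The host addresses 10.3.0.50, 10.4.0.20, 10.8.1.10 and 203.0.113.10, and ACL 110, are constructed for the demonstration; only the `permit ip` / `deny ip` forms used in the thread are modelled.

```python
import ipaddress

# Constructed copy of the three-ACL pattern from the accepted answer, with the
# narrow 0.0.0.255 wildcard on 10.8.0.0 kept on purpose for the demonstration.
ANSWER_ACLS = """
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 108 deny ip 10.8.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 108 deny ip 10.8.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 108 permit ip any any
"""


def wildcard_for(prefix):
    """IOS wildcard mask covering an IPv4 prefix: '10.8.0.0/20' -> '0.0.15.255'."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def _parse_spec(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')
    starting at tokens[i]; return (match function over int addresses, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: ip == t), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Bits set in the wildcard are "don't care": compare only the remaining bits.
    return (lambda ip, b=base, w=wild: (ip | w) == (b | w)), i + 2


def parse_acls(config_text):
    """Return {acl_number: [(action, src_match, dst_match, line), ...]} in config order."""
    acls = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        tokens = line.split()
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only 'permit ip' / 'deny ip' entries are modelled: " + line)
        src_match, i = _parse_spec(tokens, 4)
        dst_match, _ = _parse_spec(tokens, i)
        acls.setdefault(number, []).append((action, src_match, dst_match, line))
    return acls


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; with no match, IOS applies the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, src_match, dst_match, line in acl:
        if src_match(s) and dst_match(d):
            return action, line
    return "deny", "implicit deny at end of ACL"


def demo():
    """Sample flows from a VLAN 3 host, evaluated as ACL 101 would see them
    inbound on FastEthernet0/0.3. Returns {flow name: action}."""
    acl101 = parse_acls(ANSWER_ACLS)["101"]
    flows = {
        "vlan3_to_vlan4_host": ("10.3.0.50", "10.4.0.20"),
        "vlan3_to_pix_itself": ("10.3.0.50", "10.8.0.5"),
        # Internet-bound packet: the destination is the remote host, not the
        # PIX next hop, so the deny for 10.8.0.0 never matches (the answer's point).
        "vlan3_to_internet_via_pix": ("10.3.0.50", "203.0.113.10"),
        "vlan3_to_own_gateway": ("10.3.0.50", "10.3.0.1"),
        # The Welcome Center VLAN is 10.8.0.0/20, but wildcard 0.0.0.255 covers
        # only 10.8.0.0/24, so this host on that VLAN slips past the deny.
        "vlan3_to_10.8.1.10_as_posted": ("10.3.0.50", "10.8.1.10"),
    }
    results = {name: evaluate(acl101, s, d)[0] for name, (s, d) in flows.items()}

    # Same ACL with every 10.8.0.0 entry widened to the subinterface's /20.
    widened = ANSWER_ACLS.replace("10.8.0.0 0.0.0.255", "10.8.0.0 " + wildcard_for("10.8.0.0/20"))
    acl101_fixed = parse_acls(widened)["101"]
    results["vlan3_to_10.8.1.10_with_/20_wildcard"] = evaluate(acl101_fixed, "10.3.0.50", "10.8.1.10")[0]

    # Constructed ACL 110: without the closing 'permit ip any any', everything
    # else hits the implicit deny, including the host's own default gateway.
    deny_only = parse_acls("access-list 110 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255")["110"]
    results["vlan3_to_own_gateway_without_permit_any"] = evaluate(deny_only, "10.3.0.50", "10.3.0.1")[0]
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:45s} -> {action}")
```

Running the script prints one line per flow. The two results worth noting: Internet traffic from VLAN 3 is permitted even though the default route points at the PIX, because the ACL tests the packet's destination address rather than its next hop; and a host such as 10.8.1.10 on the /20 Welcome Center VLAN is only caught once the wildcard is widened to 0.0.15.255.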
 
hextex (Author) commented:
Works like a charm...thank you very much!
