Access-List On Router To Restrict Intervlan Traffic

I have several offices that are connected via fiber, which I have recently put on VLANs to separate the networks. I have one Cisco PIX that is doing NAT, then an INSIDE router (2610XM) that is doing DHCP and also has the sub-interfaces for my VLANs. As anyone knows, the way that I have it configured is going to allow traffic to pass between the networks. I am trying to stop traffic from passing between all of the VLANs, except for two IP addresses on my 10.8.0.0 network, which are my router (10.8.0.1) (which is currently working because it is my router) and my PIX (10.8.0.5).

The clients that pull IP addresses from my 10.8.0.1 VLAN work fine. However, the clients on VLAN 3 (10.3.0.0 network) can pull IP addresses, but cannot surf the web or ping the PIX. When I remove the access-list, it works fine, so I know that the VLANs are working properly and the PIX is not blocking the traffic. I have played with the access-lists for a bit and cannot seem to get them to work properly. Any help would be greatly appreciated.

Below is the last config that I tried to apply the access-list to. It blocks the intervlan traffic...but also blocks my internet connection; however, I can ping 10.8.0.1, but not my PIX.


Cisco PIX - 10.8.0.5
Inside Router - 10.8.0.1



ip dhcp excluded-address 10.8.0.0 10.8.0.99
ip dhcp excluded-address 10.3.0.1 10.3.0.99
!
ip dhcp pool RLlan
   network 10.8.0.0 255.255.240.0
   default-router 10.8.0.1
   dns-server 10.8.0.2 205.244.200.3
!
ip dhcp pool VLAN3_Hotel_Staff
   network 10.3.0.0 255.255.255.0
   default-router 10.3.0.1
   dns-server 205.244.200.3 205.244.123.3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
!
interface FastEthernet0/0.3
 description VLAN 3 Hotel Staff
 encapsulation dot1Q 3
 ip address 10.3.0.1 255.255.255.0
!
interface FastEthernet0/0.4
 description VLAN 4 Hotel Guest
 encapsulation dot1Q 4
 ip address 10.4.0.1 255.255.255.0
!
interface FastEthernet0/0.8
 description VLAN 1 Welcome Center
 encapsulation dot1Q 1 native
 ip address 10.8.0.1 255.255.240.0
 ip access-group 2 in
!
interface Serial0/0
 ip address 192.168.255.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.8.0.5
ip route 10.13.0.0 255.255.240.0 Serial0/0
ip http server
!

access-list 101 permit ip any host 10.8.0.1
access-list 101 permit ip any host 10.8.0.5
access-list 101 permit ip any host 10.3.0.1
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 101 permit ip any any

dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
end



hextexAsked:
Dr-IPCommented:
The problem is you should create 3 access lists to do what you want it to do. Each access list, of course, is applied to its respective interface.

It should be in the form: deny the other subnets, then permit any. You don't have to add a permit for the router or the PIX, because they are not the ultimate destination, and thus the packets are forwarded to them. Also, it's more secure this way since it blocks telnet access by the inside hosts to the firewall, but if you want to allow it from one of the subnets or hosts, you can always add it.


access-list 101 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 101 permit ip any any

access-list 102 deny ip 10.4.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 102 permit ip any any

access-list 108 deny ip 10.8.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 108 deny ip 10.8.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 108 permit ip any any


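The answer above, worked through as an added example (this is not code from either poster): a small Python first-match evaluator for IOS `access-list ... ip` lines, run over flows constructed from the subnets in the thread. It shows two things a practitioner would want to confirm before applying the lists inbound with `ip access-group 101 in` on FastEthernet0/0.3 (and 102 on 0/0.4, 108 on 0/0.8). First, why Internet traffic keeps working even though the PIX address 10.8.0.5 is denied: the ACL matches on the packet's destination address (205.244.200.3 here, the DNS server from the config), not on the next hop the packet is routed through. Second, a caveat: FastEthernet0/0.8 and the RLlan DHCP pool are configured as 10.8.0.0 255.255.240.0, a /20, while the suggested entries use wildcard 0.0.0.255, so a VLAN 1 client that leased an address such as 10.8.5.10 would still be reachable from VLAN 3; widening the wildcard to 0.0.15.255 closes that gap. The host addresses and flow names below are constructed for the example. (The posted interface line `ip access-group 2 in` also references an ACL 2 that is not defined anywhere in the config; on IOS, an access-group pointing at an undefined list permits all traffic, which is worth cleaning up when the new lists go in.)

```python
"""
Minimal first-match evaluator for Cisco IOS extended 'access-list ... ip' lines.

Added example for this thread, not code from the original posts. It understands
only the subset used in the thread: 'permit'/'deny', protocol 'ip', and
addresses written as 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'. The ACL text
is Dr-IP's ACL 101; the flows and the 10.8.5.10 host are constructed test data.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_for(mask: str) -> str:
    """IOS wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(ip_to_int(mask) ^ MASK32))


@dataclass
class Ace:
    action: str   # 'permit' or 'deny'
    src: int
    src_wc: int   # wildcard: a 1 bit means "don't care"
    dst: int
    dst_wc: int

    def matches(self, src: str, dst: str) -> bool:
        keep_src = ~self.src_wc & MASK32
        keep_dst = ~self.dst_wc & MASK32
        return (ip_to_int(src) & keep_src) == (self.src & keep_src) and \
               (ip_to_int(dst) & keep_dst) == (self.dst & keep_dst)


def _parse_addr(tokens, i):
    """Return (address, wildcard, next_index) for 'any', 'host X', or 'X WC'."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return ip_to_int(tokens[i + 1]), 0, i + 2
    return ip_to_int(tokens[i]), ip_to_int(tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Group 'access-list N permit|deny ip SRC DST' lines by list number."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = int(tokens[1]), tokens[2]
        src, src_wc, i = _parse_addr(tokens, 4)
        dst, dst_wc, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append(Ace(action, src, src_wc, dst, dst_wc))
    return acls


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


# ACL 101 exactly as suggested in the answer (wildcard 0.0.0.255 on 10.8.0.0).
ACL_AS_POSTED = """
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 101 permit ip any any
"""

# Same list with the 10.8.0.0 entry widened to the /20 that is actually
# configured on FastEthernet0/0.8 (255.255.240.0 -> wildcard 0.0.15.255).
ACL_FULL_SUBNET = """
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.8.0.0 0.0.15.255
access-list 101 permit ip any any
"""

# Constructed flows from a VLAN 3 host (10.3.0.50 is invented).
FLOWS = {
    "vlan3 -> internet (dns 205.244.200.3)": ("10.3.0.50", "205.244.200.3"),
    "vlan3 -> pix 10.8.0.5": ("10.3.0.50", "10.8.0.5"),
    "vlan3 -> vlan4 host": ("10.3.0.50", "10.4.0.20"),
    "vlan3 -> 10.8.5.10 (inside /20, outside /24)": ("10.3.0.50", "10.8.5.10"),
}


def check_flows(acl_text: str) -> dict:
    """Evaluate every constructed flow against ACL 101 from the given text."""
    acl = parse_acl(acl_text)[101]
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    print("wildcard for 255.255.240.0:", wildcard_for("255.255.240.0"))
    for label, text in (("as posted", ACL_AS_POSTED), ("full /20", ACL_FULL_SUBNET)):
        print(f"--- ACL 101 {label} ---")
        for name, verdict in check_flows(text).items():
            print(f"{verdict:6}  {name}")
```

Running it shows "permit" for the Internet-bound flow and "deny" for the PIX address under both lists, and "permit" for 10.8.5.10 only under the list as posted. The same evaluator can be pointed at lists 102 and 108 by changing the list number in `check_flows`.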

hextexAuthor Commented:
Works like a charm...thank you very much!