ACLS to block internet access

Hi Experts,
i need to block the access to internet to a network, that is a secondary network of the vlan1. The actual vlan1 details :
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address
  Secondary address
  Secondary address
  Secondary address
  Secondary address
 and an access list that i tried to use :

Extended IP access list 101
    deny tcp any eq www
    permit ip any any

but i'm afraided that is not i need to apply it as access-group on vlan1 interface? And if yes...are we sure that it's affect only the www traffic and only in the network?
Any suggestion is really appreciated.

p.s. also an ACLS example :)
Who is Participating?
btassureConnect With a Mentor Commented:
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in

Open in new window

u-boot96Author Commented:
thanks, now i have locked the internet to the network, but now i have another issue, becouse i need to grant the internet access to another network that it's again a secondary ip address of vlan1, but it's not allowed to our ISP to access internet. I think that i have to use nat. The isp allowed networks are,156.0,158.0,181.0,182.0. but not the 183.0. Is it possible to enable ip NAT inside between secondary addresses of the same vlan? Do i need virtual vlan?
You can NAT for specific ranges.

Set an outside interface: ip nat ouside
Set an inside interface (VLAN1): ip nat inside
Create a route-map to match ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
Setup NAT to use the route-map: ip nat inside source route-map permit_nat interface <outsinde interface> overload
Whoops, where "range 1, 2, etc" is a standard access list or prefix-list. IE:

access-list 1 permit
route-map permit_nat permit 10
 match ip address 1
All Courses

From novice to tech pro — start learning today.