ACLS to block internet access

Posted on 2008-10-24
Medium Priority
Last Modified: 2008-10-31
Hi Experts,
i need to block the access to internet to a network, that is a secondary network of the vlan1. The actual vlan1 details :
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address
  Secondary address
  Secondary address
  Secondary address
  Secondary address
and an access list that I tried to use:

Extended IP access list 101
    deny tcp any eq www
    permit ip any any

but I'm afraid that is not it. Do I need to apply it as an access-group on the vlan1 interface? And if yes... are we sure that it affects only the www traffic and only in the network?
Any suggestion is really appreciated.

P.S. also an ACLs example :)
Question by: u-boot96
LVL 16

Accepted Solution

btassure earned 2000 total points
ID: 22794993
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in

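A fuller version of the access list, as an added example that is not part of the thread: it scopes the deny to the one secondary subnet and to non-internal destinations. The thread's `deny tcp any eq www` has a source of `any`, so it matches every host on VLAN1 (primary and all secondaries alike), and it matches only TCP port 80, so HTTPS, DNS and everything else still passes. All addresses are constructed placeholders (192.0.2.0/24 stands in for the secondary network to be blocked; the RFC 1918 ranges stand in for whatever is internal), and the `log` keyword and the verify commands are this example's additions.

```cisco
! Added example, not the thread's own config. Placeholders:
!   192.0.2.0/24          the secondary subnet that must not reach the internet
!   10/8, 172.16/12, 192.168/16   internal ranges it may still talk to
!
! Rebuild ACL 101. A numbered ACL that is emptied while still applied permits
! everything until it is refilled, so do this in one paste (or build a new
! named ACL and swap the access-group afterwards).
no access-list 101
! Let the restricted subnet keep reaching internal ranges (other secondaries,
! internal servers, DNS) ...
access-list 101 permit ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 192.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
! ... and deny everything else from it (all protocols, not just port 80),
! logging hits so blocked attempts are visible.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
! Every other VLAN1 host (primary and the other secondaries) is unaffected.
access-list 101 permit ip any any
!
! Apply inbound on the SVI: "in" is traffic arriving from hosts on VLAN1,
! which is the direction that heads for the internet.
interface Vlan1
 ip access-group 101 in
!
! Verify: the deny line's hit counter should climb when a 192.0.2.x host
! tries to reach the internet, and the SVI should show ACL 101 inbound.
! show access-lists 101
! show ip interface vlan 1 | include access list
```

Because the ACL is evaluated per source address rather than per port, it also covers the case the original question raises: hosts on the other secondary networks are matched only by the final `permit ip any any`.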


Author Comment

ID: 22797495
Thanks, now I have locked the internet to the network, but now I have another issue, because I need to grant internet access to another network that is again a secondary IP address of vlan1, but it's not allowed by our ISP to access the internet. I think that I have to use NAT. The ISP-allowed networks are 156.0, 158.0, 181.0, 182.0, but not the 183.0. Is it possible to enable ip NAT inside between secondary addresses of the same vlan? Do I need a virtual vlan?
LVL 13

Expert Comment

ID: 22806425
You can NAT for specific ranges.

Set an outside interface: ip nat outside
Set an inside interface (VLAN1): ip nat inside
Create a route-map to match ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
Set up NAT to use the route-map: ip nat inside source route-map permit_nat interface <outside interface> overload
LVL 13

Expert Comment

ID: 22806433
Whoops, where "range 1, 2, etc." is a standard access list or prefix-list, i.e.:

access-list 1 permit
route-map permit_nat permit 10
 match ip address 1
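The two comments above assembled into one complete configuration, as an added example and not the expert's own text. The thread does not give the interface name or the full subnet, so both are assumptions: GigabitEthernet0/0 stands in for the ISP-facing interface and 198.51.100.0/24 (an RFC 5737 documentation range) for the one secondary subnet the ISP will not route. Only that subnet is translated; the ISP-permitted secondaries are left untranslated because the ACL never matches them.

```cisco
! Added example, not the thread's own config. Placeholders:
!   198.51.100.0/24      the secondary subnet the ISP does not route
!   GigabitEthernet0/0   the ISP-facing (outside) interface
!
! Standard ACL: only sources in the unrouted subnet are eligible for
! translation. Anything not permitted here is routed untouched, which is
! what the ISP-routed secondaries need.
access-list 10 permit 198.51.100.0 0.0.0.255
!
! The route-map selects which inside sources get translated.
route-map permit_nat permit 10
 match ip address 10
!
! Inside and outside are interface roles, so several secondary subnets on
! the same SVI are fine: the ACL, not the interface, decides who is NATted.
interface Vlan1
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
!
! PAT the matched subnet behind the outside interface address.
ip nat inside source route-map permit_nat interface GigabitEthernet0/0 overload
!
! Verify: translations should show only 198.51.100.x inside local addresses.
! show ip nat translations
! show ip nat statistics
```

One interaction to keep in mind: an inbound ACL on Vlan1 (such as ACL 101 from earlier in the thread) is evaluated before inside-to-outside translation, so the subnet being NATted must be permitted by that ACL or its traffic is dropped before NAT ever sees it.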
