ACLS to block internet access

Hi Experts,
i need to block the access to internet to a network, that is a secondary network of the vlan1. The actual vlan1 details :
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is 10.72.128.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address 10.72.156.254/24
  Secondary address 10.72.181.254/24
  Secondary address 10.72.158.254/24
  Secondary address 10.72.183.254/24
  Secondary address 10.72.182.254/24
 
 and an access list that i tried to use :

Extended IP access list 101
    deny tcp 10.72.181.0 0.0.0.255 any eq www
    permit ip any any

but i'm afraided that is not working...do i need to apply it as access-group on vlan1 interface? And if yes...are we sure that it's affect only the www traffic and only in the 10.72.181.0/24 network?
Any suggestion is really appreciated.

p.s. also an ACLS example :)
u-boot96Asked:
Who is Participating?
 
btassureConnect With a Mentor Commented:
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in
end

Open in new window

0
 
u-boot96Author Commented:
thanks, now i have locked the internet to the 10.72.181.0 network, but now i have another issue, becouse i need to grant the internet access to another network 10.72.183.0 that it's again a secondary ip address of vlan1, but it's not allowed to our ISP to access internet. I think that i have to use nat. The isp allowed networks are 10.72.128.0,156.0,158.0,181.0,182.0. but not the 183.0. Is it possible to enable ip NAT inside between secondary addresses of the same vlan? Do i need virtual vlan?
Thanks
0
 
QuoriCommented:
You can NAT for specific ranges.

Set an outside interface: ip nat ouside
Set an inside interface (VLAN1): ip nat inside
Create a route-map to match ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
!
Setup NAT to use the route-map: ip nat inside source route-map permit_nat interface <outsinde interface> overload
0
 
QuoriCommented:
Whoops, where "range 1, 2, etc" is a standard access list or prefix-list. IE:

access-list 1 permit 10.72.128.0 0.0.0.255
!
route-map permit_nat permit 10
 match ip address 1
!
0
All Courses

From novice to tech pro — start learning today.