ACLS to block internet access

Hi Experts,
I need to block internet access for a network that is a secondary network on VLAN 1. The current VLAN 1 details:
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is 10.72.128.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address 10.72.156.254/24
  Secondary address 10.72.181.254/24
  Secondary address 10.72.158.254/24
  Secondary address 10.72.183.254/24
  Secondary address 10.72.182.254/24
 
and an access list that I tried to use:

Extended IP access list 101
    deny tcp 10.72.181.0 0.0.0.255 any eq www
    permit ip any any

but I'm afraid it is not working... Do I need to apply it as an access-group on the VLAN 1 interface? And if yes, are we sure that it affects only the www traffic and only the 10.72.181.0/24 network?
Any suggestion is really appreciated.

P.S. Also an ACL example, please :)
u-boot96Asked:

btassureCommented:
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in
end


0

u-boot96Author Commented:
Thanks, now I have blocked the internet for the 10.72.181.0 network, but now I have another issue, because I need to grant internet access to another network, 10.72.183.0, which is again a secondary IP address of VLAN 1, but our ISP does not allow it to access the internet. I think that I have to use NAT. The ISP-allowed networks are 10.72.128.0, 156.0, 158.0, 181.0 and 182.0, but not 183.0. Is it possible to enable ip nat inside between secondary addresses of the same VLAN? Do I need a virtual VLAN?
Thanks
0
QuoriCommented:
You can NAT for specific ranges.

Set an outside interface: ip nat outside
Set an inside interface (VLAN 1): ip nat inside
Create a route-map to match the ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
!
Set up NAT to use the route-map: ip nat inside source route-map permit_nat interface <outside interface> overload
0
QuoriCommented:
Whoops, where "range 1, 2, etc." is a standard access list or prefix-list, i.e.:

access-list 1 permit 10.72.128.0 0.0.0.255
!
route-map permit_nat permit 10
 match ip address 1
!
0
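To answer the asker's "are we sure" question concretely, here is an added example (not code from the thread or from Cisco) that simulates IOS first-match ACL evaluation with wildcard masks and the route-map-driven selection of NAT sources, using the exact ACL 101 from the question and the standard-ACL route-map form from Quori's reply. The sample packets, the 192.0.2.10 destination address and the names of the helper functions are assumptions made for the example. Running it shows two things a practitioner will want to know before relying on this config: ACL 101 denies only TCP port 80 from 10.72.181.0/24, so HTTPS (443), DNS and every other secondary range still pass; and with Quori's literal "access-list 1 permit 10.72.128.0 0.0.0.255" only 10.72.128.0/24 would be translated, so for the follow-up goal the standard ACL behind the route-map has to match 10.72.183.0/24, the one range the ISP does not route.

```python
"""Simulate IOS ACL matching and NAT route-map source selection for this thread.

Added example, not from the original posts. Packets and the 192.0.2.x destination
are constructed sample data; the ACL lines and address ranges are those quoted
in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what "any" expands to in an IOS ACL


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One line of an extended ACL."""
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: Tuple[str, str]      # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # "eq <port>" on the destination, if present


# Extended IP access list 101 exactly as posted in the question:
#   deny tcp 10.72.181.0 0.0.0.255 any eq www
#   permit ip any any
ACL_101: List[Ace] = [
    Ace("deny", "tcp", ("10.72.181.0", "0.0.0.255"), ANY, 80),
    Ace("permit", "ip", ANY, ANY),
]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src):
        return False
    if not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Standard ACLs a "route-map permit_nat" could reference (assumed names).
# Quori's literal example translates only 10.72.128.0/24:
QUORI_ACL_1 = [("10.72.128.0", "0.0.0.255")]
# What the follow-up question actually needs: translate the range the ISP
# does not route, 10.72.183.0/24, so its traffic leaves with the outside address.
ACL_FOR_183 = [("10.72.183.0", "0.0.0.255")]


def nat_translates(src: str, std_acl: List[Tuple[str, str]]) -> bool:
    """'ip nat inside source route-map ...' translates a source only if the route-map's
    standard ACL permits it; every other source is routed untouched."""
    return any(wildcard_match(src, net, wc) for net, wc in std_acl)


def run_samples() -> dict:
    """Evaluate constructed packets entering Vlan1 inbound (192.0.2.10 is a
    documentation address standing in for an internet host)."""
    samples = {
        "181_http":  Packet("tcp", "10.72.181.10", "192.0.2.10", 80),
        "181_https": Packet("tcp", "10.72.181.10", "192.0.2.10", 443),
        "181_dns":   Packet("udp", "10.72.181.10", "192.0.2.10", 53),
        "183_http":  Packet("tcp", "10.72.183.10", "192.0.2.10", 80),
        "128_http":  Packet("tcp", "10.72.128.10", "192.0.2.10", 80),
    }
    return {name: evaluate_acl(ACL_101, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} ACL 101 -> {verdict}")
    for src in ("10.72.128.5", "10.72.183.5"):
        print(f"{src}: translated with Quori's ACL 1 = {nat_translates(src, QUORI_ACL_1)}, "
              f"with an ACL for 183.0 = {nat_translates(src, ACL_FOR_183)}")
```

The simulation applies to the inbound direction on Vlan1, which is where "ip access-group 101 in" evaluates packets sourced by the hosts; if the goal is "no internet" rather than "no plain HTTP", the deny line needs to cover at least tcp 443 and whatever else the hosts are expected to reach.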