ACLS to block internet access

Posted on 2008-10-24
Last Modified: 2008-10-31
Hi Experts,
i need to block the access to internet to a network, that is a secondary network of the vlan1. The actual vlan1 details :
#sho ip inter vlan 1
Vlan1 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Secondary address
  Secondary address
  Secondary address
  Secondary address
  Secondary address
 and an access list that i tried to use :

Extended IP access list 101
    deny tcp any eq www
    permit ip any any

but i'm afraided that is not i need to apply it as access-group on vlan1 interface? And if yes...are we sure that it's affect only the www traffic and only in the network?
Any suggestion is really appreciated.

p.s. also an ACLS example :)
Question by:u-boot96
LVL 16

Accepted Solution

btassure earned 500 total points
ID: 22794993
Assuming you don't already have any ACLs in place then yes to both questions.
The ACL is already created so all you need to do is:
conf t
int vlan 1
ip access-group 101 in

Open in new window


Expert Comment

ID: 22796137

Author Comment

ID: 22797495
thanks, now i have locked the internet to the network, but now i have another issue, becouse i need to grant the internet access to another network that it's again a secondary ip address of vlan1, but it's not allowed to our ISP to access internet. I think that i have to use nat. The isp allowed networks are,156.0,158.0,181.0,182.0. but not the 183.0. Is it possible to enable ip NAT inside between secondary addresses of the same vlan? Do i need virtual vlan?
LVL 13

Expert Comment

ID: 22806425
You can NAT for specific ranges.

Set an outside interface: ip nat ouside
Set an inside interface (VLAN1): ip nat inside
Create a route-map to match ranges you want to permit:
route-map permit_nat permit 10
  match ip address <range 1>
  match ip address <range 2>
  match ip address <etc>
Setup NAT to use the route-map: ip nat inside source route-map permit_nat interface <outsinde interface> overload
LVL 13

Expert Comment

ID: 22806433
Whoops, where "range 1, 2, etc" is a standard access list or prefix-list. IE:

access-list 1 permit
route-map permit_nat permit 10
 match ip address 1

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question