Access-List

I have vlan2 and vlan3 routed by a router through a simple trunk link, f0/1. Both vlans can see each other and browse the Internet through f0/0, which connects to the ISP's router.
To limit vlan3's access to vlan2, I created an access-list:

access-list 112 deny ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

It works exactly how I want: vlan2 can ping and access vlan3, but not the reverse.

But a problem comes up:
vlan3 is no longer able to browse the Internet; vlan2 is OK.

Please help me with what to do. This is my router configuration:

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable password cisco
!
ip subnet-zero
!
call rsvp-sync
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed 100
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan 2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.2
 description vlan 3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 112 in
 ip nat inside
!
ip nat pool lab 192.168.1.18 192.168.1.18 netmask 255.255.255.0
ip nat inside source list 10 pool lab overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 112 deny   ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end



Thank you

Asked by Savvis

MrJemson commented:
There is a typo in the original list with the subnet mask!

This: access-list 112 deny   ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
Should be this: access-list 112 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

-----

Here is the correct List:

access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 192.168.3.0 0.0.0.255 any

I believe this access-list will solve your problem.
saba11 commented:
Hi, there is an implicit deny statement at the end of every access list, so you will need to allow VLAN 3 access to everything else.

I would group my deny statements first and then have a permit ip any any at the end.

Or

Permit IP 192.168.3.0 0.0.0.255 any.
pschakravarthi commented:
Hi
If the problem persists, send the traceroute output to any Internet site (like google.com) from vlan 3.
Savvis (author) commented:
Hi saba11,

I already tried those two statements. Internet browsing works, but now vlan3 can access vlan2; that's
not the way I want it.

Thanks
MrJemson commented:
Order in access lists is important!

An access list will pass from top to bottom and will stop at the first matching statement.

Place your access list in this order and it should work:

access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 192.168.3.0 0.0.0.255 any

Please let me know what happens if this does not solve your problem.
saba11 commented:
Hi, as I mentioned in my previous post, you will need to order your access list so that the more specific matches are done at the beginning and a blanket statement is left right at the end. You can't add to your existing access list, as the new entry won't fall in the right place (the sequence number). You will need to remove the existing list, modify it in Notepad in the correct order, and paste it back in; then it should work.

Thanks
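To make the two points in this thread concrete (MrJemson's accepted answer: the 0.0.0.225 wildcard typo and the ordering of the established/echo-reply permits before the denies; saba11's notes: the implicit deny at the end of every list and the need for a final permit), here is an added example that is not code from the thread: a small Python simulator of Cisco numbered extended ACL semantics. It reproduces the original list and the corrected list from the answers and runs constructed packets through both. The host addresses 192.168.3.10, 192.168.2.5 and 203.0.113.80 and the packets are constructed for the example, and the `established` keyword is modelled as "ACK or RST set".

```python
"""
Added example (not from the original thread): a small simulator for
Cisco-style numbered extended ACLs. It is used to show three things the
answers discuss:
  * wildcard-mask arithmetic (why 0.0.0.225 is not the same as 0.0.0.255),
  * first-match evaluation from top to bottom, and
  * the implicit deny at the end of every list.
The entries and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack: bool = False    # ACK or RST set, i.e. what "established" matches
    icmp_type: str = ""      # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: str                 # "any" or "<network> <wildcard>"
    dst: str
    qualifier: str = ""      # "established" for tcp, an ICMP type for icmp


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard masks: a 0 bit must match the network, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst)):
        return False
    if e.qualifier == "established":
        return p.proto == "tcp" and p.tcp_ack
    if e.qualifier and e.proto == "icmp":
        return p.icmp_type == e.qualifier
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; falling off the end is the implicit deny."""
    for line, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return e.action, line
    return "deny", None


def vlan3_hosts_covered(wildcard: str) -> List[int]:
    """Last octets of 192.168.3.x matched by 'deny ip 192.168.3.0 <wildcard> ...'."""
    spec = "192.168.3.0 " + wildcard
    return [x for x in range(256) if wildcard_match(f"192.168.3.{x}", spec)]


VLAN2 = "192.168.2.0 0.0.0.255"
VLAN3 = "192.168.3.0 0.0.0.255"

# The list from the question: the 0.0.0.225 typo and no permit for anything else.
ORIGINAL = [
    Entry("deny", "ip", "192.168.3.0 0.0.0.225", VLAN2),
    Entry("permit", "tcp", "any", "any", "established"),
    Entry("permit", "icmp", "any", "any", "echo-reply"),
    Entry("deny", "icmp", VLAN3, VLAN2),
]

# The list from the accepted answer: return traffic first, then the vlan3->vlan2
# denies, then an explicit permit so vlan3 still reaches the Internet.
CORRECTED = [
    Entry("permit", "tcp", "any", "any", "established"),
    Entry("permit", "icmp", "any", "any", "echo-reply"),
    Entry("deny", "ip", VLAN3, VLAN2),
    Entry("deny", "icmp", VLAN3, VLAN2),
    Entry("permit", "ip", VLAN3, "any"),
]

# Constructed traffic, all entering f0/1.2 from vlan3 (where access-group 112 is applied).
WEB_SYN = Packet("tcp", "192.168.3.10", "203.0.113.80")                # vlan3 -> Internet
V2_SYN = Packet("tcp", "192.168.3.10", "192.168.2.5")                  # vlan3 opens to vlan2
V2_REPLY = Packet("tcp", "192.168.3.10", "192.168.2.5", tcp_ack=True)  # reply to a vlan2-initiated session
V2_PING = Packet("icmp", "192.168.3.10", "192.168.2.5", icmp_type="echo")

if __name__ == "__main__":
    print("hosts the typo wildcard covers:", vlan3_hosts_covered("0.0.0.225"))
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for label, pkt in (("web", WEB_SYN), ("v2 syn", V2_SYN), ("v2 reply", V2_REPLY), ("v2 ping", V2_PING)):
            print(f"{name:9} {label:9} -> {evaluate(acl, pkt)}")
```

Running it shows why the original list broke Internet access: a SYN from vlan3 to the web matches none of the four entries and hits the implicit deny, while the corrected list lets it through on the final permit. It also shows that the 0.0.0.225 wildcard only covers 16 of the 256 vlan3 addresses (those whose last octet has bits 1 to 4 clear), and that in the corrected list the fourth entry (deny icmp) is shadowed by the third (deny ip), which already covers ICMP. Since the list is applied inbound on the vlan3 subinterface, it is evaluated before inside-to-outside NAT, so it sees the private addresses, not the pool address.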
 
Savvis (author) commented:
Hi MrJemson,
I copied and pasted the access-list in that order.
The results:

    vlan3 can browse the Internet
    vlan3 cannot ping vlan2
    vlan3 is able to access vlan3 (i.e. mapping a drive)
Savvis (author) commented:
Hi MrJemson,

Sorry, I hit the wrong button.
Everything is OK, but the problem is that now vlan3 can access vlan2 (that is what I am trying to prevent).

Thanks
 
MrJemson commented:
So is this working correctly?

    vlan3 can browse the Internet
    vlan3 cannot ping vlan2
    vlan3 is able to access vlan3 (i.e. mapping a drive)
Savvis (author) commented:
Hi saba11,

Yes, I did exactly what you mentioned:
first I removed the access-list, then carefully did a wri mem.
Then I created the access-list in Notepad in the right order before pasting it to the router.

Thanks
Savvis (author) commented:
Hi MrJemson,

It's great, everything works perfectly: Internet, limitation on vlan2.

Thank you very much
Savvis (author) commented:
Perfect