Access-List

I have vlan2 and 3 routed by a router thru a simple trunk link f0/1. Both vlans can see each other and browse the Internet thru f0/0, which connects to the ISP's router.
To limit access of vlan3 to vlan2, I create an access-list:

access-list 112 deny ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

It works exactly how I want: vlan2 can ping and access vlan3 but not in reverse.

But a problem comes up:
Vlan3 is no longer able to browse the Internet; Vlan2 is OK.

Please help me with what to do. This is my router configuration:

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable password cisco
!
ip subnet-zero
!
call rsvp-sync
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed 100
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan 2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.2
 description vlan 3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 112 in
 ip nat inside
!
ip nat pool lab 192.168.1.18 192.168.1.18 netmask 255.255.255.0
ip nat inside source list 10 pool lab overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 112 deny   ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
Thank you

Savvis Asked:
saba11 Commented:
Hi, there is an implicit deny statement at the end of every access list, therefore you will need to allow VLAN 3 to have access to everything else.

I would group my deny statements first and then have a permit IP any any at the end.

Or

Permit IP 192.168.3.0 0.0.0.255 any.
0
pschakravarthi Commented:
Hi,
If the problem persists, send traceroute details of any Internet site (like google.com) from VLAN 3.
0
Savvis (Author) Commented:
Hi saba11,

I already tried those 2 statements; the Internet browsing works, but now vlan3 can access vlan2, and that's not the way I want it.

Thanks
0
MrJemson Commented:
Order in access lists is important!

An access list will pass from top to bottom and will stop at the first matching statement.

Place your access list in this order and it should work:

access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 192.168.3.0 0.0.0.255 any

Please let me know what happens if this does not solve your problem.
0
saba11 Commented:
Hi, as I mentioned in my previous post, you will need to order your access list so that more specific matches are done at the beginning and a blanket statement is left right at the end. You can't add to your existing access list, as the new line won't fall in the right place (that is, the sequence number). You will need to remove the existing list, modify the lines in Notepad in the correct order, and paste them back in, and it should work.

Thanks
0
Savvis (Author) Commented:
Hi MrJemson,
I copied and pasted the access-list in that order.
The results:

vlan3 can browse the Internet
vlan3 cannot ping vlan2
vlan3 is able to access vlan3 (i.e. mapping a drive)
0
Savvis (Author) Commented:
Hi MrJemson,

Sorry, I hit a wrong button.
Everything is OK, but the problem is now vlan3 can access vlan2 (that's what I'm trying to prevent).

Thanks
0
MrJemson Commented:
So is this working correctly?

vlan3 can browse the Internet
vlan3 cannot ping vlan2
vlan3 is able to access vlan3 (i.e. mapping a drive)
0
Savvis (Author) Commented:
Hi saba11,

Yes, I did exactly what you mentioned:
First I removed the access-list, then carefully did a wri mem.
Then I created the access-list in Notepad in the right order before pasting it to the router.

Thanks
0
MrJemson Commented:
There is a typo in the original list with the wildcard mask!

This: access-list 112 deny   ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255
Should be this: access-list 112 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

-----

Here is the correct list:

access-list 112 permit tcp any any established
access-list 112 permit icmp any any echo-reply
access-list 112 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 192.168.3.0 0.0.0.255 any

I believe this access-list will solve your problem.
0
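To see why the thread's three versions of access-list 112 behave differently, here is a small simulator of the Cisco numbered-ACL semantics the replies rely on: rules are checked top to bottom, the first match wins, anything unmatched hits the implicit deny, and a wildcard (inverse) mask treats every 1 bit as "don't care". It is an added example, not code from the thread or from Cisco, and the packets and the 203.0.113.10 "Internet" address are constructed for illustration. It shows the original list blocking vlan3's outbound TCP SYNs (nothing permits them, so the implicit deny applies), the reordered list with the 0.0.0.225 typo still letting most vlan3 hosts reach vlan2 over TCP while ping is blocked by the correctly masked icmp line, and the corrected list doing what Savvis wanted.

```python
"""Simulate Cisco extended ACL evaluation: first match wins, implicit deny,
wildcard masks. Added example with constructed traffic, not the thread's code."""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr lies inside base/wildcard; 1 bits in the wildcard are ignored."""
    wc = _to_int(wildcard)
    return (_to_int(addr) | wc) == (_to_int(base) | wc)


def addresses_covered(wildcard: str) -> int:
    """Number of addresses a wildcard mask matches: 2 ** (count of 1 bits)."""
    return 2 ** bin(_to_int(wildcard)).count("1")


def _take_address(tokens, i):
    """Consume either 'any' or '<address> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [qualifier]' lines."""
    rules = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _take_address(tokens, 4)
        dst, i = _take_address(tokens, i)
        qualifier = tokens[i] if i < len(tokens) else None
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "qualifier": qualifier})
    return rules


def evaluate(rules, pkt):
    """Return 'permit' or 'deny' for pkt using first-match semantics.
    pkt keys: src, dst, proto ('tcp', 'udp' or 'icmp'), plus optionally
    established=True (TCP ACK/RST set) or icmp_type ('echo' or 'echo-reply')."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])):
            continue
        if r["qualifier"] == "established" and not pkt.get("established", False):
            continue
        if r["qualifier"] == "echo-reply" and pkt.get("icmp_type") != "echo-reply":
            continue
        return r["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL


# The three lists from the thread, applied inbound on the VLAN 3 subinterface.
ORIGINAL_ACL = parse_acl([
    "access-list 112 deny ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255",
    "access-list 112 permit tcp any any established",
    "access-list 112 permit icmp any any echo-reply",
    "access-list 112 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
])
REORDERED_TYPO_ACL = parse_acl([
    "access-list 112 permit tcp any any established",
    "access-list 112 permit icmp any any echo-reply",
    "access-list 112 deny ip 192.168.3.0 0.0.0.225 192.168.2.0 0.0.0.255",
    "access-list 112 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 112 permit ip 192.168.3.0 0.0.0.255 any",
])
CORRECTED_ACL = parse_acl([
    "access-list 112 permit tcp any any established",
    "access-list 112 permit icmp any any echo-reply",
    "access-list 112 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 112 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 112 permit ip 192.168.3.0 0.0.0.255 any",
])

# Constructed sample traffic; 203.0.113.10 is a documentation address standing in for the Internet.
VLAN3_TO_INTERNET_SYN = {"src": "192.168.3.10", "dst": "203.0.113.10", "proto": "tcp"}
VLAN3_TO_VLAN2_SYN = {"src": "192.168.3.10", "dst": "192.168.2.5", "proto": "tcp"}
VLAN3_TO_VLAN2_PING = {"src": "192.168.3.10", "dst": "192.168.2.5", "proto": "icmp", "icmp_type": "echo"}
VLAN3_REPLY_TO_VLAN2 = {"src": "192.168.3.10", "dst": "192.168.2.5", "proto": "tcp", "established": True}
VLAN3_PONG_TO_VLAN2 = {"src": "192.168.3.10", "dst": "192.168.2.5", "proto": "icmp", "icmp_type": "echo-reply"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered+typo", REORDERED_TYPO_ACL),
                      ("corrected", CORRECTED_ACL)):
        print(name, "internet:", evaluate(acl, VLAN3_TO_INTERNET_SYN),
              "vlan2 tcp:", evaluate(acl, VLAN3_TO_VLAN2_SYN),
              "vlan2 ping:", evaluate(acl, VLAN3_TO_VLAN2_PING))
    print("hosts matched by 0.0.0.225:", addresses_covered("0.0.0.225"))
```

The wildcard arithmetic explains the odd symptom Savvis reported (drive mapping works, ping does not): 0.0.0.225 is binary 11100001 in the last octet, so the deny ip line only matches the 16 vlan3 addresses whose last octet has bits 1 to 4 clear (.0, .1, .32, .33, .64, ...), and every other vlan3 host falls through to the final permit. The icmp deny had the right mask, so pings were still blocked.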

Savvis (Author) Commented:
Hi MrJemson,

It's great, everything works perfectly: Internet, limitation on vlan2.

Thank you very much
0
Savvis (Author) Commented:
Perfect
0