Cisco ACL Deny Access

Hi, I have a Cisco 1941 router. It has 4 ports: 1 public interface (eth0/1) and a few switch interfaces (eth0/1/0 - eth0/1/2). I am trying to use an ACL deny to restrict access from eth0/1/2 (172.16.0.0) to eth0/1/1 (192.168.0.0), but we allow access from eth0/1/1 to eth0/1/2. The deny ACL doesn't look like it works. Is anything wrong in my config?

interface GigabitEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 11.22.33.44 255.255.255.240
 ip access-group 108 in
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip inspect CCP_LOW out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1/1
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet0/1/2
 switchport access vlan 200
 no ip address
!
interface Vlan100
 description $INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 service-policy input block
!
interface Vlan200
 description $DMZ$
 ip address 172.16.0.254 255.255.255.0
 ip access-group 154 out
 ip nat inside
 ip virtual-reassembly in
 service-policy input block
!
access-list 154 remark Vlan200 Outbound
access-list 154 deny   ip any 192.168.0.0 0.0.0.255
access-list 154 permit ip any any
David_zu asked:

Don Johnston (Instructor) commented:
Your direction is wrong.

The direction of the ACL is relative to the SVI (VLAN interface). So in your example, you're saying that when traffic exits the VLAN 200 interface (going to VLAN 200), the ACL is supposed to deny the traffic if it is going to 192.168.0.0.  But VLAN 200 only has 172.16.0.0 addresses. So it doesn't match and the permit any any matches.

If you don't want VLAN200 to communicate with VLAN100 (using your existing ACL), you would do either:

int vlan 100
 ip access-group 154 out 
access-list 154 deny ip any 192.168.0.0 0.0.0.255
access-list 154 permit ip any any 


or
int vlan 200
 ip access-group 154 in
access-list 154 deny ip any 192.168.0.0 0.0.0.255
access-list 154 permit ip any any 



Sanjeevloke commented:
Agreed with Don.
David_zu (Author) commented:
I tried it. But the result is that I am not able to access vlan200 from vlan100.

int vlan 200
 ip access-group 154 in
access-list 154 deny ip any 192.168.0.0 0.0.0.255
access-list 154 permit ip any any
Don Johnston (Instructor) commented:
Your original post said:

restrict the access from eth0/1/2 (172.16.0.0) to eth0/1/1 (192.168.0.0).

now you're saying that you want them to communicate.

Which is it?
David_zu (Author) commented:
Correct, I want to restrict the access from eth0/1/2 (172.16.0.0) to eth0/1/1 (192.168.0.0), but allow access from eth0/1/1 (192.168.0.0) to eth0/1/2 (172.16.0.0). It means I will allow one way access only.
Don Johnston (Instructor) commented:
Considering that 99% of all traffic is bi-directional, that makes it a bit more work. You're going to have to provide more detail on the traffic.
David_zu (Author) commented:
The vlan200 is DMZ network. Requirements are:

1) Allow Internet access from vlan200 (permit all access from vlan200 to GE0/1)
2) Deny any access from vlan200 to vlan100
3) Allow all access from vlan100 to vlan200
4) Allow NAT port 443 access from public IP (GE0/1) to vlan200 ip 172.16.0.20
5) Allow Internet access from vlan100 (permit all access from vlan100 to GE0/1)
David_zu (Author) commented:
Shared points with everyone. Thank you for your help.
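The two points the thread turns on are Don's explanation of ACL direction (an `in` ACL on an SVI checks packets arriving from that VLAN, an `out` ACL checks packets leaving toward it) and his later remark that one-way access is harder because almost all traffic needs a return path. The following Python model is an added example written for this page, not code from the thread or from Cisco: it implements first-match ACL evaluation with Cisco wildcard masks and the implicit deny, binds ACLs to the two SVIs in a chosen direction, and runs constructed sample packets through the original placement (`ip access-group 154 out` on Vlan200), Don's fix (`in` on Vlan200), and a variant using the IOS `established` keyword (matches TCP segments with ACK or RST set) to let DMZ replies back in. The host addresses, the `Ace`/`Packet` classes and the `established` variant are assumptions made for the illustration.

```python
"""Model of Cisco IOS ACL evaluation on SVIs (added example, not from the thread).
Subnets and ACL 154 are taken from the question; packets are constructed samples."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"        # "ip" (any), "tcp", "udp", "icmp"
    tcp_ack: bool = False    # ACK or RST set: what IOS 'established' matches


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: str                 # "any" or "<address> <wildcard>"
    dst: str
    established: bool = False


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
            continue
        return ace.action
    return "deny"


# SVI -> subnet, as in the router config
SVIS = {
    "Vlan100": ipaddress.ip_network("192.168.0.0/24"),
    "Vlan200": ipaddress.ip_network("172.16.0.0/24"),
}


def _svi_for(addr: str):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SVIS.items() if ip in net), None)


def forward(pkt: Packet, bindings) -> tuple:
    """bindings: {(svi, 'in'|'out'): acl}. The packet is checked 'in' on the SVI it
    arrives from and 'out' on the SVI it leaves toward. Returns (verdict, drop point)."""
    ingress, egress = _svi_for(pkt.src), _svi_for(pkt.dst)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return ("deny", f"{svi} {direction}")
    return ("permit", None)


# access-list 154 exactly as posted
ACL_154 = [Ace("deny", "ip", "any", "192.168.0.0 0.0.0.255"),
           Ace("permit", "ip", "any", "any")]

ORIGINAL = {("Vlan200", "out"): ACL_154}   # what the question had
FIXED = {("Vlan200", "in"): ACL_154}       # Don's second option
# Assumed variant: let DMZ hosts answer TCP connections the inside opened
ONE_WAY_TCP = {("Vlan200", "in"): [
    Ace("permit", "tcp", "any", "192.168.0.0 0.0.0.255", established=True),
    Ace("deny", "ip", "any", "192.168.0.0 0.0.0.255"),
    Ace("permit", "ip", "any", "any"),
]}

# Constructed sample traffic (hosts are assumed)
DMZ_TO_INSIDE = Packet("172.16.0.20", "192.168.0.10", "tcp")             # DMZ opens a connection
INSIDE_TO_DMZ = Packet("192.168.0.10", "172.16.0.20", "tcp")             # inside opens a connection
DMZ_REPLY = Packet("172.16.0.20", "192.168.0.10", "tcp", tcp_ack=True)   # DMZ answers it

if __name__ == "__main__":
    for label, bindings in (("original", ORIGINAL), ("fixed", FIXED), ("one-way tcp", ONE_WAY_TCP)):
        for name, pkt in (("dmz->inside", DMZ_TO_INSIDE), ("inside->dmz", INSIDE_TO_DMZ), ("dmz reply", DMZ_REPLY)):
            print(f"{label:12} {name:12} {forward(pkt, bindings)}")
```

Running it reproduces the thread: with the original `out` binding the 172.16.0.20 to 192.168.0.10 packet never traverses the ACL (it leaves via Vlan100, which has no ACL) and is permitted; with Don's `in` binding it is denied, but so is the DMZ's reply to a connection the inside opened, which is why vlan100 could no longer reach vlan200. The `established` entry restores TCP replies only; UDP and ICMP return traffic would need stateful inspection such as the CBAC (`ip inspect`) the router already runs on its WAN interface, or reflexive ACLs.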