Multiple subnets on one Int, need to block communications between them but allow access to internet

Discussion in 'Cisco' started by mcpaytas, Feb 21, 2007.

  1. mcpaytas

    mcpaytas Guest

    On a 2600 Router. I have multiple subnets on a single interface and
    want to keep the 192.168.10.0 subnet from talking to the others. But I
    need it to be able to access the internet. This is what I have come up
    with. Can you guys shoot holes in it and tell me if it is correct or
    what I am doing wrong. Thanks!

    interface Ethernet0/0
     ip access-group 101 in
     ip access-group 102 out
    !
    ! Inbound on Ethernet0/0 (inside): permit the internal subnets.
    ! 101 is an extended ACL number, so each entry needs a protocol and a destination.
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    !
    ! Outbound on Ethernet0/0: keep 192.168.10.0/24 away from the other subnets.
    access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
     
    mcpaytas, Feb 21, 2007
    #1

  2. First of all, the access-list should have a statement which PERMITS certain
    traffic. There is an implicit "DENY ALL" at the end of any access-list (even
    though it's not shown). So, your "Out" access-list blocks certain subnets,
    and then the remaining world hits that deny (basically it does not allow anything).

    Second, how do you configure multiple subnets on the interface? Do you have
    primary and secondary IP addresses configured? Do you have a broad subnet mask
    (i.e. supernet)? If all your subnets are in one "flat" Layer 2 network, then
    what prevents a user from putting a broad subnet mask and accessing other subnets?

    Practically, if you have switch(es), you should define VLANs for different
    subnets, create a trunk to your 2600 router, and create subinterfaces for
    each VLAN. However, based on the fact that you show interface name Ethernet
    versus FastEthernet, you may have an old 2600 router with 10 Mbit interface,
    and this scenario may not work for you.

    Good luck,

    Mike
     
    headsetadapter.com, Feb 21, 2007
    #2
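To make the implicit-deny point above concrete, here is an added example (not code from the thread or from Cisco) that models first-match extended-ACL evaluation with Cisco wildcard masks and runs the poster's ACL 102 against the traffic he wants to allow; 203.0.113.10 is a constructed internet destination and the ACL entries are the ones posted in #1.

```python
import ipaddress
from dataclasses import dataclass

# Minimal model of Cisco extended-ACL evaluation: entries are checked in
# order, the first match wins, and an unmatched packet hits the implicit
# "deny any any" at the end of the list.


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # network address, or "any"
    src_wc: str   # wildcard mask (unused when src is "any")
    dst: str
    dst_wc: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src == "any" or wildcard_match(src_ip, self.src, self.src_wc)
        dst_ok = self.dst == "any" or wildcard_match(dst_ip, self.dst, self.dst_wc)
        return src_ok and dst_ok


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"  # implicit deny all at the end of every Cisco ACL


# ACL 102 exactly as posted: deny statements only.
ACL_102_ORIGINAL = [
    Ace("deny", "192.168.10.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    Ace("deny", "192.168.10.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Ace("deny", "192.168.10.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
]
# The same list with the trailing permit the reply says is missing.
ACL_102_FIXED = ACL_102_ORIGINAL + [Ace("permit", "any", "", "any", "")]

if __name__ == "__main__":
    for name, acl in (("original", ACL_102_ORIGINAL), ("fixed", ACL_102_FIXED)):
        for dst in ("192.168.1.5", "203.0.113.10"):  # constructed test destinations
            print(name, "192.168.10.5 ->", dst, evaluate(acl, "192.168.10.5", dst))
```

The original list drops the internet-bound packet because nothing permits it, while the fixed list still denies the inter-subnet packet but lets the rest through.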

  3. mcpaytas

    mcpaytas Guest

    Ok. I unfortunately don't have any switches capable of creating
    VLANs. That most certainly would be the way to go.
    Is there any way to block communications between subnets using just a
    2600 router? Thanks!
     
    mcpaytas, Feb 22, 2007
    #3
  4. Rod Dorman

    Rod Dorman Guest

    Sure if they're on different interfaces of the router.
     
    Rod Dorman, Feb 22, 2007
    #4