# Cisco ACLs and Dual LAN



## deadroad503 (Aug 29, 2009)

I'm running 2 LANs off a Cisco 1751 over a Comcast cable internet connection and have DHCP for my public address. I have everything working great at this point but am having trouble with my ACLs (never been good with them). I can't figure out how to restrict LAN-to-LAN access. I don't want them talking. How do I do this? Here's my current config (passwords removed, of course). Protected is my private network and Unprotected is my customer network. I fix computers and the last thing I need is to fix mine due to a network virus.



```
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PC_Repair
!
boot-start-marker
boot-end-marker
!
enable secret 5 [email protected]#$%
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.99
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool Protected_Pool
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.1 
   default-router 192.168.0.1 
   lease 7
!
ip dhcp pool Unprotected_Pool
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.1 
   default-router 192.168.1.1 
   lease 7
!
!
ip cef
ip name-server 4.2.2.1
ip name-server 4.2.2.6
!
!
interface Ethernet0/0
 description "Unprotected"
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex 
 no shutdown
!
interface Ethernet1/0
 description "Protected"
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
 no shutdown
!
interface FastEthernet0/0
 description "Internet"
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 no shutdown
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network 192.168.0.0
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip dns server
!
no logging trap
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
snmp-server community public RO
!
!
control-plane
!
!
line con 0
 password [email protected]#$%
 login
line aux 0
line vty 0 15
 no login
!
end
```


----------



## Suncoast (Jul 28, 2009)

I don't know how you got any communications going between e0 and e1 with nat inside going on both interfaces. Interesting. Using an extended list will give you the option to tweak this list with port specific permit/deny statements. 

```
conf t
no access-list 110
no access-list 111
access-list 110 deny ip any 192.168.1.0 0.0.0.255
access-list 110 deny icmp any 192.168.1.0 0.0.0.255
access-list 110 deny tcp any any range 135 139
access-list 110 permit ip any any 

access-list 111 deny ip any 192.168.0.0 0.0.0.255
access-list 111 deny icmp any 192.168.0.0 0.0.0.255
access-list 111 deny tcp any any range 135 139
access-list 111 permit ip any any 

int e0/0 
ip access-group 110 in
int e1/0 
ip access-group 111 in
```
`access-list 111 deny tcp any any range 135 139`

This line blocks all NetBIOS and Windows File Sharing. If you need domain or Windows P2P services over these LAN ports, remove these lines.
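As an added example (not code from either poster), the following Python script parses the two extended ACLs in the reply above and walks a few constructed flows through them using IOS first-match semantics with the implicit deny at the end. It takes the subnets from the original config (Ethernet1/0 is 192.168.1.1/24, so ACL 111 applied inbound there sees hosts on 192.168.1.0/24); the host addresses, the 203.0.113.10 internet address and the flows themselves are made up for the demonstration, and the parser only understands the address and port forms that actually appear in the reply (`any`, `host`, address plus wildcard, `eq`, `range`).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two extended ACLs from the reply above, copied as posted.
ACL_TEXT = """\
access-list 110 deny ip any 192.168.1.0 0.0.0.255
access-list 110 deny icmp any 192.168.1.0 0.0.0.255
access-list 110 deny tcp any any range 135 139
access-list 110 permit ip any any
access-list 111 deny ip any 192.168.0.0 0.0.0.255
access-list 111 deny icmp any 192.168.0.0 0.0.0.255
access-list 111 deny tcp any any range 135 139
access-list 111 permit ip any any
"""

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; anything else must match exactly
    src: Tuple[int, int]         # (address, wildcard) as integers
    dst: Tuple[int, int]
    port_lo: Optional[int] = None   # destination port bounds, when the entry has them
    port_hi: Optional[int] = None

def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Read one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_acls(text: str) -> dict:
    """Group numbered 'access-list' lines into per-ACL entry lists, keeping the order written."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        lo = hi = None
        if i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        elif i < len(t) and t[i] == "eq":
            lo = hi = int(t[i + 1])
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, lo, hi))
    return acls

def _addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = wild ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """The first matching entry decides; returns (action, index of that entry).
    Reaching the end of the list is the implicit deny every IOS ACL ends with (index None)."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_matches(e.src, src) and _addr_matches(e.dst, dst)):
            continue
        if e.port_lo is not None and (dport is None or not e.port_lo <= dport <= e.port_hi):
            continue
        return e.action, idx
    return "deny", None

def demo() -> List[Tuple[str, str, Optional[int]]]:
    """Run constructed flows through ACL 111 (applied inbound on e1/0, the 192.168.1.0/24 side)."""
    acl = parse_acls(ACL_TEXT)["111"]
    flows = [
        ("tcp", "192.168.1.50", "192.168.0.20", 445),    # LAN-to-LAN file sharing
        ("icmp", "192.168.1.50", "192.168.0.20", None),  # LAN-to-LAN ping
        ("tcp", "192.168.1.50", "203.0.113.10", 443),    # HTTPS out to the internet
        ("tcp", "192.168.1.50", "203.0.113.10", 139),    # NetBIOS session out to the internet
        ("udp", "192.168.1.50", "192.168.1.1", 53),      # DNS to the router's own e1/0 address
    ]
    results = []
    for proto, src, dst, port in flows:
        label = f"{proto} {src}->{dst}" + (f":{port}" if port is not None else "")
        action, idx = evaluate(acl, proto, src, dst, port)
        results.append((label, action, idx))
    return results

if __name__ == "__main__":
    for label, action, idx in demo():
        print(f"{label:38} {action:6} (entry {idx})")
```

Two things the walk-through makes visible: the `deny icmp` lines are never reached, because the preceding `deny ip` to the same subnet already covers ICMP, and the `range 135 139` line denies NetBIOS not only between the LANs but also from each LAN to the internet, which is a sensible egress restriction to keep. Return traffic for outbound connections arrives on FastEthernet0/0, which carries no ACL, so it is unaffected.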


----------

