03-17-2009 11:27 AM - edited 03-06-2019 04:39 AM
Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets an IP from a server on VLAN1. They then need to connect to a PC for an RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?
03-17-2009 11:49 AM
If they're going through the pix, you may need to create an ACL that they'll use to allow them to the vlan 2 subnet. Otherwise, they'll only be allowed to whatever devices the acl is being applied to their vpn connection.
You could post the acl that's being applied to them and we can look at it. Also, is the pix the default gateway for the switch? Are these L3 SVIs, or do you have it configured as just a L2 switch?
HTH,
John
03-17-2009 11:59 AM
Taking outside users out of the equation for the time being, I cannot RDP to anything on VLAN2 from VLAN1 as of now.
So is there anything that would be denying that access?
03-17-2009 12:04 PM
Are you on the same switch? Are these L3 SVIs?
Here's a couple of suggestions:
If they're L3 svis (int vlan1, int vlan2) and they have ACLs applied, then yes, that could be blocking you.
Can you RDP from a system that's in VLAN2 to the system that's in VLAN2? If not, it has something to do with the server/system that you're trying to remote into (software firewall?).
HTH,
John
03-17-2009 12:10 PM
John,
Thanks for the reply. They are L3 SVIs (int vlan1, int vlan2) and they do have ACLs applied to them.
I've taken my laptop and placed it in VLAN2 (10.70.0.0 network) and can RDP to the PC (10.70.0.61). When I go back to VLAN1 (10.10.0.0 network) I am then unable to remote into anything on the 10.70.0.0 network.
03-17-2009 12:12 PM
Okay. Can you post the ACL config for VLAN1 and 2?
03-17-2009 12:23 PM
03-17-2009 12:29 PM
I tried adding a command on VLAN8 that read:
permit tcp 10.0.0.0 0.0.0.255 host 10.70.0.61 eq 3389
03-17-2009 12:54 PM
I'm a little confused. The ACE that you posted here would only allow 10.0.0.0/24 (10.0.0.1, 10.0.0.103, etc.).
What are the actual subnets on vlan 8, and what subnet are you coming from?
Oh, and what direction are these ACLs applied in on the SVI?
John
03-17-2009 01:18 PM
That should have been 10.10.0.0 network.
But wouldn't that be correct? I only want to allow RDP from anything on the 10.10.0.0 network to that specific host.
Right now my ip is 10.10.0.8, I'm on VLAN10. I want to RDP to 10.70.0.61 which is on VLAN8.
03-17-2009 01:27 PM
Yes, it would be correct, but it could change depending on the direction that your acl is applied in. Is the ACL on vlan 8 or 10 applied outbound?
Try this acl on vlan 8:
access-list 108 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389
On your vlan 10:
access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389
Vlan 8 is assumed outbound. If your acl is applied inbound, you would need to switch it:
access-list 108 permit tcp host 10.70.0.61 10.10.0.0 0.0.0.255 eq 3389
Oh, and if you add the access-list line without modifying your whole list, it will add to the end of the list. That means that if something is blocking the traffic before it gets to the line that should allow it, it will stop processing the ACL and will never get to your line. When working with these ACLs, it's best to copy the complete ACL, paste it into Notepad, make your changes, delete the current ACL, and then paste your "changed" ACL back in. You can't add a line to this type of ACL in the middle of the list without modifying it all.
HTH,
John
03-18-2009 06:33 AM
VLAN8 is indeed outbound. We tried the ACLs you gave above but with no success.
My other tech added the lines to the ACL by giving them a number (ex 75 and then the ACL commands) so this put them at a certain spot instead of the end of the ACL.
Question I have, I thought that he would have to do a write mem command after adding these so they would be in the running config, but he is telling me that he doesn't need to. Would that command need to be run?
Thanks!
03-18-2009 06:41 AM
Numbered access lists won't let you insert lines, so you're using a named acl? I need to see the config of the SVIs on your switch. Can you post the output of both the interfaces for the vlans that you're trying to send data between?
Oh, and the changes are immediate. You don't have to write it to take effect.
John
03-18-2009 07:06 AM
03-18-2009 07:16 AM
Try this:
Under ACL 108:
permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 3389
Under ACL 101:
permit tcp 10.70.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 3389
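Added example, not from the thread or any of its posters: a small Python first-match evaluator for Cisco-style extended ACEs (wildcard masks, optional "eq" port) that checks which leg of the RDP session between 10.10.0.8 and 10.70.0.61 an ACL applied "out" on each SVI actually sees, and shows why the port qualifier has to sit on the source side for the return leg and why an earlier broad deny shadows a permit appended at the end. The client's ephemeral port and the specific ACE lists are assumptions made for the illustration.

```python
import ipaddress
# Constructed example, not from the thread: a minimal first-match evaluator
# for Cisco-style extended ACEs (wildcard masks, optional "eq" port) used to
# check which leg of the RDP session each SVI ACL direction actually sees.
def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def ace(action, src, src_wc, dst, dst_wc, sport=None, dport=None):
    """One access-list entry; sport/dport None means 'any port'."""
    return dict(action=action, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, sport=sport, dport=dport)

def ace_matches(entry, pkt):
    return (wildcard_match(pkt["src"], entry["src"], entry["src_wc"])
            and wildcard_match(pkt["dst"], entry["dst"], entry["dst_wc"])
            and entry["sport"] in (None, pkt["sport"])
            and entry["dport"] in (None, pkt["dport"]))

def acl_action(acl, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"

# The two legs of one RDP session using the thread's addresses (client port assumed)
RDP_SYN = dict(src="10.10.0.8", sport=51234, dst="10.70.0.61", dport=3389)
RDP_REPLY = dict(src="10.70.0.61", sport=3389, dst="10.10.0.8", dport=51234)

# An ACL applied "out" on int vlan 8 sees packets leaving the switch toward vlan 8,
# i.e. the forward leg, so 3389 is the destination port here.
ACL_108_OUT = [ace("permit", "10.10.0.0", "0.0.0.255", "10.70.0.61", "0.0.0.0", dport=3389)]
# An ACL applied "out" on int vlan 10 sees the reply, where 3389 is the SOURCE port.
ACL_101_OUT = [ace("permit", "10.70.0.61", "0.0.0.0", "10.10.0.0", "0.0.0.255", sport=3389)]
# Same addresses but "eq 3389" on the destination: never matches the reply.
ACL_101_OUT_DPORT = [ace("permit", "10.70.0.61", "0.0.0.0", "10.10.0.0", "0.0.0.255", dport=3389)]
# An earlier broad deny shadows a permit appended at the end (first match wins).
ACL_SHADOWED = [ace("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")] + ACL_108_OUT

def check_session():
    """Return the verdict each ACL gives for the leg it would actually see."""
    return {
        "forward_vlan8_out": acl_action(ACL_108_OUT, RDP_SYN),
        "return_vlan10_out": acl_action(ACL_101_OUT, RDP_REPLY),
        "return_vlan10_out_dport": acl_action(ACL_101_OUT_DPORT, RDP_REPLY),
        "forward_shadowed": acl_action(ACL_SHADOWED, RDP_SYN),
    }
```

Swap the direction of a list (inbound on an SVI sees packets arriving from that VLAN's hosts) and the same evaluator tells you which leg each ACE must describe.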