VLAN question

sonitadmin
Level 1

Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets an IP from a server on VLAN1. They then need to connect to a PC for an RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?

44 Replies

John Blakley
VIP Alumni

If they're going through the pix, you may need to create an ACL that they'll use to allow them to the vlan 2 subnet. Otherwise, they'll only be allowed to whatever devices the acl is being applied to their vpn connection.

You could post the acl that's being applied to them and we can look at it. Also, is the pix the default gateway for the switch? Are these L3 SVIs, or do you have it configured as just a L2 switch?

HTH,

John

HTH, John *** Please rate all useful posts ***

Taking outside users out of the equation for the time being, I cannot RDP to anything on VLAN2 from VLAN1 as of now.

So is there anything that would be denying that access?

Are you on the same switch? Are these L3 SVIs?

Here are a couple of suggestions:

If they're L3 svis (int vlan1, int vlan2) and they have ACLs applied, then yes, that could be blocking you.

Can you RDP from a system that's in VLAN2 to the system that's in VLAN2? If not, it has something to do with the server/system that you're trying to remote into (software firewall?).

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

Thanks for the reply. They are L3 SVIs (int vlan1, int vlan2) and they do have ACLs applied to them.

I've taken my laptop and placed it in VLAN2 (10.70.0.0 network) and can RDP to the PC (10.70.0.61). When I go back to VLAN1 (10.10.0.0 network) I am then unable to remote into anything on the 10.70.0.0 network.

Okay. Can you post the ACL config for VLAN1 and 2?

HTH, John *** Please rate all useful posts ***

OK, the actual VLAN names are 10 and 8 not 1 and 2. I am trying to connect from VLAN10 to VLAN8. The commands that we have tried are not in this list.

I tried adding a command on VLAN8 that read:

permit tcp 10.0.0.0 0.0.0.255 host 10.70.0.61 eq 3389

I'm a little confused. The ACE that you posted here would only allow 10.0.0.0/24 (10.0.0.1, 10.0.0.103, etc.).

What are the actual subnets on vlan 8, and what subnet are you coming from?

Oh, and in what direction are these ACLs applied on the SVI?

John

HTH, John *** Please rate all useful posts ***

That should have been 10.10.0.0 network.

But wouldn't that be correct? I only want to allow RDP from anything on the 10.10.0.0 network to that specific host.

Right now my ip is 10.10.0.8, I'm on VLAN10. I want to RDP to 10.70.0.61 which is on VLAN8.

Yes, it would be correct, but it could change depending on the direction that your acl is applied in. Is the ACL on vlan 8 or 10 applied outbound?

Try this acl on vlan 8:

access-list 108 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389

On your vlan 10:

access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389

Vlan 8 is assumed outbound. If your acl is applied inbound, you would need to switch it:

access-list 108 permit tcp host 10.70.0.61 eq 3389 10.10.0.0 0.0.0.255

Oh, and if you add the access-list line without modifying your whole list, it will be added to the end of the list. That means that if something is blocking the traffic before it gets to the line that should allow it, the switch will stop processing the ACL there and will never reach your line. When working with these ACLs, it's best to copy the complete ACL, paste it into Notepad, make your changes, delete the current ACL, and then paste your "changed" ACL back in. You can't add a line to this type of ACL in the middle of the list without modifying it all.

HTH,

John

HTH, John *** Please rate all useful posts ***
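To make the two points above concrete (first-match ordering of an ACL, and which side of the ACE the port belongs on depending on the direction the ACL is applied), here is an added illustration that is not part of the thread or of any Cisco tool. It is a deliberately small evaluator that understands only the ACE forms used in this discussion (`any`, `host A`, `A WILDCARD`, an optional `eq PORT`, and the `ip`/`tcp` protocols) and applies the implicit deny at the end. The ACL contents, the client address 10.10.0.8, and the ephemeral port 51234 are constructed; the poster's real ACLs were never shown.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACLs in IOS syntax (not the poster's real config).
# ACL_108_APPENDED shows what happens when the RDP permit is simply
# appended with "access-list 108 permit ...": an earlier deny wins.
ACL_108_APPENDED = [
    "deny tcp 10.10.0.0 0.0.0.255 10.70.0.0 0.0.0.255",
    "permit ip any any",
    "permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389",  # never reached
]
# Same lines with the permit placed before the deny.
ACL_108_REORDERED = [
    "permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389",
    "deny tcp 10.10.0.0 0.0.0.255 10.70.0.0 0.0.0.255",
    "permit ip any any",
]
# What an INBOUND ACL on the VLAN 8 SVI needs: it sees the server's reply,
# so 3389 is the SOURCE port of that reply.
ACL_108_INBOUND = ["permit tcp host 10.70.0.61 eq 3389 10.10.0.0 0.0.0.255"]
# The same ACE with the port left on the destination side (a common mistake).
ACL_108_INBOUND_WRONG = ["permit tcp host 10.70.0.61 10.10.0.0 0.0.0.255 eq 3389"]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(tokens, ip):
    """Consume one address spec (any | host A | A WILDCARD) and test ip."""
    kw = tokens.pop(0)
    if kw == "any":
        return True
    if kw == "host":
        return ipaddress.ip_address(tokens.pop(0)) == ip
    base = int(ipaddress.ip_address(kw))
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ip) & care) == (base & care)


def _match_port(tokens, port):
    """Consume an optional 'eq N' qualifier; no qualifier means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0)) == port
    return True


def ace_matches(ace, flow):
    """Return 'permit'/'deny' if the ACE matches the flow, else None."""
    tokens = ace.split()
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    if proto != "ip" and proto != flow.proto:
        return None
    # Each helper consumes its tokens even when an earlier check failed,
    # so the left operand is always evaluated first.
    ok = _match_addr(tokens, ipaddress.ip_address(flow.src))
    ok = _match_port(tokens, flow.sport) and ok
    ok = _match_addr(tokens, ipaddress.ip_address(flow.dst)) and ok
    ok = _match_port(tokens, flow.dport) and ok
    return action if ok else None


def evaluate(acl, flow):
    """First matching ACE wins; return (action, 1-based line) or ('deny', None)
    for the implicit deny at the end of every IOS ACL."""
    for index, ace in enumerate(acl, start=1):
        action = ace_matches(ace, flow)
        if action is not None:
            return action, index
    return "deny", None


# The RDP request as an OUTBOUND ACL on the VLAN 8 SVI sees it (constructed).
RDP_REQUEST = Flow("tcp", "10.10.0.8", 51234, "10.70.0.61", 3389)
# The reply as an INBOUND ACL on the same SVI sees it: ports swap sides.
RDP_REPLY = Flow("tcp", "10.70.0.61", 3389, "10.10.0.8", 51234)

if __name__ == "__main__":
    print("appended permit :", evaluate(ACL_108_APPENDED, RDP_REQUEST))
    print("reordered       :", evaluate(ACL_108_REORDERED, RDP_REQUEST))
    print("inbound, correct:", evaluate(ACL_108_INBOUND, RDP_REPLY))
    print("inbound, wrong  :", evaluate(ACL_108_INBOUND_WRONG, RDP_REPLY))
```

Running it shows the appended permit losing to the earlier deny on line 1, the reordered list permitting on line 1, and the inbound ACE matching only when `eq 3389` sits on the source (server) side; with the port on the destination side the reply falls through to the implicit deny, because the client's port is ephemeral. The same first-match logic is why the advice above is to rebuild the whole list rather than append to it.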

VLAN8 is indeed outbound. We tried the ACLs you gave above but with no success.

My other tech added the lines to the ACL by giving them a number (e.g. 75 and then the ACL commands), so this put them at a certain spot instead of at the end of the ACL.

Question I have, I thought that he would have to do a write mem command after adding these so they would be in the running config, but he is telling me that he doesn't need to. Would that command need to be run?

Thanks!

Numbered access lists won't let you insert lines, so you're using a named ACL? I need to see the config of the SVIs on your switch. Can you post the output for both of the interfaces for the VLANs that you're trying to send data between?

Oh, and the changes are immediate. You don't have to write it to take effect.

John

HTH, John *** Please rate all useful posts ***

John,

Here is what I have for the two VLAN interfaces.

Thanks for all your help!

Try this:

Under ACL 108:

permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 3389

Under ACL 101:

permit tcp 10.70.0.0 0.0.255.255 eq 3389 10.10.0.0 0.0.255.255

HTH, John *** Please rate all useful posts ***