ACL with RDC port TCP/3389

Apr 8th, 2009

I have a router with the following interfaces:

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet6/1
 description <<137.55.68.0 Subnet>>
 ip address 137.55.68.1 255.255.252.0
 duplex auto
 speed auto
.
.
.
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389


Note: The subnet of interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.


Question 1: With ACL 100 applied "out" on F6/0 to subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 but NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).


Question 2: Even applying ACL 101 to the subnet as follows does NOT help either:

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 ip access-group 101 in
 duplex auto
 speed auto


I would appreciate it if anyone can help. Thanks.


Regards

thong

Jon Marshall Wed, 04/08/2009 - 11:46

Thong


If you want to be able to RDP both ways then you need to modify your ACL 100. You could use the established keyword, or you could write it as follows:

access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 100 permit tcp 137.55.68.0 0.0.3.255 eq 3389 137.55.67.0 0.0.0.255


Jon
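To make the direction problem in the answer above concrete, here is an added example (written for this page, not code from the thread or from Cisco) that applies IOS extended-ACL semantics (first match wins, wildcard masks where a 1 bit means "don't care", implicit deny at the end, the established keyword matching only segments with ACK set) to the two segments of an RDP session crossing F6/0. The hosts 137.55.67.10 and 137.55.68.20 and the ephemeral port are constructed; the ACL lines are the ones from the thread plus an established variant. Only the subset of the syntax used on this page is parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ACL 100 as posted, then with Jon's extra source-port line, then with "established" instead.
ACL_100_ORIGINAL = [
    "access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389",
]
ACL_100_WITH_SOURCE_PORT = ACL_100_ORIGINAL + [
    "access-list 100 permit tcp 137.55.68.0 0.0.3.255 eq 3389 137.55.67.0 0.0.0.255",
]
ACL_100_WITH_ESTABLISHED = ACL_100_ORIGINAL + [
    "access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 established",
]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # ACK bit set: what the "established" keyword checks


@dataclass
class Entry:
    action: str
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]
    established: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def in_wildcard(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard match: compare only the bits where the wildcard has a 0."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


def parse_entry(line: str) -> Entry:
    # access-list N permit|deny tcp SRC WILD [eq P] DST WILD [eq P] [established]
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "tcp", "only extended tcp entries are supported"
    action, i = tok[2], 4
    src_net, src_wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    sport = None
    if tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst_net, dst_wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(tok[i + 1]), i + 2
    established = i < len(tok) and tok[i] == "established"
    return Entry(action, src_net, src_wild, sport, dst_net, dst_wild, dport, established)


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny'; entries are tried in order and the end is an implicit deny."""
    care = lambda wild: ~wild & 0xFFFFFFFF
    for e in map(parse_entry, acl_lines):
        if (_ip(pkt.src) & care(e.src_wild)) != (e.src_net & care(e.src_wild)):
            continue
        if (_ip(pkt.dst) & care(e.dst_wild)) != (e.dst_net & care(e.dst_wild)):
            continue
        if e.sport is not None and pkt.sport != e.sport:
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action
    return "deny"


# Constructed RDP session started from the restricted subnet: the SYN enters the router on
# F6/0 (inbound), the SYN-ACK from the server leaves through F6/0 and is checked by ACL 100 "out".
SYN = Packet("137.55.67.10", 50123, "137.55.68.20", 3389)
SYN_ACK = Packet("137.55.68.20", 3389, "137.55.67.10", 50123, ack=True)
# The working direction the poster reported: a client in 137.55.68.0/22 connecting to a 67.x PC.
RDP_FROM_68 = Packet("137.55.68.20", 50123, "137.55.67.10", 3389)


def rdp_reply_allowed(acl_lines: List[str]) -> bool:
    """Does ACL 100 (outbound on F6/0) let the server's reply back to the 67.x client?"""
    return evaluate(acl_lines, SYN_ACK) == "permit"


if __name__ == "__main__":
    for name, acl in [("original", ACL_100_ORIGINAL),
                      ("source-port line", ACL_100_WITH_SOURCE_PORT),
                      ("established", ACL_100_WITH_ESTABLISHED)]:
        print(f"{name:17s} reply to 67.x client: {evaluate(acl, SYN_ACK)}")
```

The original ACL 100 matches the reply only on destination port 3389, but the reply carries 3389 as its source port and the client's ephemeral port as destination, so it falls through to the implicit deny; ACL 101 inbound never sees that reply, which is why it changes nothing. Both of Jon's options match the reply: the second line keys on the source port, while established keys on the ACK bit, which also permits return traffic for other TCP services between the two subnets, so choose accordingly.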

thonghawkyen Thu, 04/09/2009 - 08:12

Dear Jon,


I could not find this post of mine and thought I could have logged off before hitting the "post" button last night.


I didn't know that I had posted to the wrong category until I received an email from this forum.


I have just posted the same question again under "Getting started with LAN".


Anyway, I will try your suggestion tomorrow to see if it works.


Thanks.
