ACL with RDC port TCP/3389

thonghawkyen
Level 1

I have a router with the following interfaces:

interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
duplex auto
speed auto
!
interface FastEthernet6/1
description <<137.55.68.0 Subnet>>
ip address 137.55.68.1 255.255.252.0
duplex auto
speed auto
...
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389

Note: The subnet on interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.

Question 1: With ACL 100 applied "out" on F6/0 toward subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 but NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).

Question 2: Applying ACL 101 to the interface as follows also does NOT help.

interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
ip access-group 101 in
duplex auto
speed auto

Appreciate if anyone can help. Thanks.

Regards

thong

2 Replies

Jon Marshall
Hall of Fame

Thong

If you want to be able to RDP both ways, then you need to modify your ACL 100. You could use the established keyword, or you could write it as follows:

access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 100 permit tcp 137.55.68.0 0.0.3.255 eq 3389 137.55.67.0 0.0.0.255

Jon
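To see why the original ACL 100 lets RDP work in only one direction, here is an added Python model of Cisco extended-ACL matching (not code from the thread or from Cisco; the host addresses .10 and .20 and the ephemeral port 50000 are assumed). It evaluates the two RDP legs that leave F6/0 toward 137.55.67.0 against the original ACL 100, Jon's two-line version, and the established variant.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse 'access-list N permit tcp SRC SWC [eq P] DST DWC [eq P] [established]'."""
    t = line.split()
    ace = {"action": t[2], "established": t[-1] == "established"}
    ace["src"], ace["swc"], i = t[4], t[5], 6
    if t[i] == "eq":                       # source-port operator
        ace["sport"], i = int(t[i + 1]), i + 2
    ace["dst"], ace["dwc"], i = t[i], t[i + 1], i + 2
    if i < len(t) and t[i] == "eq":        # destination-port operator
        ace["dport"] = int(t[i + 1])
    return ace

def acl_permits(acl_lines, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if not wildcard_match(pkt["src"], ace["src"], ace["swc"]):
            continue
        if not wildcard_match(pkt["dst"], ace["dst"], ace["dwc"]):
            continue
        if ace.get("sport", pkt["sport"]) != pkt["sport"]:
            continue
        if ace.get("dport", pkt["dport"]) != pkt["dport"]:
            continue
        if ace["established"] and not pkt["ack"]:  # established needs ACK/RST set
            continue
        return ace["action"] == "permit"
    return False

# Constructed packets as the router sees them leaving F6/0 toward 137.55.67.0
# (hosts .10 and .20 and ephemeral port 50000 are hypothetical).
SYN_TO_67 = {"src": "137.55.68.20", "sport": 50000, "dst": "137.55.67.10", "dport": 3389, "ack": False}
REPLY_TO_67 = {"src": "137.55.68.20", "sport": 3389, "dst": "137.55.67.10", "dport": 50000, "ack": True}

ORIGINAL_100 = ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389"]
JONS_100 = ORIGINAL_100 + ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 eq 3389 137.55.67.0 0.0.0.255"]
ESTABLISHED_100 = ORIGINAL_100 + ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 established"]

def rdp_legs(acl_out):
    """Which RDP direction survives the 'out' ACL on F6/0 (implicit deny included)."""
    return {"68.x client -> 67.x server": acl_permits(acl_out, SYN_TO_67),
            "67.x client -> 68.x server (return leg)": acl_permits(acl_out, REPLY_TO_67)}
```

With the original ACL the server's reply toward the 137.55.67.0 client carries destination port 50000, not 3389, so it falls to the implicit deny; the second line in Jon's version (source port eq 3389) or the established keyword lets that return leg through.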

Dear Jon,

I could not find this post of mine and thought I could have logged off before hitting the "post" button last night.

I didn't know that I had posted to the wrong category until I received an email from this forum.

I have just posted the same question again under "Getting started with LAN".

Anyway, I will try your suggestion tomorrow to see if it works.

Thanks.