ACL with RDC port TCP/3389

Unanswered Question
Apr 9th, 2009
I have a router with the following interfaces:

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet6/1
 description <<137.55.68.0 Subnet>>
 ip address 137.55.68.1 255.255.252.0
 duplex auto
 speed auto
.
.
.
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389

Note: The subnet on interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.


Question 1: With ACL 100 applied as "out" on F6/0 to subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 and NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).


Question 2: Even if we apply ACL 101 to the subnet as follows, it is also NOT helping.

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 ip access-group 101 in
 duplex auto
 speed auto


I would appreciate it if anyone can help. Thanks.


Regards

thong


royalblues Thu, 04/09/2009 - 09:50

Add one more line to access-list 101, as below:

access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255


Narayan

Richard Burts Thu, 04/09/2009 - 11:11

Thong


Perhaps I am not understanding some parts of your post. Your question 1 is titled as a question but it reads more like a statement. Is it a question? Or is it a statement of how things work as shown in the posted section of configuration?


As I read the original post, access list 100 will permit RDP, and only RDP, from subnet 68 to subnet 67. It will not allow any other traffic to subnet 67, and in effect will not permit any traffic originated from subnet 67.


Perhaps we need some clarification about what you are attempting to achieve and about what is working or not working. As I read your note in the post I think I understand that you want to limit access from subnet 67. And the configured access list 100 would seem to do that.


Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101 - if you want to use it. As I read your note I am not sure that you do want to use access list 101.


If my response does not satisfy your question then perhaps you can supply some clarification about what you are trying to achieve.


HTH


Rick

thonghawkyen Fri, 04/17/2009 - 02:35

Hi Rick,


Below is to simplify the issue I'm facing:


With ACL 100 applied as "out" at F6/0 ONLY, I can RDC from subnet 137.55.68.0 to subnet 137.55.67.0.


With the additional ACL 101 applied as "IN" at F6/0, RDC from subnet 137.55.68.0 to subnet 137.55.67.0 is unavailable.

Richard Burts Fri, 04/17/2009 - 09:12

Thong


The explanation for this is part of my previous post:

Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101


The problem is that when you use access list 101 (as written in your post) it does not permit responses from 137.55.67.0 for RDP originated from 137.55.68.0 and therefore RDP from 137.55.68.0 becomes broken. For RDP to work there must be a permit statement in the access list permitting responses from 137.55.67.0 for RDP originated from 137.55.68.0. Note that the post from Narayan suggests this and gives you the syntax for the command.


HTH


Rick
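To make Rick's explanation concrete, here is an added Python simulation (not code from the thread or from Cisco) of first-match IOS extended ACL evaluation with wildcard masks, run against the thread's access lists for a constructed RDP session. The client 137.55.68.10, the PC 137.55.67.20 and the ephemeral port 50000 are assumed sample values; the result shows why ACL 101 as posted drops the 3389-sourced replies and why Narayan's extra line permits them.

```python
"""Added example: first-match simulation of the thread's IOS extended ACLs."""
from ipaddress import IPv4Address

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line: str) -> tuple:
    """Parse 'access-list N permit|deny tcp SRC WC [eq P] DST WC [eq P]'."""
    # A port of None means 'any': what an ACE without 'eq' matches in IOS.
    t = line.split()
    assert t[0] == "access-list" and t[3] == "tcp", line
    i, src_port = 6, None
    if t[i] == "eq":                       # optional source port operator
        src_port, i = int(t[i + 1]), i + 2
    dst, dst_wc, i = t[i], t[i + 1], i + 2
    dst_port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return (t[2], t[4], t[5], src_port, dst, dst_wc, dst_port)

def acl_decision(acl: list, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wc, s_port, d, d_wc, d_port in map(parse_ace, acl):
        if (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)
                and s_port in (None, sport) and d_port in (None, dport)):
            return action
    return "deny"

# Constructed RDP session: a client in the 68.x subnet connects to a PC in 67.x.
# Hosts and the ephemeral client port 50000 are assumed sample values.
SYN = ("137.55.68.10", 50000, "137.55.67.20", 3389)    # leaves F6/0: ACL 100 out
REPLY = ("137.55.67.20", 3389, "137.55.68.10", 50000)  # enters F6/0: ACL 101 in

ACL_100 = ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389"]
ACL_101_ORIG = ["access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389"]
ACL_101_FIXED = ACL_101_ORIG + [  # Narayan's extra line: replies sourced from port 3389
    "access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255"]

def thread_results() -> dict:
    """Decisions for the three cases discussed in the thread."""
    return {
        "request via ACL 100 out": acl_decision(ACL_100, *SYN),              # permit
        "reply via ACL 101 as posted": acl_decision(ACL_101_ORIG, *REPLY),   # deny
        "reply via ACL 101 + Narayan": acl_decision(ACL_101_FIXED, *REPLY),  # permit
    }

if __name__ == "__main__":
    for case, verdict in thread_results().items():
        print(f"{case}: {verdict}")
```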
