04-09-2009 08:01 AM - edited 03-06-2019 05:06 AM
I have a router with the following interfaces :
interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
duplex auto
speed auto
!
interface FastEthernet6/1
description <<137.55.68.0 Subnet>>
ip address 137.55.68.1 255.255.252.0
duplex auto
speed auto
.
.
.
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389
Note: The subnet of interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.
Question 1: With ACL 100 applied as the "out" at F6/0 to subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 and NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).
Question 2: Even applying ACL 101 to the subnet as follows is also NOT helping.
interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
ip access-group 101 in
duplex auto
speed auto
Appreciate if anyone can help. Thanks.
Regards
thong
04-09-2009 09:50 AM
add one more line to access-list 101 as below
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255
Narayan
04-09-2009 11:11 AM
Thong
Perhaps I am not understanding some parts of your post. Your question 1 is titled as a question but it reads more like a statement. Is it a question? Or is it a statement of how things work as shown in the posted section of configuration?
As I read the original post, access list 100 will permit RDP, and only RDP, from subnet 68 to subnet 67. It will not allow any other traffic to subnet 67, and in effect will not permit any traffic originated from subnet 67.
Perhaps we need some clarification about what you are attempting to achieve and about what is working or not working. As I read your note in the post I think I understand that you want to limit access from subnet 67. And the configured access list 100 would seem to do that.
Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101 - if you want to use it. As I read your note I am not sure that you do want to use access list 101.
If my response does not satisfy your question then perhaps you can supply some clarification about what you are trying to achieve.
HTH
Rick
04-17-2009 02:35 AM
Hi Rick,
Below is to simplify the issue I'm facing:
With ACL 100 applied as the "out" at F6/0 ONLY, I can RDC from subnet 137.55.68.0 to subnet 137.55.67.0.
With ACL 101 additionally applied as the "in" at F6/0, RDC from subnet 137.55.68.0 to subnet 137.55.67.0 is unavailable.
04-17-2009 09:12 AM
Thong
The explanation for this is part of my previous post:
Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101
The problem is that when you use access list 101 (as written in your post) it does not permit responses from 137.55.67.0 for RDP originated from 137.55.68.0 and therefore RDP from 137.55.68.0 becomes broken. For RDP to work there must be a permit statement in the access list permitting responses from 137.55.67.0 for RDP originated from 137.55.68.0. Note that the post from Narayan suggests this and gives you the syntax for the command.
HTH
Rick
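As an added example (not code from this thread, from Cisco, or from any IOS implementation), the following Python models how an IOS extended ACL evaluates the lines Narayan and Rick discuss: first match wins, nothing is stateful, and an unmatched packet hits the implicit deny. The client 137.55.68.10, the server 137.55.67.20 and the ephemeral port 50000 are constructed values.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> tcp <src> <wc> [eq <p>] <dst> <wc> [eq <p>]'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    def endpoint(rest):
        net, wc, rest = rest[0], rest[1], rest[2:]
        port = None
        if rest[:1] == ["eq"]:
            port, rest = int(rest[1]), rest[2:]
        return (net, wc, port), rest
    src, rest = endpoint(rest)
    dst, _ = endpoint(rest)
    return action, src, dst

def evaluate(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, (snet, swc, sp), (dnet, dwc, dp) = parse_ace(line)
        if (wildcard_match(src_ip, snet, swc) and wildcard_match(dst_ip, dnet, dwc)
                and sp in (None, src_port) and dp in (None, dst_port)):
            return action
    return "deny"

# ACL lines exactly as posted in the thread; the second 101 entry is Narayan's added line.
ACL_100_OUT = ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389"]
ACL_101_IN_ORIGINAL = ["access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389"]
ACL_101_IN_FIXED = ACL_101_IN_ORIGINAL + [
    "access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255"]

def rdp_from_68_to_67(acl_101_in):
    """Constructed RDP session: client 137.55.68.10:50000 -> server 137.55.67.20:3389.
    The request leaves F6/0 (checked by ACL 100 out); the reply enters F6/0 (ACL 101 in)."""
    request = evaluate(ACL_100_OUT, "137.55.68.10", 50000, "137.55.67.20", 3389)
    reply = evaluate(acl_101_in, "137.55.67.20", 3389, "137.55.68.10", 50000)
    return request, reply
```

With the original ACL 101 the reply carries source port 3389, matches no entry and is dropped, which is exactly the breakage Thong reports; with the added line it is permitted.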