ACL with RDC port TCP/3389

thonghawkyen
Level 1

I have a router with the following interfaces:

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet6/1
 description <<137.55.68.0 Subnet>>
 ip address 137.55.68.1 255.255.252.0
 duplex auto
 speed auto
...

access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389

Note: The subnet on interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.

Question 1: With ACL 100 applied as "out" on F6/0 to subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 but NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).

Question 2: Even if we apply ACL 101 to the subnet as follows, it also does NOT help.

interface FastEthernet6/0
 description <<137.55.67.0 Subnet>>
 ip address 137.55.67.1 255.255.255.0
 ip access-group 100 out
 ip access-group 101 in
 duplex auto
 speed auto

Appreciate if anyone can help. Thanks.

Regards

thong

4 Replies

royalblues
Level 10

Add one more line to access-list 101, as below:

access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255

Narayan

Thong

Perhaps I am not understanding some parts of your post. Your question 1 is titled as a question but it reads more like a statement. Is it a question? Or is it a statement of how things work as shown in the posted section of configuration?

As I read the original post, access list 100 will permit RDP, and only RDP, from subnet 68 to subnet 67. It will not allow any other traffic to subnet 67, and in effect will not permit any traffic originated from subnet 67.

Perhaps we need some clarification about what you are attempting to achieve and about what is working or not working. As I read your note in the post I think I understand that you want to limit access from subnet 67. And the configured access list 100 would seem to do that.

Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101 - if you want to use it. As I read your note I am not sure that you do want to use access list 101.

If my response does not satisfy your question then perhaps you can supply some clarification about what you are trying to achieve.

HTH

Rick


Hi Rick,

Below is a simplified description of the issue I'm facing:

With 100 ACL applied as the "out" at F6/0 ONLY, I can RDC from subnet 137.55.68.0 to subnet 137.55.67.0

With additional 101 ACL applied as the “IN” at F6/0, RDC from subnet 137.55.68.0 to subnet 137.55.67.0 is unavailable

Thong

The explanation for this is part of my previous post:

Access list 101 as written would allow subnet 67 to originate RDP but would not allow responses to RDP originated from subnet 68. So you should modify access list 101

The problem is that when you use access list 101 (as written in your post) it does not permit responses from 137.55.67.0 for RDP originated from 137.55.68.0 and therefore RDP from 137.55.68.0 becomes broken. For RDP to work there must be a permit statement in the access list permitting responses from 137.55.67.0 for RDP originated from 137.55.68.0. Note that the post from Narayan suggests this and gives you the syntax for the command.

HTH

Rick

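To make the direction problem concrete, here is an added example (not from the thread and not Cisco code): a small evaluator for the numbered-ACL syntax quoted above, run against a client's SYN leaving F6/0 and the PC's SYN-ACK coming back in. The host addresses 137.55.68.10 and 137.55.67.20 are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

def in_wildcard(ip, network, wildcard):
    """Cisco wildcard match: mask bits set to 0 must match, bits set to 1 are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC WC [eq P] DST WC [eq P]' (the form used in the thread)."""
    tok = line.split()
    action, i = tok[2], 4
    src, swc, i = tok[i], tok[i + 1], i + 2
    sport = None
    if tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst, dwc, i = tok[i], tok[i + 1], i + 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, src, swc, sport, dst, dwc, dport

def evaluate(acl, pkt):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, src, swc, sp, dst, dwc, dp in map(parse_ace, acl):
        if (in_wildcard(pkt.src, src, swc) and in_wildcard(pkt.dst, dst, dwc)
                and sp in (None, pkt.sport) and dp in (None, pkt.dport)):
            return action
    return "deny"

# The three access-list lines quoted in the thread.
ACL_100 = ["access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389"]
ACL_101 = ["access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389"]
ACL_101_FIXED = ACL_101 + ["access-list 101 permit tcp 137.55.67.0 0.0.0.255 eq 3389 137.55.68.0 0.0.3.255"]

# Constructed sample hosts (not from the thread): an RDP client in the 68 subnet, a PC in the 67 subnet.
SYN = Packet("137.55.68.10", "137.55.67.20", 51000, 3389)      # 68 -> 67, leaves F6/0: checked by ACL 100 out
SYN_ACK = Packet("137.55.67.20", "137.55.68.10", 3389, 51000)  # the reply, enters F6/0: checked by ACL 101 in
REVERSE = Packet("137.55.67.20", "137.55.68.10", 52000, 3389)  # 67 -> 68 session attempt, enters F6/0

def rdp_from_68_works(acl_101_in):
    """True when the client's SYN gets out through F6/0 and the PC's SYN-ACK is allowed back in."""
    return evaluate(ACL_100, SYN) == "permit" and evaluate(acl_101_in, SYN_ACK) == "permit"

def rdp_from_67_works(acl_101_in):
    """67 -> 68 needs ACL 101 to pass the SYN in and ACL 100 to pass the reply out; ACL 100 never does."""
    reply = Packet(REVERSE.dst, REVERSE.src, REVERSE.dport, REVERSE.sport)
    return evaluate(acl_101_in, REVERSE) == "permit" and evaluate(ACL_100, reply) == "permit"
```

With the original ACL 101 the SYN-ACK (source port 3389, destination port 51000) matches no entry and falls to the implicit deny, which is exactly the breakage Thong observed; Narayan's second line matches on the source port and restores the session.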