
New Member

How to control network traffic using ASA if IP in same subnet segment

Dear Cisco Experts,

I have a problem controlling the rules/traffic at the inside firewall device. I have two workstations: PC-A has IP 10.1.0.101, 255.225.0.0 and PC-B has IP 10.1.1.125, 255.255.0.0.

These two PCs are located on the inside port of the firewall. I want to disable Remote Desktop Protocol (tcp/3389) between these PCs using the firewall rules.

I have already created access rules at the inside FW to deny the RDP service, but it was unsuccessful.

My question is: can I control/disable the RDP service if the IP subnet segment is the same?

Or do I need to create a separate VLAN to be able to control/disable the RDP service?

I would appreciate it if you can help me with this.

Thanks

Hanif Saharudin

  • Firewalling
4 REPLIES
Hall of Fame Super Blue

Hanif

There is a way to firewall traffic within the same IP subnet but your firewall needs to be in transparent mode. However I am not suggesting you do this as I suspect you have other interfaces on your ASA in use and your ASA is in routed mode.

In which case, no, you cannot use the firewall as far as I know, because traffic is never sent to the firewall, i.e. the traffic goes directly between clients in the same subnet.

Which means you could use another vlan, although this would mean readdressing etc., or alternatively your switch may be able to filter traffic within the same vlan depending on the model. Bear in mind this is not stateful firewalling, just basic acl filtering.

So what switch model are you using?

Jon

New Member

Dear Jon,

Thanks for your comments.

I am now using an L3 switch, 3750 series.

Can I configure something on the L3 switch to block the RDP service?

Thanks,

Hanif Saharudin

Hall of Fame Super Blue

You cannot configure anything at L3 because the traffic is not routed, so you need to be able to filter traffic within a vlan, which is supported on the 3750.

See this link, but bear in mind this is not stateful:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swacl.html#58493

Jon

New Member

Dear Jon,

Thanks for the links.

I'll go through these documents and try to perform filtering at L3 within the VLAN.

Will update later if successful.

Thanks for your time.

Regards,

Hanif
