A problem configuring an ACL

noc_soc69
Level 1

Hello Everybody

I'm trying to create an access list to control remote desktop access through the 2289 port.
We have two VLANs: server VLAN 73 and user VLAN 16.


We need to deny remote desktop access to everybody in the user VLAN, with these two exceptions:

1) We will permit access for everybody in the user VLAN only to these 3 servers (192.168.1.23, 192.168.1.25, 192.168.1.37)

2) We will permit remote access to all of our servers only for these 2 hosts (172.16.21.92 and 172.16.21.93)

So I configured the ACLs this way, but I can't get it to work properly, because it seems like everybody in the user VLAN can still access all of the servers.


! Exception 2: the two admin hosts may reach RDP on any server
access-list 101 permit tcp host 172.16.21.92 any eq 3389
access-list 101 permit tcp host 172.16.21.93 any eq 3389
! Exception 1: everybody may reach RDP on these three servers
access-list 101 permit tcp any host 192.168.1.23 eq 3389
access-list 101 permit tcp any host 192.168.1.25 eq 3389
access-list 101 permit tcp any host 192.168.1.37 eq 3389
! Block all other RDP, allow the rest of TCP
access-list 101 deny tcp any any eq 3389
access-list 101 permit tcp any any
!
interface vlan 73
ip access-group 101 in

Could anybody help me please?
Thank you and Regards!

IIB

3 Replies

cadet alain
VIP Alumni

Hi,

you should apply your ACL outbound on vlan 73 or inbound on vlan 16, but not inbound on vlan 73, because frames entering this vlan interface will never have a source IP in the vlan 16 subnet, nor will they initiate the RDP session, so their destination port won't be 3389, and consequently you'll hit the last line of the ACL, which permits tcp any any, and so the replies to remote desktop sessions initiated from the vlan 16 subnet are permitted.

Regards

Alain

Don't forget to rate helpful posts.

Hi

Thank you for your response Alain. I tried to configure the ACL outbound, but when I do, the server VLAN goes down.

interface vlan 73
ip access-group 101 out

Maybe my mistake is configuring it on the server VLAN interface (73) instead of on the user VLAN interface (16).

Hi,

apply it inbound on the vlan 16 interface.

Regards

Alain

Don't forget to rate helpful posts.
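To make Alain's point concrete, here is an added first-match simulation of the poster's ACL 101 (written for this thread, not Cisco code or the poster's configuration). It assumes a constructed user host 172.16.21.50 and server 192.168.1.40: an ACL applied inbound on the vlan 73 SVI only ever sees the server's stateless reply, whose destination port is the client's ephemeral port, so it falls through to the final permit, while inbound on vlan 16 it sees the original request and denies it.

```python
# Constructed simulation of IOS first-match ACL evaluation (not the thread's code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

# (action, source, destination, destination port); "any" matches everything,
# dport None means no port qualifier on the ACE.
ACL_101 = [
    ("permit", "172.16.21.92", "any", 3389),
    ("permit", "172.16.21.93", "any", 3389),
    ("permit", "any", "192.168.1.23", 3389),
    ("permit", "any", "192.168.1.25", 3389),
    ("permit", "any", "192.168.1.37", 3389),
    ("deny",   "any", "any",          3389),
    ("permit", "any", "any",          None),
]

def _match(pattern, value):
    return pattern == "any" or pattern == value

def evaluate(acl, pkt):
    """Return the action of the first matching ACE, else the implicit deny."""
    for action, src, dst, dport in acl:
        if _match(src, pkt.src) and _match(dst, pkt.dst) and (dport is None or dport == pkt.dport):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny

def rdp_session(client, server, ephemeral=50123):
    """The two directions of one RDP connection (assumed ephemeral port)."""
    request = Packet(client, server, ephemeral, 3389)
    reply = Packet(server, client, 3389, ephemeral)
    return request, reply

def verdicts(client, server):
    """What ACL 101 decides at each placement the thread discusses."""
    request, reply = rdp_session(client, server)
    return {
        "vlan73_in": evaluate(ACL_101, reply),    # poster's placement: sees only replies
        "vlan16_in": evaluate(ACL_101, request),  # Alain's placement: sees the request
    }
```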
