Cisco Support Community
Community Member

A problem configuring an ACL

Hello Everybody

I'm trying to create an access list to control the remote-desk access through the 2289 port.
We have two VLANs, server VLAN-73 and user VLAN-16.


We need to deny the remote desktop access to everybody that is in the user vlan except these two exceptions:

1) We will permit the access to everybody in the user vlan only to these 3 servers (192.168.1.23, 192.168.1.25, 192.168.1.37)

2) We will permit the remote access to all of our servers only to these 2 hosts (172.16.21.92 and 172.16.21.93)

So I configured the ACLs in this way, but I can't do it properly because it seems like everybody in the user vlan continues accessing all of the servers.


access-list 101 permit tcp host 172.16.21.92 any eq 3389
access-list 101 permit tcp host 172.16.21.93 any eq 3389


access-list 101 permit tcp any host 192.168.1.23 eq 3389
access-list 101 permit tcp any host 192.168.1.25 eq 3389
access-list 101 permit tcp any host 192.168.1.37 eq 3389


access-list 101 deny tcp any any eq 3389
access-list 101 permit tcp any any


interface vlan 73
ip access-group 101 in

Could anybody help me please?
Thank you and Regards!

IIB

3 REPLIES
Purple

A problem configuring an ACL

Hi,

you should apply your ACL outbound on vlan 73 or inbound on vlan 16, but not inbound on vlan 73, because frames entering this vlan interface will never have a source IP in the vlan 16 subnet, nor will they initiate the RDP session, so their destination port won't be 3389 and consequently you'll hit your last line of the ACL, which permits tcp any any and so permits the replies to remote desktop sessions initiated from the vlan 16 subnet.

Regards

Alain

Don't forget to rate helpful posts.

Community Member

A problem configuring an ACL

Hi

Thank you for your response Alain, I tried to configure the ACL outbound, but when I do it the server vlan falls down.

interface vlan 73

ip access-group 101 out

Maybe my mistake is configuring it on the server vlan interface (73) instead of configuring it on the users vlan interface (16).

Purple

A problem configuring an ACL

Hi,

apply it inbound on vlan 16 interface

Regards

Alain

Don't forget to rate helpful posts.

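To make Alain's point about direction concrete, here is an added simulation (not code from the thread or from Cisco) that parses the poster's ACL 101 exactly as written and evaluates an RDP session under each placement Alain discusses: inbound on vlan 73, outbound on vlan 73, and inbound on vlan 16. The SVI model is a simplification: an ACL applied `in` on a vlan interface only sees packets whose source is in that VLAN's subnet, and one applied `out` only sees packets whose destination is in it. The subnets 172.16.21.0/24 and 192.168.1.0/24 and the ordinary user and non-listed server addresses are assumptions; the thread shows only individual hosts in those ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", ...
    src: str               # "any" or "host A.B.C.D"
    dst: str               # "any" or "host A.B.C.D"
    dport: Optional[int]   # destination port from a trailing "eq N", if present


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACL line of the shape used in the thread:
    access-list N {permit|deny} PROTO SRC DST [eq PORT]
    Only the 'any' and 'host X' address forms are supported (all the thread uses)."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    pos = 4

    def take_addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return f"host {toks[pos - 1]}"
        raise ValueError(f"unsupported address form at {toks[pos]!r}")

    src = take_addr()
    dst = take_addr()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        dport = int(toks[pos + 1])
    return Ace(action, proto, src, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ip_address(spec.split()[1]) == ip_address(addr)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation, ending with the implicit deny every Cisco ACL has."""
    for ace in acl:
        if ace.proto != pkt.proto:
            continue
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of the list


# Assumed subnets: the thread only shows hosts in 172.16.21.x (users) and 192.168.1.x (servers).
VLAN_SUBNETS = {16: ip_network("172.16.21.0/24"), 73: ip_network("192.168.1.0/24")}


def svi_sees(vlan: int, direction: str, pkt: Packet) -> bool:
    """'in' on an SVI sees packets sourced from that VLAN; 'out' sees packets destined to it."""
    net = VLAN_SUBNETS[vlan]
    if direction == "in":
        return ip_address(pkt.src) in net
    return ip_address(pkt.dst) in net


def rdp_session_allowed(acl: List[Ace], vlan: int, direction: str,
                        client: str, server: str, sport: int = 50123) -> bool:
    """True if both the client's SYN to tcp/3389 and the server's reply get past the ACL."""
    syn = Packet("tcp", client, server, sport, 3389)
    reply = Packet("tcp", server, client, 3389, sport)
    for pkt in (syn, reply):
        if svi_sees(vlan, direction, pkt) and evaluate(acl, pkt) == "deny":
            return False
    return True


# The poster's ACL, verbatim from the thread.
ACL_101 = [parse_ace(line) for line in """
access-list 101 permit tcp host 172.16.21.92 any eq 3389
access-list 101 permit tcp host 172.16.21.93 any eq 3389
access-list 101 permit tcp any host 192.168.1.23 eq 3389
access-list 101 permit tcp any host 192.168.1.25 eq 3389
access-list 101 permit tcp any host 192.168.1.37 eq 3389
access-list 101 deny tcp any any eq 3389
access-list 101 permit tcp any any
""".strip().splitlines()]


if __name__ == "__main__":
    user, other_server = "172.16.21.50", "192.168.1.40"   # constructed sample hosts
    for vlan, direction in ((73, "in"), (73, "out"), (16, "in")):
        allowed = rdp_session_allowed(ACL_101, vlan, direction, user, other_server)
        print(f"ACL 101 {direction} on vlan {vlan}: ordinary user -> non-listed server allowed? {allowed}")
```

With the list inbound on vlan 73 the client's SYN never enters that interface, and the server's reply carries an ephemeral destination port, so it falls through `deny tcp any any eq 3389` to `permit tcp any any` and the session completes; inbound on vlan 16 (or outbound on vlan 73) the SYN itself is evaluated and denied. The model only covers the RDP flow, so it says nothing about why the outbound placement took the server vlan down. One side effect it does expose: once ACL 101 sits inbound on vlan 16, anything that is not TCP (ICMP, DNS over UDP, and so on) from the user subnet hits the implicit deny, because the last explicit line only permits TCP.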