Cisco Support Community

New Member

Block port 3389 MSTSC Cisco 3560x

Good afternoon,

I am not an expert in Cisco, so I would like some help from you guys (the experts).

I need to block port 3389 on a 3560x L3 switch.

My idea for this was to make an access-list:

ip access-list extended BLOCK_RDP
 deny   tcp any eq 3389 105.103.28.0 0.0.0.255

When I apply this on the interface, the network goes down behind the L3 switch.

When I also apply the permit ip any any in the access-list, I can set up remote access again, and I don't want that.

Does anyone have an idea?

These are the interfaces it is about:

interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk

Thanks a lot!

5 REPLIES

Block port 3389 MSTSC Cisco 3560x

Are you wanting to block this inter-vlan or within the same vlan?

HTH,
John

*** Please rate all useful posts ***

New Member

Block port 3389 MSTSC Cisco 3560x

At this moment I have it working:

ip access-list extended BLOCK_RDP
 deny   tcp any any eq 3389
 permit ip any any

interface Vlan28
 description [* ADM 1F *]
 ip address 105.103.28.1 255.255.255.0
 ip access-group BLOCK_RDP out

I can't access a computer in 105.103.28.0/24 with mstsc, but I can access other computers/subnets from the 105.103.28.0/24 subnet.

So that problem is solved, but I have one more question: when I want to give access to someone who wants to go by RDP to the 105.103.28.0/24 network, how do I set this in the ACL?

I am not good with the wildcard mask.

For example, I would like to access a computer in the 105.103.28.0/24 subnet from IP 105.103.24.110/24.

Do you have an idea?

Thanks

Block port 3389 MSTSC Cisco 3560x

Glad to hear you got it working. You can permit that address before the deny statement to allow them through. In your example, you could do:

ip access-list ext BLOCK_RDP
 1 permit tcp host 105.103.24.110 105.103.28.0 0.0.0.255 eq 3389
 2 permit tcp host 105.103.24.110 host 105.103.28.33 eq 3389

The line numbers are there because by default Cisco starts with 10. To insert a line where you want, you add the number. Line 1 will allow 105.103.24.110 to access anything in the 105.103.28.0/24 subnet, and line 2 will allow the same host to access ONLY 105.103.28.33 on that subnet connecting to RDP.

When you insert lines like this, it doesn't affect the existing traffic, and you don't have to remove the ACL from the interface in order to modify it. So, in my example, you can insert the lines and when you look at your access-list, you would see:

ip access-list ext BLOCK_RDP
 1 permit tcp host 105.103.24.110 105.103.28.0 0.0.0.255 eq 3389
 2 permit tcp host 105.103.24.110 host 105.103.28.33 eq 3389
 10 deny   tcp any any eq 3389
 20 permit ip any any

Make sense?

HTH,
John

*** Please rate all useful posts ***
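To check the reasoning in the thread offline, here is a small Python model of how IOS walks an extended ACL (wildcard masks, sequence-number order, implicit deny). It is an added example written for this page, not code from the thread or from Cisco; the `Ace` class, `acl_lookup` and the sample flows are my own constructions.

```python
# Added example (not from the thread): a Python model of Cisco extended-ACL
# evaluation, used to walk the two BLOCK_RDP lists discussed above.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")       # "any": every bit is don't-care

def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")                  # "host x": every bit must match

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                              # "permit" or "deny"
    src: Tuple[str, str]                     # (address, wildcard)
    dst: Tuple[str, str]
    src_port: Optional[int] = None           # None = any port
    dst_port: Optional[int] = None

def acl_lookup(aces, src_ip, src_port, dst_ip, dst_port):
    """Return (action, seq) of the first ACE that matches in sequence order."""
    for ace in sorted(aces, key=lambda e: e.seq):
        if (wildcard_match(src_ip, *ace.src) and wildcard_match(dst_ip, *ace.dst)
                and ace.src_port in (None, src_port)
                and ace.dst_port in (None, dst_port)):
            return ace.action, ace.seq
    return "deny", None                      # implicit deny at the end of every IOS ACL

# The first attempt from the original post: one deny line and nothing else.
# "any eq 3389" is a SOURCE-port match, and there is no permit, so every flow
# falls through to the implicit deny; that is why the network behind the switch went dark.
FIRST_ATTEMPT = [Ace(10, "deny", ANY, ("105.103.28.0", "0.0.0.255"), src_port=3389)]

# The final list from John's answer, with the sequence numbers as shown in the thread.
BLOCK_RDP = [
    Ace(1, "permit", host("105.103.24.110"), ("105.103.28.0", "0.0.0.255"), dst_port=3389),
    Ace(2, "permit", host("105.103.24.110"), host("105.103.28.33"), dst_port=3389),
    Ace(10, "deny", ANY, ANY, dst_port=3389),
    Ace(20, "permit", ANY, ANY),
]
```

Walking BLOCK_RDP with the model also shows that line 2 is never reached: line 1 already permits the same host to the whole /24, so if the intent is to limit that host to 105.103.28.33 only, keep line 2 and drop line 1.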
New Member

Block port 3389 MSTSC Cisco 3560x

Yes, I understand.

Thank you so much for your explanation; I did not know about that.

My problem is solved.

Have a great day!

Block port 3389 MSTSC Cisco 3560x

You too! Thank you for the rating.

HTH,
John

*** Please rate all useful posts ***