VLAN question

sonitadmin
Level 1

Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets IP from server on VLAN1. They then need to connect to a PC for RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?

44 Replies

Still no go.

Here are what the VLAN configs look like now after adding the lines you gave me.

Are you using MS Remote Desktop client? I don't see any hits on the acl at all.

John

HTH, John *** Please rate all useful posts ***

Yes, using RDP client in Windows. Tried it so far from server (Windows 2003) and from laptop (Windows Vista). Neither will connect. Vista machine when attached to 10.70.0.0 network will connect via RDP just fine to 10.70.0.61 client machine.

What does the rest of your topology look like? Are you connected directly to this switch as well as the server connected directly to the switch? Is there a firewall in between you and the server? You should be seeing hits on the ACL. You *could* put at the top of your ACL "permit ip any any" and if that doesn't work, then something else is your problem (a device in between, another router, etc.).

John

HTH, John *** Please rate all useful posts ***

If we put that permit ip any any in the ACL, would that need to be in both the VLAN8 and VLAN10 ACLs?

I'll post more on the topology shortly.

I would test it like that for both sides. Instead of that try:

permit tcp any any eq 3389 log

at the top of your acl and see what your source and destination shows as in the log. I'm curious as to why you don't see any hits at all on your acl that you currently have now.

HTH, John *** Please rate all useful posts ***

Stupid question but how will I view that log?

"Show log" or if you telnet into the router, you can do:

term mon

Then you can try to connect and see if your traffic is being allowed or denied. If you have a lot of traffic going through that svi and you're allowing everything, then you'll get a lot of traffic across the screen that you'll have to filter through. If you don't want to do that, it will just log to the buffer of the switch.

HTH,

John

HTH, John *** Please rate all useful posts ***

I tried adding the ACL that you gave me and still nothing. Do I need to set up logging on the switch in order to see the hits on the ACL?

As far as a firewall between the server and PC, I don't think so. But I've attached the IP routes that are set up on the switch. Notice the last line. It has a static route to the PIX (10.1.0.253). Does that mean that traffic from VLAN 10 to VLAN 8 is going through the PIX?

I was looking at the logs for the PIX. They are capturing all denied entries and I didn't see anything from the IP addresses that we are dealing with.

However, when I looked at the logging on the 3560 switch it shows the following lines:

list 108 permitted tcp 10.10.0.241(59186) -> 10.70.0.61(3389), 1 packet

list 108 permitted tcp 10.10.0.3(2285) -> 10.70.0.61(3389), 2 packets

So it looks like the RDP traffic is being passed through. However, do you know why it shows a different port number on the VLAN 10 side? Shouldn't that be 3389 as well?
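The two log lines above are the output of an ACE carrying the "log" keyword on the 3560, and the only thing that differs between them is the number in parentheses after the source address. That number is the client's ephemeral source port, not the service port; RDP is identified by the destination port 3389 on the right-hand side, and the 2285 / 59186 on the left are simply whatever port the Windows TCP stack picked for the outgoing connection (Windows 2003 draws from 1025-5000, Vista from the IANA dynamic range 49152-65535). The script below, an added example that is not part of the thread, parses log lines in this format, collapses the ephemeral source ports so hits can be counted per source/destination pair, and classifies the source port range so you can tell which kind of client produced a line. The sample input is constructed here from the two lines posted above plus an invented "denied" line for contrast; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the format a Catalyst 3560 logs for an ACE with
# the "log" keyword. The first two lines mirror the thread; the third is an
# invented deny entry so the summary shows both actions.
SAMPLE_LOG = """\
list 108 permitted tcp 10.10.0.241(59186) -> 10.70.0.61(3389), 1 packet
list 108 permitted tcp 10.10.0.3(2285) -> 10.70.0.61(3389), 2 packets
list 108 denied tcp 10.10.0.50(51000) -> 10.70.0.61(3389), 1 packet
"""

# "search" rather than "match" so a syslog prefix such as
# "%SEC-6-IPACCESSLOGP: " in front of "list ..." does not break parsing.
LINE_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: int      # ephemeral port chosen by the client; varies per connection
    dst: str
    dport: int      # the service port, 3389 for RDP
    count: int


def parse_acl_log(text):
    """Parse IOS ACL log lines into AclHit records; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        hits.append(AclHit(
            acl=m["acl"], action=m["action"], proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            count=int(m["count"]),
        ))
    return hits


def classify_source_port(port):
    """Name the dynamic-port range a source port falls in (hypothetical labels)."""
    if 1025 <= port <= 5000:
        return "windows-legacy-dynamic"   # XP / Server 2003 default range
    if 49152 <= port <= 65535:
        return "iana-dynamic"             # Vista / 2008 and later, IANA range
    return "other"


def summarize(hits, service_port=3389):
    """Total packets per (src, dst, action) for one service port, ignoring the ephemeral source port."""
    totals = {}
    for h in hits:
        if h.dport != service_port:
            continue
        key = (h.src, h.dst, h.action)
        totals[key] = totals.get(key, 0) + h.count
    return totals


if __name__ == "__main__":
    hits = parse_acl_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.action:9} {h.src}:{h.sport} ({classify_source_port(h.sport)}) -> {h.dst}:{h.dport}")
    for (src, dst, action), n in summarize(hits).items():
        print(f"{src} -> {dst}: {action} {n} packet(s) to tcp/3389")
```

Because the parser keys only on the destination port, a permitted line with any source port counts as RDP getting through the ACL; if the RDP session still fails after such lines appear, the ACL on this SVI is not what is blocking it and the next hop (return path, host firewall, or the PIX) is where to look.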

Can you post your complete switch config? Do you have a topology? This is turning out more involved than it should've been :-)

John

HTH, John *** Please rate all useful posts ***

Yes, here is the config. I don't have a topology, sorry!

Yes, please remove anything public including passwords, addresses. You may want to leave the first octet so I'll know the address is public-ish:

99.x.x.x x.x.x.x

John

HTH, John *** Please rate all useful posts ***

Sorry, forgot to attach.
