Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets an IP from a server on VLAN1. They then need to connect to a PC for an RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?
If they're going through the pix, you may need to create an ACL that they'll use to allow them to the vlan 2 subnet. Otherwise, they'll only be allowed to whatever devices the acl is being applied to their vpn connection.
You could post the acl that's being applied to them and we can look at it. Also, is the pix the default gateway for the switch? Are these L3 SVIs, or do you have it configured as just a L2 switch?
Taking outside users out of the equation for the time being, I cannot RDP to anything on VLAN2 from VLAN1 as of now.
So is there anything that would be denying that access?
Are you on the same switch? Are these L3 SVIs?
Here's a couple of suggestions:
If they're L3 svis (int vlan1, int vlan2) and they have ACLs applied, then yes, that could be blocking you.
Can you RDP from a system that's in VLAN2 to the system that's in VLAN2? If not, it has something to do with the server/system that you're trying to remote into (software firewall?).
Thanks for the reply. They are L3 svis (int vlan1, int vlan2) and they do have ACLs applied to them.
I've taken my laptop and placed it in VLAN2 (10.70.0.0 network) and can RDP to the PC (10.70.0.61). When I go back to VLAN1 (10.10.0.0 network) I am then unable to remote into anything on the 10.70.0.0 network.
I'm a little confused. The ace that you posted here would only allow 10.0.0.0/24 (10.0.0.1, 10.0.0.103, etc.)
What are the actual subnets on vlan 8, and what subnet are you coming from?
Oh, and what direction are these acls applied to on the svi?
That should have been 10.10.0.0 network.
But wouldn't that be correct? I only want to allow RDP from anything on the 10.10.0.0 network to that specific host.
Right now my ip is 10.10.0.8, I'm on VLAN10. I want to RDP to 10.70.0.61 which is on VLAN8.
Yes, it would be correct, but it could change depending on the direction that your acl is applied in. Is the ACL on vlan 8 or 10 applied outbound?
Try this acl on vlan 8:
access-list 108 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389
On your vlan 10:
access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389
Vlan 8 is assumed outbound. If your acl is applied inbound, you would need to switch it:
access-list 108 permit tcp host 10.70.0.61 10.10.0.0 0.0.0.255 eq 3389
Oh, and if you add the access-list line without modifying your whole list, it will add to the end of the list. That means that if something is blocking the traffic before it gets to the line that should allow it, it will stop processing the ACL and will never get to your line. When working with these acls, it's best to copy the complete acl, paste into notepad, make your changes, del the current acl, and then paste your "changed" acl back in. You can't add a line to this type of acl in the middle of the list without modifying it all.
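As an added illustration of the ordering problem described above (this is example code, not anything posted in the thread), here is a small Python evaluator that applies the first-match rule to Cisco-style numbered ACL lines; the three-line ACL, the hosts and the ports are constructed for the demo. It also shows that the RDP client's source port is ephemeral, so a line written for the return direction only matches when eq 3389 sits on the source side.

```python
# Added example, not from the thread: a first-match evaluator for Cisco-style
# numbered ACL lines (permit/deny, 'any'/'host'/wildcard masks, 'eq PORT').
import ipaddress
from typing import List

def _addr(tok: List[str]):
    # 'any', 'host A', or 'A WILDCARD'; ipaddress accepts a hostmask after '/'
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _port(tok: List[str]):
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_ace(line: str) -> dict:
    tok = line.split()
    if tok[0] == "access-list":   # accept 'access-list 108 ...' or a bare ACE
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    sport, tok = _port(tok)       # 'eq' after the source matches the SOURCE port
    dst, tok = _addr(tok)
    dport, tok = _port(tok)       # 'eq' after the destination matches the DEST port
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def lookup(acl: List[str], proto: str, s_ip: str, s_port: int, d_ip: str, d_port: int):
    """First matching ACE wins: returns (action, 1-based line) or ('deny', None)."""
    for n, a in enumerate(map(parse_ace, acl), 1):
        if (a["proto"] in ("ip", proto)
                and ipaddress.ip_address(s_ip) in a["src"] and ipaddress.ip_address(d_ip) in a["dst"]
                and a["sport"] in (None, s_port) and a["dport"] in (None, d_port)):
            return a["action"], n
    return "deny", None           # the implicit deny at the end of every ACL

# Constructed ACL: an earlier deny shadows the RDP permit appended at the end.
SHADOWED_108 = [
    "permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.10 eq 80",
    "deny ip 10.10.0.0 0.0.0.255 10.70.0.0 0.0.0.255",
    "access-list 108 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389",
]
FIXED_108 = [SHADOWED_108[2], SHADOWED_108[0], SHADOWED_108[1]]  # permit moved up

def rdp_from_vlan10(acl: List[str]):
    # The RDP client uses an ephemeral source port; only the destination is 3389.
    return lookup(acl, "tcp", "10.10.0.8", 59186, "10.70.0.61", 3389)
def rdp_reply_permitted(line: str) -> bool:
    # Reply 10.70.0.61:3389 -> 10.10.0.8:59186, as seen by an inbound ACL on vlan 8
    return lookup([line], "tcp", "10.70.0.61", 3389, "10.10.0.8", 59186)[0] == "permit"
```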
VLAN8 is indeed outbound. We tried the ACLs you gave above but with no success.
My other tech added the lines to the ACL by giving them a number (ex 75 and then the ACL commands) so this put them at a certain spot instead of the end of the ACL.
Question I have, I thought that he would have to do a write mem command after adding these so they would be in the running config, but he is telling me that he doesn't need to. Would that command need to be run?
Numbered access lists won't let you insert lines, so you're using a named acl? I need to see the config of the SVIs on your switch. Can you post the output of both the interfaces for the vlans that you're trying to send data between?
Oh, and the changes are immediate. You don't have to write it to take effect.
Under ACL 108:
permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 3389
Under ACL 101:
permit tcp 10.70.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 3389
Yes, using RDP client in Windows. Tried it so far from server (Windows 2003) and from laptop (Windows Vista). Neither will connect. Vista machine when attached to 10.70.0.0 network will connect via RDP just fine to 10.70.0.61 client machine.
What does the rest of your topology look like? Are you connected directly to this switch as well as the server connected directly to the switch? Is there a firewall in between you and the server? You should be seeing hits on the ACL. You *could* put at the top of your ACL "permit ip any any" and if that doesn't work, then something else is your problem (a device in between, another router, etc.).
I would test it like that for both sides. Instead of that try:
permit tcp any any eq 3389 log
at the top of your acl and see what your source and destination shows as in the log. I'm curious as to why you don't see any hits at all on your acl that you currently have now.
"Show log" or if you telnet into the router, you can do:
Then you can try to connect and see if your traffic is being allowed or denied. If you have a lot of traffic going through that svi and you're allowing everything, then you'll get a lot of traffic across the screen that you'll have to filter through. If you don't want to do that, it will just log to the buffer of the switch.
I tried adding the ACL that you gave me and still nothing. Do I need to set up logging on the switch in order to see the hits on the ACL?
As far as a firewall between the server and PC, I don't think so. But I've attached the IP routes that are set up on the switch. Notice the last line. It has a static route to the PIX (10.1.0.253). Does that mean that traffic from VLAN 10 to VLAN 8 is going through the PIX?
I was looking at the logs for the PIX. They are capturing all denied entries and I didn't see anything from the IP addresses that we are dealing with.
However, when I looked at the logging on the 3560 switch it shows the following lines:
list 108 permitted tcp 10.10.0.241(59186) -> 10.70.0.61(3389), 1 packet
list 108 permitted tcp 10.10.0.3(2285) -> 10.70.0.61(3389), 2 packets
So it looks like the RDP traffic is being passed through. However, do you know why it shows a different port number on the VLAN 10 side? Shouldn't that be 3389 as well?
Can you post your complete switch config? Do you have a topology? This is turning out more involved than it should've been :-)
Yes, please remove anything public including passwords, addresses. You may want to leave the first octet so I'll know the address is public-ish: