Community Member

VLAN question

Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets IP from server on VLAN1. They then need to connect to a PC for RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?

44 REPLIES

Re: VLAN question

If they're going through the pix, you may need to create an ACL that they'll use to allow them to the vlan 2 subnet. Otherwise, they'll only be allowed to whatever devices the acl is being applied to their vpn connection.

You could post the acl that's being applied to them and we can look at it. Also, is the pix the default gateway for the switch? Are these L3 SVIs, or do you have it configured as just a L2 switch?

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Taking outside users out of the equation for the time being, I cannot RDP to anything on VLAN2 from VLAN1 as of now.

So is there anything that would be denying that access?

Re: VLAN question

Are you on the same switch? Are these L3 SVIs?

Here's a couple of suggestions:

If they're L3 svis (int vlan1, int vlan2) and they have ACLs applied, then yes, that could be blocking you.

Can you RDP from a system that's in VLAN2 to the system that's in VLAN2? If not, it has something to do with the server/system that you're trying to remote into (software firewall?).

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

John,

Thanks for the reply. They are L3 svis (int vlan1, int vlan2) and they do have ACLs applied to them.

I've taken my laptop and placed it in VLAN2 (10.70.0.0 network) and can RDP to the PC (10.70.0.61). When I go back to VLAN1 (10.10.0.0 network) I am then unable to remote into anything on the 10.70.0.0 network.

Re: VLAN question

Okay. Can you post the ACL config for VLAN1 and 2?

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

OK, the actual VLAN names are 10 and 8 not 1 and 2. I am trying to connect from VLAN10 to VLAN8. The commands that we have tried are not in this list.

Community Member

Re: VLAN question

I tried adding a command on VLAN8 that read:

permit tcp 10.0.0.0 0.0.0.255 host 10.70.0.61 eq 3389

Re: VLAN question

I'm a little confused. The ace that you posted here would only allow 10.0.0.0/24 (10.0.0.1, 10.0.0.103, etc.)

What are the actual subnets on vlan 8, and what subnet are you coming from?

Oh, and what direction are these acls applied to on the svi?

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

That should have been 10.10.0.0 network.

But wouldn't that be correct? I only want to allow RDP from anything on the 10.10.0.0 network to that specific host.

Right now my ip is 10.10.0.8, I'm on VLAN10. I want to RDP to 10.70.0.61 which is on VLAN8.

Re: VLAN question

Yes, it would be correct, but it could change depending on the direction that your acl is applied in. Is the ACL on vlan 8 or 10 applied outbound?

Try this acl on vlan 8:

access-list 108 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389

On your vlan 10:

access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389

Vlan 8 is assumed outbound. If your acl is applied inbound, you would need to switch it:

access-list 108 permit tcp host 10.70.0.61 eq 3389 10.10.0.0 0.0.0.255

Oh, and if you add the access-list line without modifying your whole list, it will add to the end of the line. That means that if something is blocking the traffic before it gets to the line that should allow it, it will stop processing the ACL and will never get to your line. When working with these acls, it's best to copy the complete acl, paste into notepad, make your changes, del the current acl, and then paste your "changed" acl back in. You can't add a line to this type of acl in the middle of the list without modifying it all.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

VLAN8 is indeed outbound. We tried the ACLs you gave above but with no success.

My other tech added the lines to the ACL by giving them a number (ex 75 and then the ACL commands) so this put them at a certain spot instead of the end of the ACL.

Question I have, I thought that he would have to do a write mem command after adding these so they would be in the running config, but he is telling me that he doesn't need to. Would that command need to be run?

Thanks!

Re: VLAN question

Numbered access lists won't let you insert lines, so you're using a named acl? I need to see the config of the SVIs on your switch. Can you post the output of both the interfaces for the vlans that you're trying to send data between?

Oh, and the changes are immediate. You don't have to write it to take effect.

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

John,

Here is what I have for the two VLAN interfaces.

Thanks for all your help!

Re: VLAN question

Try this:

Under ACL 108:

permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 3389

Under ACL 101:

permit tcp 10.70.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 3389

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Still no go.

Community Member

Re: VLAN question

Here are what the VLAN configs look like now after adding the lines you gave me.

Re: VLAN question

Are you using MS Remote Desktop client? I don't see any hits on the acl at all.

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Yes, using RDP client in Windows. Tried it so far from server (Windows 2003) and from laptop (Windows Vista). Neither will connect. Vista machine when attached to 10.70.0.0 network will connect via RDP just fine to 10.70.0.61 client machine.

Re: VLAN question

What does the rest of your topology look like? Are you connected directly to this switch as well as the server connected directly to the switch? Is there a firewall in between you and the server? You should be seeing hits on the ACL. You *could* put at the top of your ACL "permit ip any any" and if that doesn't work, then something else is your problem (a device in between, another router, etc.).

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

If we put that permit ip any any in the ACL would that need to be in both VLAN8 and VLAN10 ACLs?

I'll post more on the topology shortly.

Re: VLAN question

I would test it like that for both sides. Instead of that try:

permit tcp any any eq 3389 log

at the top of your acl and see what your source and destination shows as in the log. I'm curious as to why you don't see any hits at all on your acl that you currently have now.

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Stupid question but how will I view that log?

Re: VLAN question

"Show log" or if you telnet into the router, you can do:

term mon

Then you can try to connect and see if your traffic is being allowed or denied. If you have a lot of traffic going through that svi and you're allowing everything, then you'll get a lot of traffic across the screen that you'll have to filter through. If you don't want to do that, it will just log to the buffer of the switch.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

I tried adding the ACL that you gave me and still nothing. Do I need to set up logging on the switch in order to see the hits on the ACL?

As far as a firewall between the server and PC, I don't think so. But I've attached the IP routes that are set up on the switch. Notice the last line. It has a static route to the PIX (10.1.0.253). Does that mean that traffic from VLAN 10 to VLAN 8 is going through the PIX?

Community Member

Re: VLAN question

I was looking at the logs for the PIX. They are capturing all denied entries and I didn't see anything from the IP addresses that we are dealing with.

However, when I looked at the logging on the 3560 switch it shows the following lines:

list 108 permitted tcp 10.10.0.241(59186) -> 10.70.0.61(3389), 1 packet

list 108 permitted tcp 10.10.0.3(2285) -> 10.70.0.61(3389), 2 packets

So it looks like the RDP traffic is being passed through. However, do you know why it shows a different port number on the VLAN 10 side? Shouldn't that be 3389 as well?
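An added worked example (not from this thread or from Cisco) that models how an IOS ACL evaluates the lines John suggested above: first match wins, wildcard masks, and the implicit deny at the end. It uses the exact packet from the `list 108 permitted` log line (59186 is simply the client's randomly chosen source port; 3389 is only the destination port on the server side) and shows why a permit appended after a broader deny never matches and why an ACL applied inbound on vlan 8 must match 3389 as the *source* port of the reply. The ACL text and packets are constructed for illustration.

```python
# Toy model of Cisco IOS ACL evaluation (constructed example, not Cisco code).
import ipaddress

def wild_match(addr, base, wildcard):
    """Wildcard masks are inverted netmasks: a 1 bit means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(t):
    """Consume 'any' | 'host X' | 'X WILDCARD', then an optional 'eq PORT'."""
    tok = t.pop(0)
    spec = (("0.0.0.0", "255.255.255.255") if tok == "any"
            else (t.pop(0), "0.0.0.0") if tok == "host" else (tok, t.pop(0)))
    port = int(t.pop(1)) if t[:1] == ["eq"] else None
    if port is not None:
        del t[0]           # drop the 'eq' keyword
    return spec, port

def parse_ace(line):
    """Parse one entry of the form 'permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, sport = _addr(t)
    dst, dport = _addr(t)
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    """First matching ACE wins; no match hits the implicit deny at the end."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wild_match(pkt["src"], *src) and wild_match(pkt["dst"], *dst)):
            continue
        if sport not in (None, pkt["sport"]) or dport not in (None, pkt["dport"]):
            continue
        return action, line
    return "deny", "implicit deny"

def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}
RDP_SYN = tcp("10.10.0.241", 59186, "10.70.0.61", 3389)    # as in the switch log
RDP_REPLY = tcp("10.70.0.61", 3389, "10.10.0.241", 59186)  # server's SYN-ACK back
ACL_108_OUT = ["permit tcp 10.10.0.0 0.0.0.255 host 10.70.0.61 eq 3389"]
# Same permit appended after a broader deny: never reached (first match wins).
ACL_108_SHADOWED = ["deny ip 10.10.0.0 0.0.255.255 any"] + ACL_108_OUT
# Inbound on vlan 8 the ACL sees the reply, so 3389 must be the SOURCE port.
ACL_108_IN_WRONG = ["permit tcp host 10.70.0.61 10.10.0.0 0.0.0.255 eq 3389"]
ACL_108_IN = ["permit tcp host 10.70.0.61 eq 3389 10.10.0.0 0.0.0.255"]
```

Running `evaluate(ACL_108_SHADOWED, RDP_SYN)` returns the deny line, which is the "never gets to your line" situation John describes, and `evaluate(ACL_108_IN_WRONG, RDP_REPLY)` falls through to the implicit deny.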

Re: VLAN question

Can you post your complete switch config? Do you have a topology? This is turning out more involved than it should've been :-)

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Yes, here is the config. I don't have a topology, sorry!

Re: VLAN question

Yes, please remove anything public including passwords, addresses. You may want to leave the first octet so I'll know the address is public-ish:

99.x.x.x x.x.x.x

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VLAN question

Sorry, forgot to attach.
