Cisco Support Community

New Member

Access-List Question ??????

I have a vendor-connected network that needs a connection for file sharing to one host and Radmin (remote control) access from our enterprise Citrix farm. I have this access, which works fine, but I would like to make it smaller, especially when it comes to the TCP/UDP port 4899 return traffic (lines 4 and 5). The return traffic can be on any port; I've seen everything from 3200 to 4400. Any suggestions? And would the established keyword help me here?

ip access-list extended GTA-TALKINGBUS
 deny ip host 10.30.0.40 host 10.30.6.14
 remark ^ deny access to Market ^
 permit tcp 10.30.6.0 0.0.0.255 any eq 4899
 permit udp 10.30.6.0 0.0.0.255 any eq 4899
 permit ip host 10.30.0.40 10.30.6.0 0.0.0.255
 remark ^ Radmin ^
 permit icmp any any
 remark ^ Ping ^
 permit ip host 10.5.5.186 any
 permit ip host 10.30.0.40 host 10.5.5.186
 remark ^ All traffic ^
 permit tcp any any eq domain
 permit udp any any eq domain
 remark ^ DNS ^

4 REPLIES
Hall of Fame Super Silver

Re: Access-List Question ??????

Rodney

It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? And I assume that the access list is being applied as an outbound list. Is that correct?

I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list?

The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help.

I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do.

Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions.

HTH

Rick
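An added example, not code from the thread, to illustrate the two points Rick raises: a small evaluator for the subset of Cisco extended ACL syntax used in the posted list, showing that `eq 4899` after the destination address only matches packets whose destination port is 4899 (return traffic with source port 4899 falls through to the implicit deny), and that `established` only ever applies to TCP. The addresses and ephemeral port in the checks are constructed from the thread's subnets; the module's function names are its own.

```python
import ipaddress

# Constructed example, not code from the thread: a minimal evaluator for the
# subset of Cisco extended ACL syntax used above (any/host/wildcard, eq,
# established). Non-contiguous wildcard masks and port ranges are not handled.

def _wild_to_net(addr, wild):
    # A Cisco wildcard mask is the bitwise inverse of a netmask (contiguous only)
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_entry(line):
    """permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [established]"""
    t = line.split()
    i, nets, ports = 2, [], []
    for _ in range(2):  # source side, then destination side
        if t[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif t[i] == "host":
            net, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        else:
            net, i = _wild_to_net(t[i], t[i + 1]), i + 2
        port = None
        if i < len(t) and t[i] == "eq":  # names like "domain" are kept as strings
            port, i = (int(t[i + 1]) if t[i + 1].isdigit() else t[i + 1]), i + 2
        nets.append(net)
        ports.append(port)
    return {"action": t[0], "proto": t[1], "src": nets[0], "sport": ports[0],
            "dst": nets[1], "dport": ports[1], "established": "established" in t[i:]}

def _port_ok(want, got):
    return want is None or want == got

def lookup(acl, proto, src, sport, dst, dport, ack=False):
    """Action of the first matching entry; otherwise the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto) or s not in e["src"] or d not in e["dst"]:
            continue
        if not (_port_ok(e["sport"], sport) and _port_ok(e["dport"], dport)):
            continue
        if e["established"] and not (proto == "tcp" and ack):
            continue  # established = ACK/RST set, i.e. not the first SYN; TCP only
        return e["action"]
    return "deny"

# Entry as posted (port on the destination side) versus the port on the source side.
POSTED = [parse_entry("permit tcp 10.30.6.0 0.0.0.255 any eq 4899")]
FIXED = [parse_entry("permit tcp 10.30.6.0 0.0.0.255 eq 4899 any")]
```

Running `lookup` over the whole posted list with a packet in each direction shows which line (if any) a given Radmin packet actually hits, which is the quickest way to see whether the port belongs on the source or destination side before changing the live ACL.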

New Member

Re: Access-List Question ??????

Q "It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? "

A - Correct, this access list is being applied to a router card in a 6500.

Q "I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list? "

A - This access list is applied on the inside interface of the VLAN that the 10.30.0.32/28 network lives in, and the original access list only had the 10.30.6.0/24 network as the source, so lines 2, 6, and 10 were not there. But I wasn't able to restrict/allow the traffic I needed to.

Q " The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help."

A - I figured that was the case, but I thought I would give it a try.

Q " I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do. "

A - You're right about 4899 being the destination port; I never noticed that before. It should be the source port. That could be the source of my problem :) I'll fix that ASAP and test it!!!

Q "Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions."

Thanks Rick, I'll get back to you soon.

New Member

Re: Access-List Question ??????

Rick, I tried that without success. Any more suggestions?

Hall of Fame Super Silver

Re: Access-List Question ??????

Rodney

If lines 2, 6, and 10 were added and were incorrect have you removed them or corrected them (or left them alone)?

It would be helpful if you post the current version of the access list so we can see what changes have been made. It would also be helpful to have a fresh statement of what you are trying to accomplish/what is not working as desired in the access list.

HTH

Rick
