01-02-2007 01:00 PM - edited 02-20-2020 09:38 PM
I have a vendor-connected network that needs a file-sharing connection to one host and Radmin (Remote Control) access from our enterprise Citrix farm. I have this access, which works fine, but I would like to make it smaller, especially when it comes to the TCP/UDP port 4899 return traffic (lines 4 and 5). The return traffic can be any port; I've seen everything from 3200 to 4400. Any suggestions? And would the established keyword help me here?
ip access-list extended GTA-TALKINGBUS
deny ip host 10.30.0.40 host 10.30.6.14
remark ^ deny access to Market ^
permit tcp 10.30.6.0 0.0.0.255 any eq 4899
permit udp 10.30.6.0 0.0.0.255 any eq 4899
permit ip host 10.30.0.40 10.30.6.0 0.0.0.255
remark ^ Radmin ^
permit icmp any any
remark ^ Ping ^
permit ip host 10.5.5.186 any
permit ip host 10.30.0.40 host 10.5.5.186
remark ^ All traffic ^
permit tcp any any eq domain
permit udp any any eq domain
remark ^ DNS ^
01-02-2007 02:13 PM
Rodney
It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? And I assume that the access list is being applied as an outbound list. Is that correct?
I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list?
The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help.
I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do.
Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions.
HTH
Rick
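To make Rick's two points concrete (established only ever matches TCP segments with ACK or RST set, so it cannot help UDP, and a reply to a Radmin session carries 4899 as its source port, not its destination port), here is a small Python model of how an IOS extended ACL evaluates packets. This is an added illustration, not configuration from this thread and not a full IOS implementation: it models first-match semantics, the implicit deny, address/wildcard matching and the established test. The subnets and ports come from the thread; the direction (10.30.0.40 opens the session to a Radmin listener on 10.30.6.0/24 port 4899, so replies flow from 10.30.6.x:4899 to an ephemeral port on 10.30.0.40), the host 10.30.6.20 and the ephemeral port 3456 are assumptions made for the sample packets.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; set on every segment of a session except the first SYN
    rst: bool = False   # TCP RST flag


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: permit/deny proto src dst [eq sport] [eq dport] [established]."""
    action: str
    proto: str                   # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None  # "eq" source port; None means any
    dport: Optional[int] = None  # "eq" destination port; None means any
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # `established` only matches TCP segments with ACK or RST set, so an
        # unsolicited SYN fails it and a UDP datagram can never satisfy it.
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def evaluate(acl: list[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def wild(addr: str, wildcard: str) -> IPv4Network:
    """Cisco address/wildcard notation -> network (a wildcard is an inverted mask)."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)


ANY = IPv4Network("0.0.0.0/0")
FARM = wild("10.30.6.0", "0.0.0.255")        # subnet from the thread
VENDOR_HOST = wild("10.30.0.40", "0.0.0.0")  # host from the thread

# Lines 4 and 5 as posted: 4899 is tested as the DESTINATION port and the
# destination address is "any".
AS_POSTED = [
    Ace("permit", "tcp", FARM, ANY, dport=4899),
    Ace("permit", "udp", FARM, ANY, dport=4899),
]

# Tightened version under the assumed direction: replies carry 4899 as the
# SOURCE port and an ephemeral destination port. `established` restricts the
# TCP line to reply segments; UDP has no flags, so its line can only pin the
# source port and destination host.
TIGHTENED = [
    Ace("permit", "tcp", FARM, VENDOR_HOST, sport=4899, established=True),
    Ace("permit", "udp", FARM, VENDOR_HOST, sport=4899),
]


def demo() -> dict[str, str]:
    """Constructed sample packets, all in the 10.30.6.x -> 10.30.0.40 direction."""
    tcp_reply = Packet("tcp", "10.30.6.20", "10.30.0.40", sport=4899, dport=3456, ack=True)
    tcp_unsolicited = Packet("tcp", "10.30.6.20", "10.30.0.40", sport=4899, dport=3456)
    udp_reply = Packet("udp", "10.30.6.20", "10.30.0.40", sport=4899, dport=3456)
    return {
        "tcp_reply_as_posted": evaluate(AS_POSTED, tcp_reply),                # deny: dport 3456 != 4899
        "tcp_reply_tightened": evaluate(TIGHTENED, tcp_reply),                # permit
        "tcp_unsolicited_tightened": evaluate(TIGHTENED, tcp_unsolicited),    # deny: no ACK/RST
        "udp_reply_tightened": evaluate(TIGHTENED, udp_reply),                # permit (an unsolicited datagram would match too)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The last result is the UDP caveat Rick raises: with no flags to test, the UDP line admits any datagram from port 4899 to 10.30.0.40, solicited or not, so if UDP is not actually needed for Radmin the line is better removed than tightened.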
01-02-2007 02:32 PM
Q "It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? "
A - Correct, this access list is being applied to a router card in a 6500.
Q "I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list? "
A - This access list is applied on the inside interface of the VLAN that the 10.30.0.32/28 network lives in. The original access list only had the 10.30.6.0/24 network as the source, so lines 2, 6, and 10 were not there, but I wasn't able to restrict/allow the traffic I needed to.
Q " The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help."
A - I figured that was the case, but I thought I would give it a try.
Q " I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do. "
A - You're right about 4899 being the destination port; I never noticed that before. It should be the source port. That could be the source of my problem :) I'll fix that ASAP and test it!!!
Q "Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions."
Thanks Rick, I'll get back to you soon.
01-02-2007 02:42 PM
Rick, I tried that without success. Any more suggestions?
01-03-2007 08:00 AM
Rodney
If lines 2, 6, and 10 were added and were incorrect have you removed them or corrected them (or left them alone)?
It would be helpful if you post the current version of the access list so we can see what changes have been made. It would also be helpful to have a fresh statement of what you are trying to accomplish/what is not working as desired in the access list.
HTH
Rick