Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
422
Views
0
Helpful
4
Replies

Access-List Question ??????

Rodney-roberts
Level 1
Level 1

‎01-02-2007 01:00 PM - edited ‎02-20-2020 09:38 PM

i have a vendor connected network that needs connection to file sharing to one host and Radmin (Remote Control) access from our enterprise citrix farm. i have this access which works fine, but i would like to make it smaller Especially when it comes to the TCP/UDP port 4899 return traffic Lines (4 and 5) the retun traffic can be any port i've seen everthing from 3200 to 4400. any suggestions??? and would the established keyword help me here?

ip access-list extended GTA-TALKINGBUS

deny ip host 10.30.0.40 host 10.30.6.14

remark ^ deny access to Market ^

permit tcp 10.30.6.0 0.0.0.255 any eq 4899

permit udp 10.30.6.0 0.0.0.255 any eq 4899

permit ip host 10.30.0.40 10.30.6.0 0.0.0.255

remark ^ Radmin ^

permit icmp any any

remark ^ Ping ^

permit ip host 10.5.5.186 any

permit ip host 10.30.0.40 host 10.5.5.186

remark ^ All traffic ^

permit tcp any any eq domain

permit udp any any eq domain

remark ^ DNS ^

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎01-02-2007 02:13 PM

Rodney

It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? And I assume that the access list is being applied as an outbound list. Is that correct?

I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list?

The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help.

I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do.

Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions.

HTH

Rick

HTH

Rick
0 Helpful

Rodney-roberts
Level 1
Level 1
In response to Richard Burts

‎01-02-2007 02:32 PM

Q "It is not clear what platform you are using this access list on. I assume that it is a router rather than some other device. Is that correct? "

A - Correct this access list is being applied to a router card in a 6500.

Q "I am slightly confused about some parts of the access list and how it is to be applied. In several statements 10.30.6 seems to be the source address subnet and in some others 10.30.6 is the destination subnet. How can the same subnet be source in some statements and destination in other statements in the same access list? "

A - This access list is applied on the inside interface of the vlan that the 10.30.0.32/28 network lives; And the origanil access list only had the 10.30.6.0 /24 network as the source, so lines 2,6,and 10 where not there. but i wasn't able to restrict/allow the traffic i needed to.

Q " The established keyword might help you with the TCP traffic but will not help at all with UDP traffic (if you really need the UDP). And established would be helpful if the connection was initiated from inside your network and responses were coming from outside. But given the way that remote administration usually works I suspect that the sessions are initiated from outside and the responses are coming from inside. In this case established is not much help."

A - I figured that was the case but i thought i would give it a try.

Q " I also wonder about port 4899. Your access list treats it as the destination port. If my guess is correct that 10.30.6 is the subnet of your citrix farm then it seems to me more logical that 4899 would be the source port than the destination port. But you probably know your environment better than I do. "

A - your right on that 4899 being the destination port, i never noticed that before, it should be the source port. that could be the soruce of my problem :) i'll fix that ASAP and test it!!!

Perhaps you can clarify some of the questions that I have raised and then we might get closer to answers to your questions.

Thank Rick, i'll get back to you soon.

0 Helpful

Rodney-roberts
Level 1
Level 1
In response to Rodney-roberts

‎01-02-2007 02:42 PM

Rick i tried that with out success, any more suggestions?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Rodney-roberts

‎01-03-2007 08:00 AM

Rodney

If lines 2, 6, and 10 were added and were incorrect have you removed them or corrected them (or left them alone)?

It would be helpful if you post the current version of the access list so we can see what changes have been made. It would also be helpful to have a fresh statement of what you are trying to accomplish/what is not working as desired in the access list.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents