I need to apply access lists to this router that will allow anything inside to access the server entirely, but limit the ports that the server can access, such as terminal server. I created an access list with the ports that I wanted to allow in, such as this:
access-list 101 permit tcp 10.69.69.0 0.0.0.255 any eq 3389 log
and ended the access list with deny ip any any. When I am on the server I can use terminal server no problem, but if I try to connect to the terminal server that is on the outside server from inside, it does not work. It seems to change the destination port and therefore gets blocked by the ACL. Is this what is happening?
Do you have anything in your ACL allowing source port 3389 packets to go through? Something like this:
access-list 101 permit tcp 10.69.69.0 0.0.0.255 eq 3389 any log
It sounds to me like you need to find a way to dynamically allow return packets to your inside hosts when they generate the traffic. You can do this a few ways. Have you considered using CBAC which is part of the FW feature set? Or as another option, reflexive access-lists? CBAC will do a more complete job but will probably require an IOS upgrade to the FW feature set. If this is not possible, take a look at reflexive access-lists and see if this helps. This feature has holes (specifically with ftp and other protocols that open up dynamic return ports) but might work in a simple environment:
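As an added example of the reflexive access-list approach mentioned above (this is not configuration from the thread), the following keeps the poster's static rule for server-to-inside RDP and dynamically admits only the return half of sessions that inside hosts start, so the reply packets with source port 3389 and an ephemeral destination port are no longer dropped. The interface name GigabitEthernet0/1 (facing the 10.69.69.0/24 server network), the ACL names and the timeouts are assumptions; reflexive entries require named extended ACLs, which is why the numbered list 101 is replaced.

```cisco
! Added example, not from the original thread. Assumptions: Gi0/1 faces
! the server network 10.69.69.0/24; ACL names and timeouts are illustrative.
!
! Outbound (inside -> server): each permitted session is mirrored into the
! temporary list RETURN-TRAFFIC (addresses and ports swapped) for a limited
! time, so only traffic answering an inside-initiated connection gets back in.
ip access-list extended OUTBOUND
 permit tcp any 10.69.69.0 0.0.0.255 reflect RETURN-TRAFFIC timeout 300
 permit udp any 10.69.69.0 0.0.0.255 reflect RETURN-TRAFFIC timeout 60
 permit icmp any 10.69.69.0 0.0.0.255 reflect RETURN-TRAFFIC
!
! Inbound (server -> inside): the poster's static RDP rule first, then the
! mirrored return entries, then an explicit logged deny for everything else.
ip access-list extended INBOUND
 permit tcp 10.69.69.0 0.0.0.255 any eq 3389 log
 evaluate RETURN-TRAFFIC
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Default lifetime for reflexive entries that carry no explicit timeout.
ip reflexive-list timeout 120
```

While an inside host has an RDP session open to the server, `show access-lists` displays the temporary RETURN-TRAFFIC entry (source port 3389, the host's ephemeral destination port) that the evaluate line admits; as the answer notes, protocols that negotiate extra data channels, such as active FTP, are not covered by this mirroring.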