Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL Question

First let me draw a diagram

server---Router 2691---LAN

I need to apply access lists to this router that will allow anything inside access the server entirely, but limit the ports that the server can access such as terminal server. I created an access list with the ports that I wanted to allow in such as this: access-list 101 permit any eq 3389 log

and ended the access list with deny ip any any. When I am on the server I can use terminal server no problem, but if I try to connect to the terminal server that is on the outside server from inside it does not work. it seems to change the destination port and there for gets blocked by the acl. Is this what is happening?

access-list dmz-in denied tcp ->, 1 packe




Re: ACL Question


Do you have anything in your ACL allowing source port 3389 packets to go through? Something like this:

access-list 101 permit eq 3389 any log

It sounds to me like you need to find a way to dynamically allow return packets to your inside hosts when they generate the traffic. You can do this a few ways. Have you considered using CBAC which is part of the FW feature set? Or as another option, reflexive access-lists? CBAC will do a more complete job but will probably require an IOS upgrade to the FW feature set. If this is not possible, take a look at reflexive access-lists and see if this helps. This feature has holes (specifically with ftp and other protocols that open up dynamic return ports) but might work in a simple environment:


CreatePlease to create content