Solved

How to open port 3389 on cisco 3560 ?

Posted on 2009-03-30
8
1,666 Views
Last Modified: 2012-06-27
Hello,

I'm starting to lose my mind on this one.
I have cisco L3 switch 3560, and I'm trying to apply some access-maps on Vlan 100, some sort of DMZ.
I don't understand how this works so I'll give the example what works whit me and what doesn't. I'll kindly ask You to explain me what am I doing wrong and where is the catch ?
I want to enable only RDP from one host to another ,192.168.2.77 to 192.168.1.2 , and vice-versa.
This is the access-map what is applied on VLAN 100 with vlan filter command:

Vlan access-map "dmz"  10
  Match clauses:
    ip  address: server
  Action:
    forward
Vlan access-map "crm"  20
  Match clauses:
    ip  address: all
  Action:
    drop

Access lists :
SERVER
10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2
40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389
ALL
10 permit ip any any

OK, so this combination works. Why do I have to putt  statement for source port and also destination port?
Also why is not working just in one way, for example RDP only from server 192.168.1.2 to 192.168.2.77.

10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389

With this kind of command I would have to be able to remote connect (RDP) only from 192.168.1.2 to 192.168.2.77, but NOT vice-versa, isn't that right ? That's not working.
What am I doing wrong ?

Thanks in advance!

Regards ,
eLeL

 
0
Comment
Question by:EXOR-ZG
  • 4
  • 4
8 Comments
 
LVL 7

Expert Comment

by:egyptco
Comment Utility
OK, so this combination works. Why do I have to putt  statement for source port and also destination port?

basically your switch can't inspect the traffic statefully and access-map understands no direction. so you need to specify the return traffic either and that's why you need source and destination address.

your access-map "crm" allows everything and makes all other traffic filtering irrelevant

0
 
LVL 7

Expert Comment

by:egyptco
Comment Utility
oh... it is action drop. it doesn't allows everything but drop it. why so you need this "crm" at all?
0
 

Author Comment

by:EXOR-ZG
Comment Utility
hi,

I'm testing access-map to filter specific traffic for specific VLAN because we will put server in that VLAN and let other firm work only on that server. So we want to allow only RDP, DC authentication, and maybe some other ports that I forgot. So I was wondering why is that not working like I thought it will work. I'm CCNA, but we worked only on router ACLs, so this access-maps are new to me:-)

Do you have some advices on opening ports for LDAP authentication ?

tnx,
eLeL
0
 
LVL 7

Accepted Solution

by:
egyptco earned 150 total points
Comment Utility
hi,

I've never used vacl to filter traffic you might find a good example here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

it seems it is like the good old acls but with the differents that VACLs are not defined by direction (ingress or egress). so i guess you should pay attention to define the return traffic as well thats why you need to specify source and destination ports if you're playing to restrictive. so back with the example with RDP in order to allow session from server 192.168.1.2 to 192.168.2.77 you need those lines:
permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389  <-initiating rdp
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2  <-return traffic

it shouldn't work in the opposite direction (rdp from 192.168.2.77 to 192.168.1.2) but i'm not sure. as i said never used that. let me know if my theory is right:)

i have neither experience with ldap. but it seems you should open 389/tcp for ldap:// sessions and port 636/tcp for ldaps://) sessions
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:EXOR-ZG
Comment Utility

Thnx for your effort in helping me on this problem. That hint about vlan maps not knowing direction cleared some questions that I had.
I'll let you know if your suggestion worked , for one way.

I'll give you 100 points , maybe somebody else have something to say on our conversation.
 

0
 

Author Comment

by:EXOR-ZG
Comment Utility
Correction, i can't do that with points :-), i'll wait for some time, and if no posts, all points to you.

O&O
0
 
LVL 7

Expert Comment

by:egyptco
Comment Utility
no pro.. instead of giving me points i'll be glad if you only  post some resaults of your tests. i have no test l3 switch to play with vacls;)
0
 

Author Comment

by:EXOR-ZG
Comment Utility
Hi,

I finally catch some time to test your suggestion and it works fine.  
Like I already said, you cleared me whole thing with ''not knowing direction''.

tnx.
Bye
eLeL
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now