Solved

How to open port 3389 on Cisco 3560?

Posted on 2009-03-30
8
1,738 Views
Last Modified: 2012-06-27
Hello,

I'm starting to lose my mind on this one.
I have a Cisco L3 switch, a 3560, and I'm trying to apply some access-maps on VLAN 100, some sort of DMZ.
I don't understand how this works, so I'll give an example of what works for me and what doesn't. I'll kindly ask you to explain to me what I am doing wrong and where the catch is.
I want to enable only RDP from one host to another, 192.168.2.77 to 192.168.1.2, and vice versa.
This is the access-map that is applied on VLAN 100 with the vlan filter command:

Vlan access-map "dmz"  10
  Match clauses:
    ip  address: server
  Action:
    forward
Vlan access-map "crm"  20
  Match clauses:
    ip  address: all
  Action:
    drop

Access lists:
SERVER
10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2
40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389
ALL
10 permit ip any any

OK, so this combination works. Why do I have to put a statement for the source port and also for the destination port?
Also, why is it not working in just one way, for example RDP only from server 192.168.1.2 to 192.168.2.77?

10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389

With this kind of command I should be able to connect remotely (RDP) only from 192.168.1.2 to 192.168.2.77, but NOT vice versa, isn't that right? That's not working.
What am I doing wrong?

Thanks in advance!

Regards,
eLeL

Question by:EXOR-ZG
8 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24017665
OK, so this combination works. Why do I have to put a statement for the source port and also for the destination port?

Basically, your switch can't inspect the traffic statefully and the access-map understands no direction, so you need to specify the return traffic as well, and that's why you need source and destination addresses.

Your access-map "crm" allows everything and makes all other traffic filtering irrelevant.

0
 
LVL 7

Expert Comment

by:egyptco
ID: 24017678
Oh... it is action drop. It doesn't allow everything, it drops it. So why do you need this "crm" at all?
0
 

Author Comment

by:EXOR-ZG
ID: 24018209
hi,

I'm testing access-maps to filter specific traffic for a specific VLAN, because we will put a server in that VLAN and let another firm work only on that server. So we want to allow only RDP, DC authentication, and maybe some other ports that I forgot. So I was wondering why that is not working like I thought it would. I'm a CCNA, but we worked only on router ACLs, so these access-maps are new to me :-)

Do you have any advice on opening ports for LDAP authentication?

Thanks,
eLeL
0

 
LVL 7

Accepted Solution

by:
egyptco earned 150 total points
ID: 24018985
hi,

I've never used VACLs to filter traffic; you might find a good example here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

It seems it is like the good old ACLs, but with the difference that VACLs are not defined by direction (ingress or egress). So I guess you should pay attention to defining the return traffic as well; that's why you need to specify source and destination ports if you're playing too restrictive. So back to the example with RDP: in order to allow a session from server 192.168.1.2 to 192.168.2.77 you need these lines:
permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389  <- initiating RDP
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2  <- return traffic

It shouldn't work in the opposite direction (RDP from 192.168.2.77 to 192.168.1.2), but I'm not sure. As I said, I've never used that. Let me know if my theory is right :)

I have no experience with LDAP either, but it seems you should open 389/tcp for ldap:// sessions and 636/tcp for ldaps:// sessions.
0
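The "no direction, no state" behaviour egyptco describes above, as an added example that is not code from this thread or from Cisco: a small Python model of how the posted ACL entries are evaluated against the two halves of a TCP session. It parses only the `permit/deny tcp host A [eq P] host B [eq P]` form used in the thread, applies first-match-wins, and treats the access-map's final "ip address: all / drop" clause as an implicit drop. The addresses and ports are the thread's; the client's ephemeral port 51234 is a constructed value.

```python
"""Stateless model of the VACL entries discussed in this thread.

Added example, not code from the original thread or from Cisco. It models
only what the answer relies on: an ordered list of entries in the syntax the
poster used ("permit tcp host A [eq P] host B [eq P]"), first match wins,
and the access-map's final "match ip address all / action drop" clause,
which becomes an implicit drop here. The client port 51234 is constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str              # "permit" or "deny"
    src: str                 # source host address
    src_port: Optional[int]  # None = any source port
    dst: str                 # destination host address
    dst_port: Optional[int]  # None = any destination port


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# Only the "tcp host ... [eq N] host ... [eq N]" form from the thread is parsed;
# an optional leading sequence number (10, 20, ...) is accepted and ignored.
ACE_RE = re.compile(
    r"^(?:\d+\s+)?(permit|deny)\s+tcp\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?$"
)


def parse_ace(line: str) -> Ace:
    """Parse one ACL line into an Ace, or raise on syntax this model lacks."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, src, sp, dst, dp = m.groups()
    return Ace(action, src, int(sp) if sp else None, dst, int(dp) if dp else None)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An entry matches when every field it constrains equals the packet's."""
    return (ace.src == pkt.src and ace.dst == pkt.dst
            and (ace.src_port is None or ace.src_port == pkt.sport)
            and (ace.dst_port is None or ace.dst_port == pkt.dport))


def vacl_forwards(aces: List[Ace], pkt: Packet) -> bool:
    """Map clause 10 forwards on a permit; anything unmatched hits the drop clause.

    There is no direction and no connection state: the same list is consulted
    for every frame crossing the VLAN, whichever host sent it.
    """
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def rdp_session(client: str, server: str, client_port: int = 51234) -> Tuple[Packet, Packet]:
    """The two directions of one RDP session: SYN to 3389 and the reply from 3389."""
    return (Packet(client, client_port, server, 3389),
            Packet(server, 3389, client, client_port))


def session_allowed(aces: List[Ace], client: str, server: str) -> bool:
    """An RDP session only works when both directions get through the VACL."""
    return all(vacl_forwards(aces, p) for p in rdp_session(client, server))


# The poster's working four-line ACL "SERVER": both roles, both directions.
SERVER_BOTH_WAYS = [parse_ace(l) for l in (
    "10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77",
    "20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389",
    "30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2",
    "40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389",
)]

# The poster's first one-way attempt: both lines cover traffic *sent by*
# 192.168.1.2 only (as a server replying from 3389, or as a client to 3389).
# Nothing sent back by 192.168.2.77 is permitted, so no session completes.
ONE_WAY_BROKEN = [parse_ace(l) for l in (
    "10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77",
    "20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389",
)]

# The accepted answer: the initiating line plus the return-traffic line.
ONE_WAY_FIXED = [parse_ace(l) for l in (
    "permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389",  # initiating RDP
    "permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2",  # return traffic
)]


if __name__ == "__main__":
    for name, acl in (("SERVER", SERVER_BOTH_WAYS), ("broken", ONE_WAY_BROKEN),
                      ("fixed", ONE_WAY_FIXED)):
        print(f"{name:7} 1.2->2.77: {session_allowed(acl, '192.168.1.2', '192.168.2.77')}"
              f"  2.77->1.2: {session_allowed(acl, '192.168.2.77', '192.168.1.2')}")
```

Running it shows the four-line ACL allowing sessions both ways, the poster's two-line attempt allowing neither (the reply from 192.168.2.77's port 3389 is never permitted), and the accepted answer allowing exactly the 192.168.1.2 to 192.168.2.77 session. The model also exposes the price of a stateless filter: the return-traffic line `permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2` permits any TCP segment whose source port is 3389, so a process on 192.168.2.77 that binds source port 3389 can reach any port on 192.168.1.2. That is inherent to matching on ports without connection state, not a flaw in the answer; a stateful firewall, not a VACL, is the tool if that matters in your DMZ.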
 

Author Comment

by:EXOR-ZG
ID: 24019167

Thanks for your effort in helping me with this problem. That hint about VLAN maps not knowing direction cleared up some questions that I had.
I'll let you know if your suggestion worked for one way.

I'll give you 100 points; maybe somebody else has something to say on our conversation.
 

0
 

Author Comment

by:EXOR-ZG
ID: 24019209
Correction, I can't do that with points :-). I'll wait for some time, and if there are no posts, all points to you.

O&O
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24019744
No problem. Instead of giving me points, I'll be glad if you just post some results of your tests. I have no test L3 switch to play with VACLs ;)
0
 

Author Comment

by:EXOR-ZG
ID: 24047902
Hi,

I finally caught some time to test your suggestion, and it works fine.
Like I already said, you cleared up the whole thing for me with "not knowing direction".

Thanks.
Bye
eLeL
0
