• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1810
  • Last Modified:

How to open port 3389 on cisco 3560 ?

Hello,

I'm starting to lose my mind on this one.
I have cisco L3 switch 3560, and I'm trying to apply some access-maps on Vlan 100, some sort of DMZ.
I don't understand how this works so I'll give the example what works whit me and what doesn't. I'll kindly ask You to explain me what am I doing wrong and where is the catch ?
I want to enable only RDP from one host to another ,192.168.2.77 to 192.168.1.2 , and vice-versa.
This is the access-map what is applied on VLAN 100 with vlan filter command:

Vlan access-map "dmz"  10
  Match clauses:
    ip  address: server
  Action:
    forward
Vlan access-map "crm"  20
  Match clauses:
    ip  address: all
  Action:
    drop

Access lists :
SERVER
10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2
40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389
ALL
10 permit ip any any

OK, so this combination works. Why do I have to putt  statement for source port and also destination port?
Also why is not working just in one way, for example RDP only from server 192.168.1.2 to 192.168.2.77.

10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389

With this kind of command I would have to be able to remote connect (RDP) only from 192.168.1.2 to 192.168.2.77, but NOT vice-versa, isn't that right ? That's not working.
What am I doing wrong ?

Thanks in advance!

Regards ,
eLeL

 
0
EXOR-ZG
Asked:
EXOR-ZG
  • 4
  • 4
1 Solution
 
egyptcoCommented:
OK, so this combination works. Why do I have to putt  statement for source port and also destination port?

basically your switch can't inspect the traffic statefully and access-map understands no direction. so you need to specify the return traffic either and that's why you need source and destination address.

your access-map "crm" allows everything and makes all other traffic filtering irrelevant

0
 
egyptcoCommented:
oh... it is action drop. it doesn't allows everything but drop it. why so you need this "crm" at all?
0
 
EXOR-ZGAuthor Commented:
hi,

I'm testing access-map to filter specific traffic for specific VLAN because we will put server in that VLAN and let other firm work only on that server. So we want to allow only RDP, DC authentication, and maybe some other ports that I forgot. So I was wondering why is that not working like I thought it will work. I'm CCNA, but we worked only on router ACLs, so this access-maps are new to me:-)

Do you have some advices on opening ports for LDAP authentication ?

tnx,
eLeL
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
egyptcoCommented:
hi,

I've never used vacl to filter traffic you might find a good example here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

it seems it is like the good old acls but with the differents that VACLs are not defined by direction (ingress or egress). so i guess you should pay attention to define the return traffic as well thats why you need to specify source and destination ports if you're playing to restrictive. so back with the example with RDP in order to allow session from server 192.168.1.2 to 192.168.2.77 you need those lines:
permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389  <-initiating rdp
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2  <-return traffic

it shouldn't work in the opposite direction (rdp from 192.168.2.77 to 192.168.1.2) but i'm not sure. as i said never used that. let me know if my theory is right:)

i have neither experience with ldap. but it seems you should open 389/tcp for ldap:// sessions and port 636/tcp for ldaps://) sessions
0
 
EXOR-ZGAuthor Commented:

Thnx for your effort in helping me on this problem. That hint about vlan maps not knowing direction cleared some questions that I had.
I'll let you know if your suggestion worked , for one way.

I'll give you 100 points , maybe somebody else have something to say on our conversation.
 

0
 
EXOR-ZGAuthor Commented:
Correction, i can't do that with points :-), i'll wait for some time, and if no posts, all points to you.

O&O
0
 
egyptcoCommented:
no pro.. instead of giving me points i'll be glad if you only  post some resaults of your tests. i have no test l3 switch to play with vacls;)
0
 
EXOR-ZGAuthor Commented:
Hi,

I finally catch some time to test your suggestion and it works fine.  
Like I already said, you cleared me whole thing with ''not knowing direction''.

tnx.
Bye
eLeL
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now