Solved

How to open port 3389 on Cisco 3560?

Posted on 2009-03-30
Last Modified: 2012-06-27
Hello,

I'm starting to lose my mind on this one.
I have cisco L3 switch 3560, and I'm trying to apply some access-maps on Vlan 100, some sort of DMZ.
I don't understand how this works, so I'll give an example of what works for me and what doesn't. I kindly ask you to explain to me what I am doing wrong and where the catch is.
I want to enable only RDP from one host to another, 192.168.2.77 to 192.168.1.2, and vice versa.
This is the access-map that is applied on VLAN 100 with the vlan filter command:

Vlan access-map "dmz"  10
  Match clauses:
    ip  address: server
  Action:
    forward
Vlan access-map "crm"  20
  Match clauses:
    ip  address: all
  Action:
    drop

Access lists:
SERVER
10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2
40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389
ALL
10 permit ip any any

OK, so this combination works. Why do I have to put a statement for the source port and also for the destination port?
Also, why is it not working in just one way, for example RDP only from server 192.168.1.2 to 192.168.2.77?

10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389

With this kind of command I should be able to remote connect (RDP) only from 192.168.1.2 to 192.168.2.77, but NOT vice versa, isn't that right? That's not working.
What am I doing wrong?

Thanks in advance!

Regards,
eLeL

 
Question by:EXOR-ZG
8 Comments
 

Expert Comment

by:egyptco
ID: 24017665
"OK, so this combination works. Why do I have to put a statement for the source port and also for the destination port?"

Basically, your switch can't inspect the traffic statefully and the access-map understands no direction, so you need to specify the return traffic as well, and that's why you need source and destination address.

Your access-map "crm" allows everything and makes all other traffic filtering irrelevant.


Expert Comment

by:egyptco
ID: 24017678
Oh... it is action drop. It doesn't allow everything but drops it. Why do you need this "crm" at all?
 

Author Comment

by:EXOR-ZG
ID: 24018209
hi,

I'm testing access-maps to filter specific traffic for a specific VLAN because we will put a server in that VLAN and let another firm work only on that server. So we want to allow only RDP, DC authentication, and maybe some other ports that I forgot. So I was wondering why that is not working like I thought it would. I'm a CCNA, but we worked only on router ACLs, so these access-maps are new to me :-)

Do you have any advice on opening ports for LDAP authentication?

tnx,
eLeL

Accepted Solution

by: egyptco (earned 150 total points)
ID: 24018985
hi,

I've never used VACLs to filter traffic; you might find a good example here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

It seems it is like the good old ACLs, but with the difference that VACLs are not defined by direction (ingress or egress). So I guess you should pay attention to define the return traffic as well; that's why you need to specify source and destination ports if you're being that restrictive. So back to the example with RDP: in order to allow a session from server 192.168.1.2 to 192.168.2.77 you need these lines:
permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389  <-initiating rdp
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2  <-return traffic

It shouldn't work in the opposite direction (RDP from 192.168.2.77 to 192.168.1.2), but I'm not sure. As I said, I've never used that. Let me know if my theory is right :)

I have no experience with LDAP either, but it seems you should open 389/tcp for ldap:// sessions and 636/tcp for ldaps:// sessions.
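
As an added illustration (not code from the thread), a small Python model of how a directionless VLAN access-map evaluates packets: it parses ACEs in the syntax quoted above, applies the accepted answer's two-line SERVER list followed by the catch-all drop entry, and shows that the RDP setup from 192.168.1.2 and its return traffic are forwarded while a connection attempt in the opposite direction is dropped. The model is stateless and port-based with an implicit drop when no map entry matches; the packet tuples and the ephemeral client port 49152 are constructed sample values.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")  # one TCP segment, 4-tuple only

# One ACE in the IOS syntax quoted in this thread, e.g. "20 permit tcp host A host B eq 3389".
ACE_RE = re.compile(
    r"^(?:\d+\s+)?(permit|deny)\s+(?:ip|tcp)\s+(?:host\s+(\S+)|(any))(?:\s+eq\s+(\d+))?"
    r"\s+(?:host\s+(\S+)|(any))(?:\s+eq\s+(\d+))?$"
)

def parse_acl(text):
    """Return (action, src, sport, dst, dport) tuples; None means 'any' or unspecified."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, src, src_any, sport, dst, dst_any, dport = m.groups()
        aces.append((action, None if src_any else src, int(sport) if sport else None,
                     None if dst_any else dst, int(dport) if dport else None))
    return aces

def acl_permits(aces, pkt):
    """First matching ACE wins; no match is the implicit deny at the end of every ACL."""
    for action, src, sport, dst, dport in aces:
        if (src in (None, pkt.src) and sport in (None, pkt.sport)
                and dst in (None, pkt.dst) and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def vlan_map(entries, pkt):
    """entries: ordered (acl, action) pairs like 'dmz' 10 / 'crm' 20 above. No direction:
    every packet on the VLAN is checked the same way; first permitting entry decides, else drop."""
    for aces, action in entries:
        if acl_permits(aces, pkt):
            return action
    return "drop"

# The accepted answer's two-line SERVER list for one-way RDP, the ALL list, and the map order.
SERVER = parse_acl("""permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2""")
ALL = parse_acl("10 permit ip any any")
DMZ_MAP = [(SERVER, "forward"), (ALL, "drop")]

def check_flows():  # constructed sample packets; 49152 stands in for the client's ephemeral port
    return {
        "rdp_from_1.2_syn": vlan_map(DMZ_MAP, Packet("192.168.1.2", 49152, "192.168.2.77", 3389)),
        "rdp_from_1.2_reply": vlan_map(DMZ_MAP, Packet("192.168.2.77", 3389, "192.168.1.2", 49152)),
        "rdp_from_2.77_syn": vlan_map(DMZ_MAP, Packet("192.168.2.77", 49152, "192.168.1.2", 3389)),
    }

if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name}: {verdict}")  # forward, forward, drop
```

Feeding the question's original four-line SERVER list into the same map forwards the session in both directions, which is why it "worked" but was not one-way.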

Author Comment

by:EXOR-ZG
ID: 24019167

Thanks for your effort in helping me with this problem. That hint about VLAN maps not knowing direction cleared up some questions that I had.
I'll let you know if your suggestion worked for one way.

I'll give you 100 points; maybe somebody else has something to say on our conversation.
 


Author Comment

by:EXOR-ZG
ID: 24019209
Correction, I can't do that with points :-). I'll wait for some time, and if there are no posts, all points go to you.

O&O

Expert Comment

by:egyptco
ID: 24019744
No prob... instead of giving me points I'll be glad if you just post some results of your tests. I have no test L3 switch to play with VACLs ;)

Author Comment

by:EXOR-ZG
ID: 24047902
Hi,

I finally caught some time to test your suggestion and it works fine.
Like I already said, you cleared the whole thing up for me with ''not knowing direction''.

tnx.
Bye
eLeL