Solved

How to open port 3389 on cisco 3560 ?

Posted on 2009-03-30
8
1,752 Views
Last Modified: 2012-06-27
Hello,

I'm starting to lose my mind on this one.
I have cisco L3 switch 3560, and I'm trying to apply some access-maps on Vlan 100, some sort of DMZ.
I don't understand how this works so I'll give the example what works whit me and what doesn't. I'll kindly ask You to explain me what am I doing wrong and where is the catch ?
I want to enable only RDP from one host to another ,192.168.2.77 to 192.168.1.2 , and vice-versa.
This is the access-map what is applied on VLAN 100 with vlan filter command:

Vlan access-map "dmz"  10
  Match clauses:
    ip  address: server
  Action:
    forward
Vlan access-map "crm"  20
  Match clauses:
    ip  address: all
  Action:
    drop

Access lists :
SERVER
10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389
30 permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2
40 permit tcp host 192.168.2.77 host 192.168.1.2 eq 3389
ALL
10 permit ip any any

OK, so this combination works. Why do I have to putt  statement for source port and also destination port?
Also why is not working just in one way, for example RDP only from server 192.168.1.2 to 192.168.2.77.

10 permit tcp host 192.168.1.2 eq 3389 host 192.168.2.77
20 permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389

With this kind of command I would have to be able to remote connect (RDP) only from 192.168.1.2 to 192.168.2.77, but NOT vice-versa, isn't that right ? That's not working.
What am I doing wrong ?

Thanks in advance!

Regards ,
eLeL

 
0
Comment
Question by:EXOR-ZG
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24017665
OK, so this combination works. Why do I have to putt  statement for source port and also destination port?

basically your switch can't inspect the traffic statefully and access-map understands no direction. so you need to specify the return traffic either and that's why you need source and destination address.

your access-map "crm" allows everything and makes all other traffic filtering irrelevant

0
 
LVL 7

Expert Comment

by:egyptco
ID: 24017678
oh... it is action drop. it doesn't allows everything but drop it. why so you need this "crm" at all?
0
 

Author Comment

by:EXOR-ZG
ID: 24018209
hi,

I'm testing access-map to filter specific traffic for specific VLAN because we will put server in that VLAN and let other firm work only on that server. So we want to allow only RDP, DC authentication, and maybe some other ports that I forgot. So I was wondering why is that not working like I thought it will work. I'm CCNA, but we worked only on router ACLs, so this access-maps are new to me:-)

Do you have some advices on opening ports for LDAP authentication ?

tnx,
eLeL
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 7

Accepted Solution

by:
egyptco earned 150 total points
ID: 24018985
hi,

I've never used vacl to filter traffic you might find a good example here:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

it seems it is like the good old acls but with the differents that VACLs are not defined by direction (ingress or egress). so i guess you should pay attention to define the return traffic as well thats why you need to specify source and destination ports if you're playing to restrictive. so back with the example with RDP in order to allow session from server 192.168.1.2 to 192.168.2.77 you need those lines:
permit tcp host 192.168.1.2 host 192.168.2.77 eq 3389  <-initiating rdp
permit tcp host 192.168.2.77 eq 3389 host 192.168.1.2  <-return traffic

it shouldn't work in the opposite direction (rdp from 192.168.2.77 to 192.168.1.2) but i'm not sure. as i said never used that. let me know if my theory is right:)

i have neither experience with ldap. but it seems you should open 389/tcp for ldap:// sessions and port 636/tcp for ldaps://) sessions
0
 

Author Comment

by:EXOR-ZG
ID: 24019167

Thnx for your effort in helping me on this problem. That hint about vlan maps not knowing direction cleared some questions that I had.
I'll let you know if your suggestion worked , for one way.

I'll give you 100 points , maybe somebody else have something to say on our conversation.
 

0
 

Author Comment

by:EXOR-ZG
ID: 24019209
Correction, i can't do that with points :-), i'll wait for some time, and if no posts, all points to you.

O&O
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24019744
no pro.. instead of giving me points i'll be glad if you only  post some resaults of your tests. i have no test l3 switch to play with vacls;)
0
 

Author Comment

by:EXOR-ZG
ID: 24047902
Hi,

I finally catch some time to test your suggestion and it works fine.  
Like I already said, you cleared me whole thing with ''not knowing direction''.

tnx.
Bye
eLeL
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month9 days, 11 hours left to enroll

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question