Solved

3560 RDP acl  not working

Posted on 2011-04-30
Last Modified: 2012-05-11
IP Routing is enabled, and when I remove access lists 112 & 113 RDP works, but does not when they are in place.  What am I missing?

interface Vlan2
 ip address 172.16.0.1 255.255.255.0
 ip access-group 102 in
 ip access-group 112 out
!
interface Vlan3
 ip address 172.17.0.1 255.255.255.0
 ip access-group 103 in
 ip access-group 113 out

access-list 102 permit ip any any log
access-list 103 permit ip any any log
access-list 112 permit tcp any host 172.16.0.2 eq 3389 log
access-list 113 permit tcp any host 172.17.0.2 eq 3389 log
!
Question by:B1izzard
6 Comments
 
LVL 12

Expert Comment

by:Fidelius
ID: 35498109
Hello,

You need to switch directions on ACLs.
102 and 103 should be OUT direction and 112 and 113 should be IN direction.

Regards!
0
 
LVL 15

Accepted Solution

by:
Frabble earned 1000 total points
ID: 35500707
The ACLs shown will effectively block all traffic between the two networks, so if you're trying RDP between the two it will fail.

Generally, there is no stateful inspection with ACLs so you have to allow for returning traffic.

Using the above and ignoring IP addresses, RDP from VLAN 2 to VLAN 3 will have a client dynamic source port (>1023) and server destination port 3389.
For Vlan2, ACL 102 will allow this in and for Vlan3, ACL 113 will allow this out.
The return traffic will have server source port 3389 and client destination port whatever was used.
For Vlan3, ACL 103 will allow this in and for Vlan2, ACL 112 will block it because all you are allowing out is to port 3389 which is unlikely to be the client source port.

For the above, ACL 112 also has to allow return traffic from the Vlan3 RDP server and ACL 113 also has to allow return traffic from the Vlan2 server:
access-list 112 permit tcp any host 172.16.0.2 eq 3389 log
access-list 112 permit tcp host 172.17.0.2 eq 3389 any log

access-list 113 permit tcp any host 172.17.0.2 eq 3389 log
access-list 113 permit tcp host 172.16.0.2 eq 3389 any log


I assume you're just testing with the above. Normally control is done at the source so ACLs are usually applied for incoming traffic.
For commonly used ACLs and the use of "established" for TCP connections, check out:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

0
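To make the stateless-ACL point concrete, here is a small simulator (added here, not code from the thread or from Cisco) that evaluates the posted numbered ACLs top-down with first match and implicit deny, and walks an RDP SYN and its reply through the in/out ACLs of Vlan2 and Vlan3. Subnets, ACL numbers and directions are the ones from the question; the client host and ephemeral port are constructed, and the `established` variant is the alternative from the linked Cisco page.

```python
# Added example, not code from the thread: first-match / implicit-deny ACL simulator for the
# numbered ACLs above, showing why stateless "out" ACLs drop RDP's return traffic.
import ipaddress
from collections import namedtuple
# established=True models a TCP segment with ACK/RST set (what the 'established' keyword matches)
Pkt = namedtuple("Pkt", "proto src sport dst dport established")
# rule: (action, proto, src, sport|None, dst, dport|None, established)
def acl_permits(rules, pkt):
    """Evaluate rules top-down; first match wins; unmatched traffic hits the implicit deny."""
    for action, proto, src, sport, dst, dport, est in rules:
        if (proto in ("ip", pkt.proto)
                and src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and (pkt.established or not est)):
            return action == "permit"
    return False
ORIGINAL = {
    102: [("permit", "ip", "any", None, "any", None, False)],
    103: [("permit", "ip", "any", None, "any", None, False)],
    112: [("permit", "tcp", "any", None, "172.16.0.2", 3389, False)],
    113: [("permit", "tcp", "any", None, "172.17.0.2", 3389, False)],
}
# Frabble's fix: explicitly permit each server's return traffic in the other VLAN's out ACL
FIXED = dict(ORIGINAL)
FIXED[112] = ORIGINAL[112] + [("permit", "tcp", "172.17.0.2", 3389, "any", None, False)]
FIXED[113] = ORIGINAL[113] + [("permit", "tcp", "172.16.0.2", 3389, "any", None, False)]
# Alternative from the linked Cisco doc: one 'established' line covers all TCP replies
ESTABLISHED = dict(ORIGINAL)
ESTABLISHED[112] = ORIGINAL[112] + [("permit", "tcp", "any", None, "any", None, True)]
ESTABLISHED[113] = ORIGINAL[113] + [("permit", "tcp", "any", None, "any", None, True)]
# (subnet, in ACL, out ACL) exactly as applied to Vlan2 and Vlan3 in the question
VLANS = [(ipaddress.ip_network("172.16.0.0/24"), 102, 112),
         (ipaddress.ip_network("172.17.0.0/24"), 103, 113)]
def _acls_for(ip):
    for net, acl_in, acl_out in VLANS:
        if ipaddress.ip_address(ip) in net:
            return acl_in, acl_out
    raise ValueError(f"no VLAN for {ip}")
def forwarded(acls, pkt):
    """Router path: 'in' ACL on the ingress VLAN, then 'out' ACL on the egress VLAN."""
    in_acl, _ = _acls_for(pkt.src)
    _, out_acl = _acls_for(pkt.dst)
    return acl_permits(acls[in_acl], pkt) and acl_permits(acls[out_acl], pkt)

def rdp_session_works(acls, client, server):
    """An RDP session needs the client's SYN and the server's SYN/ACK both to be forwarded."""
    syn = Pkt("tcp", client, 51234, server, 3389, False)      # constructed ephemeral port
    reply = Pkt("tcp", server, 3389, client, 51234, True)
    return forwarded(acls, syn) and forwarded(acls, reply)
```

With ORIGINAL the SYN is forwarded (102 in, 113 out) but the reply dies on ACL 112 out, because its destination port is the client's ephemeral port, not 3389; with FIXED or ESTABLISHED both directions pass while a plain SYN to any other port is still denied.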
 

Author Comment

by:B1izzard
ID: 35510087
>> Normally control is done at the source so ACLs are usually applied for incoming traffic.
So are you implying it's not normal to have an 'ip access-group out', but rather just an 'ip access-group in' to block traffic on all interfaces?  

I personally would prefer to always have an 'ip access-group out' on all interfaces just to make sure you don't have unexpected traffic coming in due to a missed ACL.  Am I going about this the wrong way?
0
 
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 1000 total points
ID: 35510276
No, it is not the wrong way, but it is far more complicated. As Frabble said, ACLs are not stateful, so you will have to define all returning traffic also. It is a more error-prone approach. Best practice is to use only IN ACLs.

Regards!
0
 
LVL 15

Expert Comment

by:Frabble
ID: 35517433
I'm not implying outgoing ACLs are not normal, it depends on the situation and why ACLs are being applied in the first place.

You're having to allow all incoming traffic which means it's processed and routed before possibly being denied and dropped, so device resources are being wasted. If an ACL is applied for incoming at the source, denied traffic is dropped, end of story, so is more efficient.
Similarly, anywhere could spoof their address for one that your outgoing list allows and a connection attempt will get through allowing a SYN denial of service attack for example. An incoming ACL can block this again, at the source.
If you have several interfaces, administration will be high. Access from one may involve having to change all the other ACLs instead of just the one. Similarly, you won't be able to inspect the configuration of an interface to see what is allowed for devices on that network, all the other interfaces will need to be looked at. It's easier to miss an ACL in these circumstances.

Ultimately it will be whatever you feel comfortable with to achieve what is required, but if you look at the examples provided by Cisco for access control, almost all are incoming ACLs. Generally they're easier to manage and allow the use of best practice.
0
 

Author Closing Comment

by:B1izzard
ID: 35943939
Thanks.
0
