
5900AF ACLs

dgeronik
Occasional Contributor

Hello Everyone!

I need to do the following:

I have 2 VLANs (VLAN 1 and VLAN 2) and I need RDP access bidirectional between 2 specific hosts of those 2 VLANs. VLAN 1 is routable, VLAN 2 is not.

I made the following configuration:

interface Vlan-interface1
 ip address 192.168.2.250 255.255.255.0
 packet-filter 3001 inbound

acl number 3001
 rule 10 permit tcp source 192.168.1.50 0 destination 192.168.2.50 0 destination-port eq 3389
 rule 50 deny ip any

With this configuration I have RDP access from 192.168.1.50 but not the opposite.

sdide
Respected Contributor

Re: 5900AF ACLs

Hi,

the reverse will not work because you have only allowed destination port 3389, and when your client/server roles are reversed, the destination will be a different port, typically a random port (you can read more about how ports should be assigned in RFC 6335, https://tools.ietf.org/html/rfc6335). The switch ACL is just looking at each single packet; it does not keep track of established connections.

In your case, when the destination port is not 3389 (which a random port should never be) inbound on VLAN 1, the packet (the answer from the server) will be blocked (see drawings).

[Diagrams: diagram_acl_generic_3389.png, diagram_acl_generic_3389_rev.png]

You don't have any nice solutions to this. But,

1: you could allow all ports. This would make it work.

2: Maybe you could force your RDP client to initiate on a specific (not random) port, and then allow that port as well.

Regards.

Søren Dideriksen, Network Administrator
Region Midtjylland
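To make the answer's point concrete, here is an added example (not code from the thread, and not HPE/Comware code): a small Python model of a stateless packet filter that evaluates each packet on its own, loaded with the ACL 3001 rules from the question. It checks the working direction, the blocked reply of the reversed session, and the two options the answer lists. The hosts and port 3389 are the ones quoted in the thread; the ephemeral port 49152, the pinned client port 50000 and the rule number 20 are constructed for the demonstration.

```python
# Added example: a stateless packet-filter model, not the switch's real code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: Optional[str] = None     # None = any source host
    dst: Optional[str] = None     # None = any destination host
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Lowest-numbered matching rule wins. Every packet is judged alone:
    the filter keeps no record of which connections are already established."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", None  # assumption: an unmatched packet is dropped


# acl number 3001, as posted in the question
ACL_3001 = [
    Rule(10, "permit", "tcp", src="192.168.1.50", dst="192.168.2.50", dport=3389),
    Rule(50, "deny", "ip"),
]

HOST_A, HOST_B = "192.168.1.50", "192.168.2.50"
EPHEMERAL = 49152  # constructed: a typical dynamic-range client port (see RFC 6335)


def working_direction(acl: List[Rule]) -> Tuple[str, Optional[int]]:
    """A opens RDP to B: destination port 3389, so rule 10 matches."""
    return evaluate(acl, Packet("tcp", HOST_A, HOST_B, EPHEMERAL, 3389))


def reversed_reply(acl: List[Rule], client_port: int = EPHEMERAL) -> Tuple[str, Optional[int]]:
    """Roles reversed: B opens RDP to A, and A's reply is A:3389 -> B:<client port>.
    Same hosts as rule 10, but the destination port is now the client's port."""
    return evaluate(acl, Packet("tcp", HOST_A, HOST_B, 3389, client_port))


# Option 1 from the answer: allow all TCP ports between the two hosts.
# Note the cost: rule 20 now permits every TCP port from A to B, not just RDP replies.
ACL_ALL_PORTS = [Rule(20, "permit", "tcp", src=HOST_A, dst=HOST_B)] + ACL_3001

# Option 2 from the answer: pin the RDP client to one fixed port and allow only that.
PINNED_PORT = 50000  # constructed placeholder for whichever port you pin the client to
ACL_PINNED = [Rule(20, "permit", "tcp", src=HOST_A, dst=HOST_B, dport=PINNED_PORT)] + ACL_3001


if __name__ == "__main__":
    print("original ACL, A -> B:3389        :", working_direction(ACL_3001))
    print("original ACL, reply A:3389 -> B  :", reversed_reply(ACL_3001))
    print("option 1 (all ports), reply      :", reversed_reply(ACL_ALL_PORTS))
    print("option 2 (pinned port), reply    :", reversed_reply(ACL_PINNED, PINNED_PORT))
    print("option 2, client not pinned      :", reversed_reply(ACL_PINNED))
```

The model shows why the reversed session dies at rule 50 even though both hosts are the ones named in rule 10: the reply's destination port is the client's ephemeral port, not 3389. Option 1 restores connectivity but also widens what rule 20 allows between the two hosts, while option 2 keeps the opening narrow but only works for the pinned port.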