cancel
Showing results for 
Search instead for 
Did you mean: 

5900AF ACLs

Highlighted
dgeronik
Occasional Contributor

5900AF ACLs

Hello Everyone!

I need to do the following 

I have 2 VANs (VLAN 1 and VALAN 2) and I need RDP access bidirectional between 2 specific hosts of those 2 VlANs. VLAN1 is routable VLAN 2 is not

I made the following configiration:

interface Vlan-interface1
ip address 192.168.2.250 255.255.255.0
packet-filter 3001 inbound

acl number 3001

rule 10 permit tcp source 192.168.1.50 0 destination 192.168.2.50 0 destination-port eq 3389
rule 50 deny ip any

With this configuration i have RDP access from 192.168.1..50 but not the oposite

1 REPLY
sdide
Trusted Contributor

Re: 5900AF ACLs

Hi,

the reverse will not work because you have only allowed destination port 3389, and when your client/server roles are reversed, the destination will be a different port, typically a random port (you can read more about how ports should be assigned in RFC 6335 https://tools.ietf.org/html/rfc6335) . The switch ACL is just looking at each single packet, it does not keep track of established connections.

In your case, when the destination port is not 3389 (which a random port should never be) inbound on vlan 1, the packet (the answer from the server) will be blocked. (see drawings) 

diagram_acl_generic_3389.pngdiagram_acl_generic_3389_rev.png

You don't have any nice solutions to this. But,

1: you could allow all ports. This would make it work.

2: Maybe you could force your RDP client to initiate on a specific (not random) port, and then allow that port aswell.

Regards.

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland