03-08-2021 08:53 AM - edited 03-08-2021 08:56 AM
ACL to allow RDP into a VLAN.
This is on a J9851A.
I have the following ACL that is applied to the VLAN for network 10.3.4.0 as "in". I had to do this to limit where people at our trainings could reach as far as internal resources. What I need to do is allow us to RDP to servers that live in this VLAN.
ip access-list extended "Training Lab"
10 permit tcp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53
15 permit udp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53
20 permit tcp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 53
25 permit udp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 53
30 permit udp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 68
40 permit udp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 68
50 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 80
60 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 443
70 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 80
80 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 443
90 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 80
100 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 443
110 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 80
120 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 553
130 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 443
140 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 80
150 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 443
160 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 80
170 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 443
180 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 80
190 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 443
195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0
210 deny ip 10.3.4.0 0.0.0.255 10.0.0.0 255.0.0.0
220 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
230 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
240 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2001
250 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 7001
260 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 4001
270 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6001
280 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1194
290 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
300 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 22
310 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 8080
320 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
330 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
I thought rule 195 would allow that and it doesn't. I have also tried this as well with no success:
permit tcp 192.168.250.0 0.0.0.255 10.3.4.0 0.0.0.255 eq 3389
Do I need to change how the ACL is applied to that vlan?
Thank you,
Eric
03-09-2021 07:00 AM
Re: ACL to allow RDP into a VLAN.
Hi Eric,
Since your extended ACL "Training Lab" is applied against in(coming) traffic reaching the router (your switch) from the VLAN ID related to subnet 10.3.4.0/24, the ACE 195 you're referring to:
195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
seems strange, because it means that ANY source to ANY destination will be permitted on TCP 3389 incoming into your 10.3.4.0/24 VLAN's SVI (that is, for traffic seen as ingressing into the core switch performing the routing, originated in the VLAN subnet). If I read it correctly, it means that you're allowing any IP address to go to any IP address to perform RDP (TCP/3389); this would for sure include any 10.3.4.0/24 host performing RDP against any other host outside that specific VLAN.
Hope to have not misunderstood your description.
I'm not an HPE Employee
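The following Python evaluator is an added example and is not code from either post or from HPE. It replays the decisive ACEs from Eric's "Training Lab" ACL (the port-specific permits that cannot match RDP are left out) through first-match evaluation with an implicit deny, using the wildcard-mask semantics these switches use (0 bits must match, 1 bits are don't-care). It assumes a topology in which the RDP client sits on a different VLAN (192.168.250.0/24 here, taken from Eric's attempted rule), so an ACL applied "in" on the 10.3.4.0/24 VLAN only ever sees packets whose source is in that subnet; the `VLAN_SUBNET` check, the `TRIED_ACE` sequence number 197 and the source-port syntax of `FIX_ACE` are my assumptions, not anything from the thread or an HPE reference.

```python
"""First-match simulation of an inbound VLAN ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the ACL is applied "in" on the SVI of this subnet, so only packets
# entering the switch from hosts in this subnet are evaluated against it.
VLAN_SUBNET = ipaddress.ip_network("10.3.4.0/24")

# ACEs copied from the post (seq action proto src wildcard dst wildcard [eq port]),
# trimmed to the ones that can decide the RDP question.
ACL_TEXT = """
195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0
210 deny ip 10.3.4.0 0.0.0.255 10.0.0.0 255.0.0.0
220 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
230 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
"""

# The rule Eric tried (sequence number is my assumption).
TRIED_ACE = "197 permit tcp 192.168.250.0 0.0.0.255 10.3.4.0 0.0.0.255 eq 3389"
# A rule that permits the lab server's replies, matched on SOURCE port 3389.
# Assumed syntax: source port operator sits between source and destination.
FIX_ACE = "197 permit tcp 10.3.4.0 0.0.0.255 eq 3389 192.168.250.0 0.0.0.255"


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: int
    smask: int
    sport: Optional[int]
    dst: int
    dmask: int
    dport: Optional[int]


def _addr(text: str) -> int:
    return int(ipaddress.ip_address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'seq action proto SA SA-mask [eq p] DA DA-mask [eq p]'."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    i = 3
    src, smask = _addr(t[i]), _addr(t[i + 1])
    i += 2
    sport = None
    if i < len(t) and t[i] == "eq":
        sport = int(t[i + 1])
        i += 2
    dst, dmask = _addr(t[i]), _addr(t[i + 1])
    i += 2
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    return Ace(seq, action, proto, src, smask, sport, dst, dmask, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def with_ace(acl: List[Ace], line: str) -> List[Ace]:
    """Return a copy of the ACL with one more ACE, kept in sequence order."""
    return sorted(acl + [parse_ace(line)], key=lambda a: a.seq)


def _wild_match(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard mask: 0 bits must match, 1 bits are don't-care.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def ace_matches(ace: Ace, proto: str, src: int, sport: int, dst: int, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not _wild_match(src, ace.src, ace.smask) or not _wild_match(dst, ace.dst, ace.dmask):
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate_inbound(acl: List[Ace], proto: str, src_ip: str, sport: int,
                     dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (verdict, matching seq). 'unfiltered' = packet never enters from this VLAN."""
    if ipaddress.ip_address(src_ip) not in VLAN_SUBNET:
        return ("unfiltered", None)
    src, dst = _addr(src_ip), _addr(dst_ip)
    for ace in acl:
        if ace_matches(ace, proto, src, sport, dst, dport):
            return (ace.action, ace.seq)
    return ("deny", None)  # implicit deny at the end of every ACL


def rdp_scenarios(acl: List[Ace]) -> dict:
    """Constructed flows: one RDP session in each direction, request and reply."""
    return {
        # lab host opens RDP to a host outside the VLAN: request enters from the VLAN
        "lab_to_outside_rdp": evaluate_inbound(acl, "tcp", "10.3.4.20", 50000, "192.168.250.10", 3389),
        # admin on 192.168.250.0/24 opens RDP to a lab server: request enters on another VLAN
        "outside_to_lab_rdp_request": evaluate_inbound(acl, "tcp", "192.168.250.10", 50000, "10.3.4.20", 3389),
        # the lab server's reply enters from the VLAN: source port 3389, ephemeral destination port
        "outside_to_lab_rdp_reply": evaluate_inbound(acl, "tcp", "10.3.4.20", 3389, "192.168.250.10", 50000),
    }


if __name__ == "__main__":
    base = parse_acl(ACL_TEXT)
    for label, acl in (("as posted", base), ("with tried rule", with_ace(base, TRIED_ACE)),
                       ("with source-port rule", with_ace(base, FIX_ACE))):
        print(label, rdp_scenarios(acl))
```

Run as posted, the evaluator shows the two halves of the problem: ACE 195 permits the lab-to-outside RDP request (the exposure the reply points out), while the RDP session Eric wants is not blocked on its request (that packet never traverses the inbound ACL) but on the server's reply, which has a destination port that is not 3389 and so falls through to a deny. Eric's tried rule changes nothing, because a packet sourced from 192.168.250.0/24 never enters the switch from this VLAN; a rule matching the lab servers' replies on source port 3389 towards the admin subnet does permit the session. Two caveats: the evaluator models "enters from the VLAN" purely by source subnet, and under wildcard semantics `192.168.0.0 255.255.0.0` matches only addresses whose last two octets are 0.0, so whether ACE 200 or the implicit deny catches the reply should be confirmed against the switch's own `show access-list` output before relying on it.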