04-10-2017 01:29 AM - edited 03-12-2019 02:12 AM
Dear Cisco Experts,
I have a problem controlling the rules/traffic at the inside firewall device. I have 2 workstations; the IPs are PC-A 10.1.0.101, 255.225.0.0 and PC-B 10.1.1.125, 255.255.0.0.
These two PCs are located on the inside port of the firewall. I want to disable the Remote Desktop Protocol (tcp/3389) between these PCs using the firewall rules.
I already created access rules at the inside FW to deny the RDP service but was unsuccessful.
My question is, can I control/disable the RDP service if the IP subnet segment is the same?
Or do I need to set up a separate VLAN to be able to control/disable the RDP service?
I would appreciate it if you could help me with this.
Thanks
Hanif Saharudin
04-10-2017 01:30 PM
Hanif
There is a way to firewall traffic within the same IP subnet, but your firewall needs to be in transparent mode. However, I am not suggesting you do this, as I suspect you have other interfaces on your ASA in use and your ASA is in routed mode.
In which case, no, you cannot use the firewall as far as I know, because traffic is never sent to the firewall, i.e. the traffic goes directly between clients in the same subnet.
Which means you could use another vlan, although this would mean readdressing etc., or alternatively your switch may be able to filter traffic within the same vlan depending on the model. Bear in mind this is not stateful firewalling, just basic acl filtering.
So what switch model are you using?
Jon
04-11-2017 02:55 AM
04-11-2017 04:01 AM
You cannot configure anything at L3 because the traffic is not routed, so you need to be able to filter traffic within a vlan, which is supported on the 3750.
See this link, but bear in mind this is not stateful -
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_58_se/configuration/guide/3750scg/swacl.html#58493
Jon
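A worked VLAN ACL (VACL) configuration for the Catalyst 3750, added here as an illustration of the approach Jon describes; it is not from the thread or from the linked Cisco guide. It assumes PC-A and PC-B share VLAN 10 (the thread does not give the VLAN number) and uses ACL and access-map names chosen for this example. A VACL is applied to every frame switched within the VLAN, so it catches the direct PC-to-PC RDP traffic that never reaches a routed-mode ASA. As Jon points out, this is stateless packet filtering, not a stateful firewall rule.

```cisco
! Select RDP (tcp/3389) in either direction between PC-A and PC-B.
! Dropping the packets sent to port 3389 is enough: with the initial
! connection attempt dropped, no RDP session is ever established.
ip access-list extended RDP-BETWEEN-PCS
 permit tcp host 10.1.0.101 host 10.1.1.125 eq 3389
 permit tcp host 10.1.1.125 host 10.1.0.101 eq 3389
!
! In a VACL, "permit" in the ACL only selects the traffic to match;
! the access-map action decides what happens to it.
vlan access-map BLOCK-RDP 10
 match ip address RDP-BETWEEN-PCS
 action drop
!
! A sequence with no match clause matches everything else; it is needed
! because a packet that matches no map entry is dropped.
vlan access-map BLOCK-RDP 20
 action forward
!
! Apply the map to the VLAN the two PCs share (VLAN 10 is an assumption).
vlan filter BLOCK-RDP vlan-list 10
```

After applying it, `show vlan access-map BLOCK-RDP` and `show vlan filter vlan 10` confirm the map contents and that it is bound to the VLAN. Because the filter has no connection state, any other TCP traffic between the two hosts is untouched, and the drop applies only to the two addresses listed; to block RDP between all hosts in the VLAN, the ACL would match the subnet rather than the two hosts.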
04-12-2017 11:36 PM
Dear Jon,
Thanks for the links.
I'll go through these documents and try to perform filtering at L3 within the VLAN.
Will update later if successful.
Thanks for your time.
Regards,
Hanif