04-08-2009 08:45 AM
I have a router with the following interfaces :
interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
duplex auto
speed auto
!
interface FastEthernet6/1
description <<137.55.68.0 Subnet>>
ip address 137.55.68.1 255.255.252.0
duplex auto
speed auto
.
.
.
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 101 permit tcp 137.55.67.0 0.0.0.255 137.55.68.0 0.0.3.255 eq 3389
Note: The subnet on interface F6/0 is a pool of non-compliant PCs whose access in/out we would like to restrict.
Question 1: With ACL 100 applied "out" on F6/0 toward subnet 137.55.67.0, I can RDC from subnet 137.55.68.0 but NOT the other way (from 137.55.67.0 to clients in 137.55.68.0).
Question 2: Even applying ACL 101 to the subnet as follows is also NOT helping.
interface FastEthernet6/0
description <<137.55.67.0 Subnet>>
ip address 137.55.67.1 255.255.255.0
ip access-group 100 out
ip access-group 101 in
duplex auto
speed auto
Appreciate if anyone can help. Thanks.
Regards
thong
04-08-2009 11:46 AM
Thong
If you want to be able to RDP both ways then you need to modify your ACL 100. You could use the established keyword or you could write it as follows:
access-list 100 permit tcp 137.55.68.0 0.0.3.255 137.55.67.0 0.0.0.255 eq 3389
access-list 100 permit tcp 137.55.68.0 0.0.3.255 eq 3389 137.55.67.0 0.0.0.255
Jon
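Added example (not part of the original thread): a small Python model of first-match extended-ACL evaluation on F6/0, showing why the reply half of an RDP session started from 137.55.67.0 is dropped by the original ACL 100 and passes with the second line Jon suggests. The host addresses, the ephemeral port 50000 and all function names are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def permits(acl, src, sport, dst, dport):
    """First match wins; an extended ACL ends with an implicit deny."""
    for e in acl:
        if (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])
                and e.get("sport") in (None, sport)
                and e.get("dport") in (None, dport)):
            return True  # every entry modelled here is a permit
    return False

NET68 = ("137.55.68.0", "0.0.3.255")
NET67 = ("137.55.67.0", "0.0.0.255")

# ACLs as posted in the thread (tcp only)
ACL100_ORIGINAL = [{"src": NET68, "dst": NET67, "dport": 3389}]
ACL100_REVISED = ACL100_ORIGINAL + [{"src": NET68, "sport": 3389, "dst": NET67}]
ACL101 = [{"src": NET67, "dst": NET68, "dport": 3389}]

# Constructed sample hosts and client-side ephemeral port
PC67, PC68, EPH = "137.55.67.10", "137.55.68.20", 50000

def f60_passes(acl_out, acl_in, src, sport, dst, dport):
    """Pick the F6/0 ACL for the direction the packet crosses the interface."""
    acl = acl_out if wildcard_match(dst, *NET67) else acl_in
    return acl is None or permits(acl, src, sport, dst, dport)

def rdp_works(acl_out, acl_in, client, server):
    """A session needs both the request and the reply to cross F6/0."""
    request = f60_passes(acl_out, acl_in, client, EPH, server, 3389)
    reply = f60_passes(acl_out, acl_in, server, 3389, client, EPH)
    return request and reply

if __name__ == "__main__":
    cases = [("100 out only", ACL100_ORIGINAL, None),
             ("100 out + 101 in", ACL100_ORIGINAL, ACL101),
             ("revised 100 out only", ACL100_REVISED, None)]
    for name, out, inn in cases:
        print(f"{name:22} 68->67: {rdp_works(out, inn, PC68, PC67)}"
              f"  67->68: {rdp_works(out, inn, PC67, PC68)}")
```

In this model, adding ACL 101 inbound also stops the 68-to-67 direction, because the reply from source port 3389 to an ephemeral destination port matches no entry in 101. The source-port entry is stateless: it matches any TCP segment from 137.55.68.0/22 with source port 3389, whatever the destination port.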
04-09-2009 08:12 AM
Dear John,
I could not find this post of mine and thought I could have logged off before hitting the "post" button last night.
I didn't know that I had posted to the wrong category until I received an email from this forum.
I have just posted the same question again under "Getting started with LAN".
Anyway, I will try your suggestion tomorrow to see if it works.
Thanks.