ACL Question

irlitewave
Level 1

First let me draw a diagram:

server---Router 2691---LAN

I need to apply access lists to this router that will allow anything inside to access the server entirely, but limit the ports that the server can access, such as terminal server. I created an access list with the ports that I wanted to allow in, such as this:

access-list 101 permit tcp 10.69.69.0 0.0.0.255 any eq 3389 log

and ended the access list with deny ip any any. When I am on the server I can use terminal server no problem, but if I try to connect to the terminal server that is on the outside server from inside, it does not work. It seems to change the destination port and therefore gets blocked by the ACL. Is this what is happening?

access-list dmz-in denied tcp 10.69.69.20(3389) -> 10.20.14.69(1397), 1 packe

thanks

Dave

1 Reply

scoclayton
Level 7

Dave,

Do you have anything in your ACL allowing source port 3389 packets to go through? Something like this:

access-list 101 permit tcp 10.69.69.0 0.0.0.255 eq 3389 any log

It sounds to me like you need to find a way to dynamically allow return packets to your inside hosts when they generate the traffic. You can do this a few ways. Have you considered using CBAC which is part of the FW feature set? Or as another option, reflexive access-lists? CBAC will do a more complete job but will probably require an IOS upgrade to the FW feature set. If this is not possible, take a look at reflexive access-lists and see if this helps. This feature has holes (specifically with ftp and other protocols that open up dynamic return ports) but might work in a simple environment:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_summary_chapter09186a0080087256.html

Scott
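To make the mechanics concrete, here is an added example (not from the thread, not Cisco's code) that parses IOS-style extended ACL lines with wildcard masks, evaluates the denied packet from Dave's log against the stateless list, and then shows what a reflexive entry changes. The ACL lines are the ones discussed above; the LAN-side request packet, the unsolicited packet and the server-initiated RDP packet are constructed for the demonstration. Real IOS reflexive entries also age out on a timeout, which this model omits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src_net: int
    src_wild: int        # IOS wildcard mask: 1 bits are "don't care"
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier; anything else (e.g. 'log') is left alone."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one line such as
    'access-list 101 permit tcp 10.69.69.0 0.0.0.255 any eq 3389 log'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                      # drop 'access-list <number>'
    action, proto = tokens[0], tokens[1]
    src_net, src_wild, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)            # 'eq' right after the source = source port
    dst_net, dst_wild, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)            # 'eq' after the destination = destination port
    return Ace(action, proto, src_net, src_wild, sport, dst_net, dst_wild, dport)


def _in(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and _in(_ip(pkt.src), ace.src_net, ace.src_wild)
        and _in(_ip(pkt.dst), ace.dst_net, ace.dst_wild)
        and (ace.sport is None or ace.sport == pkt.sport)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def evaluate(acl, pkt: Packet) -> str:
    """First-match semantics with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Static ACL on the server-facing interface plus reflexive entries created
    by sessions the LAN initiates (a simplified model of IOS 'reflect'/'evaluate')."""

    def __init__(self, static_acl):
        self.static_acl = static_acl
        self.reflected = set()   # return packets that are expected because the LAN asked for them

    def outbound(self, pkt: Packet) -> None:
        # LAN -> server is unrestricted here; remember the mirror image of the flow
        self.reflected.add(Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        # reflexive entries are checked first, then the static list applies
        if pkt in self.reflected:
            return "permit"
        return evaluate(self.static_acl, pkt)


# Dave's list: only RDP from the server side is allowed in, everything else is denied.
DMZ_IN = [parse_ace(line) for line in (
    "access-list 101 permit tcp 10.69.69.0 0.0.0.255 any eq 3389 log",
    "access-list 101 deny ip any any",
)]

# The packet from the log: the server's reply in an RDP session the LAN host started.
RETURN_PKT = Packet("tcp", "10.69.69.20", 3389, "10.20.14.69", 1397)
# The LAN -> server packet that started that session (constructed).
REQUEST_PKT = Packet("tcp", "10.20.14.69", 1397, "10.69.69.20", 3389)


def stateless_verdict() -> str:
    # destination port 1397 is not 3389, so the static list denies the reply
    return evaluate(DMZ_IN, RETURN_PKT)


def reflexive_verdict() -> str:
    f = ReflexiveFilter(DMZ_IN)
    f.outbound(REQUEST_PKT)            # creates the reflected entry
    return f.inbound(RETURN_PKT)


def unsolicited_verdict() -> str:
    # a connection the server opens on its own (constructed) still hits the static deny
    return ReflexiveFilter(DMZ_IN).inbound(Packet("tcp", "10.69.69.20", 40000, "10.20.14.69", 23))


def server_rdp_verdict() -> str:
    # the server initiating RDP to a LAN host (constructed) is what the static line permits
    return ReflexiveFilter(DMZ_IN).inbound(Packet("tcp", "10.69.69.20", 50000, "10.20.14.5", 3389))


if __name__ == "__main__":
    print("stateless:", stateless_verdict())
    print("reflexive:", reflexive_verdict())
    print("unsolicited:", unsolicited_verdict())
    print("server-initiated RDP:", server_rdp_verdict())
```

The first verdict reproduces the log line: the router is not changing any port, it is the client's ephemeral source port (1397) that becomes the destination port of the reply, and a list that only knows "destination port 3389" cannot recognise it. The reflexive model permits the reply only because the matching request was seen leaving the LAN, while an unsolicited connection from the server still falls through to the deny.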