10-06-2016 11:44 PM - edited 03-05-2019 07:13 AM
Dear
I have a router 881 with 1 WAN and 4 LAN ports. I assigned an IP to the WAN port (ISP config /30, for internet), and the ISP provided me a range of real IPs (for internet use). I assigned one real IP (from my range from the ISP) to the VLAN1 interface, connected one workstation to one of the LAN ports and assigned this workstation a real IP (also from my range from the ISP), so I can connect to the workstation directly using the real IP of this workstation (the gateway of the workstation is the real IP of the vlan1 interface).
How can I close all ports to the workstation except 3389??
With Regards to all..
10-07-2016 01:31 AM
I wouldn't have used a public IP on the vlan 1 interface; you should really use a private range and use NAT overload, or you won't be able to expand in the future.
If you want to block all ports but RDP, use an ACL: first allow the RDP to your device, then block all other TCP connections to it.
access-list 100 permit tcp any host x.x.x.x eq 3389
access-list 100 deny tcp any any
then apply the acl to the vlan interface
int vlan 1
access-group 100 in
10-07-2016 04:26 AM
Many thanks Mark, I set the ACL as above, but after I applied the ACL on the vlan1 interface (in), I was no longer able to access any ports on my workstation; when I removed the ACL from vlan 1, I can..
Your advice,,
10-07-2016 04:33 AM
OK, maybe it needs return traffic too. The first line says allow any subnet/host to speak to your host using only TCP port 3389 (RDP); the second line blocks all other TCP traffic, denying it to anyone from anywhere.
Can you post what you have configured if it's still not working, and check whether the ACL gets hit with show ip access-list 100
access-list 100 permit tcp any host x.x.x.x eq 3389
access-list 100 permit tcp host x.x.x.x any eq 3389
access-list 100 deny tcp any any
10-07-2016 04:49 AM
Configuration:
config
from terminal, memory, or network [terminal]?
guration commands, one per line. End with CNTL/Z.
config)#access-list 100 permit tcp any host (real IP of my workstation) eq 3389
config)#access-list 100 permit tcp host (real IP of my workstation) any eq 3389
config)#access-list 100 deny tcp any any
config)#end
sh
show inter
config
from terminal, memory, or network [terminal]?
guration commands, one per line. End with CNTL/Z.
config)#interf
config)#interface VLAN
config)#interface VLAN 1
config-if)#IP ACCEES
config-if)#ip access
config-if)#ip access-group 100 in
config-if)#end
wr
output of show ip access-lists:
Extended IP access list 100
10 permit tcp any host (real ip of my workstation) eq 3389
20 permit tcp host (real ip of my workstation) any eq 3389
30 deny tcp any any (54 matches)
Regards
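To make the counters above easier to read, here is an added example (not part of the thread, and not the router's own code): a small Python model of how access-list 100 evaluates packets, first match wins, with the implicit deny at the end. The workstation and client addresses are constructed placeholders. It shows why applying the list only with "in" on vlan 1 blocked everything: "in" inspects packets entering the router from the LAN, and the workstation's RDP replies (source port 3389, ephemeral destination port) match none of the permit lines, so they land on the deny on line 30.

```python
from __future__ import annotations
from dataclasses import dataclass

WS = "203.0.113.10"    # constructed placeholder for the workstation's public IP
PEER = "198.51.100.5"  # constructed placeholder for an Internet client

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp" or "ip"
    src: str | None           # None means "any"
    dst: str | None           # None means "any"
    dport: int | None = None  # "eq N" in the posted lines checks the destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))

# access-list 100 as posted in the thread, one Ace per line
ACL_100 = [
    Ace("permit", "tcp", None, WS, 3389),  # 10 permit tcp any host WS eq 3389
    Ace("permit", "tcp", WS, None, 3389),  # 20 permit tcp host WS any eq 3389
    Ace("deny", "tcp", None, None),        # 30 deny tcp any any
]

def evaluate(acl: list[Ace], p: Packet):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(p):
            return ace.action, n * 10
    return "deny", "implicit"

# "ip access-group 100 in" on vlan 1 sees packets the workstation sends. Its RDP
# reply has source port 3389 and an ephemeral destination port, so line 20 (which
# checks the destination port) does not match and line 30 counts the drop.
RDP_REQUEST = Packet("tcp", PEER, WS, sport=51515, dport=3389)  # Internet -> WS
RDP_REPLY = Packet("tcp", WS, PEER, sport=3389, dport=51515)    # WS -> Internet
HTTP_TO_WS = Packet("tcp", PEER, WS, sport=51516, dport=80)
PING_TO_WS = Packet("icmp", PEER, WS)  # non-TCP: nothing permits it, implicit deny
```

Note that nothing in the list permits non-TCP traffic, so ICMP and UDP (for example DNS) to or from the workstation are dropped by the implicit deny as well.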
10-07-2016 05:26 AM
Try ip access-group 100 out under the vlan interface as well.
10-07-2016 06:18 AM
Did it work?
10-07-2016 09:21 AM
It seems that it works OK.
The output of show ip access-lists after I tried 3389 and 80:
10 permit tcp any host x.x.x.x eq 3389 (26 matches)
20 permit tcp host x.x.x.x any eq 3389
30 deny tcp any any (69 matches)
Many thanks to you, Mr. Mark..
10-10-2016 12:39 AM
Ah great, that's good :)