11-06-2015 02:04 AM - edited 03-08-2019 02:35 AM
Folks,
Hope you guys can help with this.
We have 2 VLANs, VLAN20 192.168.1.0/24 and VLAN21 192.168.2.0/24
On the 192.168.1.0/24 subnet we have an extended ACL inbound.
There is no ACL on VLAN21
I want to allow clients on VLAN21 to access a server 192.168.1.10 on VLAN20 on tcp port 7788.
This is what I have in the ACL
access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 eq 7788 log
With the above applied, the connection fails.
If I change the ACL to "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 gt 7000 log" it works
The only thing I am noticing when I look in the log is that the source port from the client is 64534.
Is there any way to get this working without leaving the ACL as is above, and tie it down a bit more?
Regards
11-06-2015 03:14 AM
If you want to apply it to the ACL on the VLAN 20 SVI, it should be:
"access-list 121 permit tcp host 192.168.1.10 eq 7788 192.168.2.0 0.0.0.255 log"
because an ACL applied inbound is for traffic coming from devices in that VLAN, and the server is using that specific port whereas the client is using a random port.
Jon
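To make Jon's point concrete, here is an added example (not from this thread or from any Cisco software) that evaluates the three ACEs discussed above against the packet the VLAN20 inbound ACL actually sees: the server's reply, sourced from 192.168.1.10 port 7788 and destined for the client's random port (64534, taken from the log line in the question). The client address 192.168.2.50 is an assumption; the mini parser only handles `permit|deny tcp`, `host`/`any`/wildcard address specs and `eq|gt|lt` port operators, which is enough for the lines in this thread.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Consume a Cisco address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask
    # (only contiguous wildcards are handled here).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq|gt|lt N' that follows an address spec; no operator means any port."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        op, n = tokens[i], int(tokens[i + 1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return pred, i + 2
    return (lambda p: True), i


def parse_ace(line):
    """Parse 'access-list N permit|deny tcp <src> [port-op] <dst> [port-op] [log]'.

    The position of the port operator is what matters: an operator right after
    the source address constrains the SOURCE port, one after the destination
    address constrains the DESTINATION port.
    """
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    return (ace["proto"] == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ace["sport"](pkt["sport"])
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["dport"](pkt["dport"]))


def acl_verdict(aces, pkt):
    """First-match semantics with the implicit deny at the end of every Cisco ACL."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# The three lines from the thread.
ORIGINAL = "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 eq 7788 log"
WORKAROUND = "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 gt 7000 log"
CORRECTED = "access-list 121 permit tcp host 192.168.1.10 eq 7788 192.168.2.0 0.0.0.255 log"

# Constructed packet: what the ACL applied INBOUND on the VLAN20 SVI sees is the
# server's reply, not the client's request. Client IP is assumed; client port is
# the one reported in the question's log.
SERVER_REPLY = {"proto": "tcp", "src": "192.168.1.10", "sport": 7788,
                "dst": "192.168.2.50", "dport": 64534}

# Constructed packet from the same server on a different service port, to show
# the corrected line is tighter than 'gt 7000'.
SERVER_OTHER_SERVICE = {"proto": "tcp", "src": "192.168.1.10", "sport": 22,
                        "dst": "192.168.2.50", "dport": 50123}


def verdicts():
    """Evaluate each ACE variant against the server's reply and the unrelated service."""
    return {
        "original": acl_verdict([parse_ace(ORIGINAL)], SERVER_REPLY),
        "workaround": acl_verdict([parse_ace(WORKAROUND)], SERVER_REPLY),
        "corrected": acl_verdict([parse_ace(CORRECTED)], SERVER_REPLY),
        "workaround_other_service": acl_verdict([parse_ace(WORKAROUND)], SERVER_OTHER_SERVICE),
        "corrected_other_service": acl_verdict([parse_ace(CORRECTED)], SERVER_OTHER_SERVICE),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26} -> {verdict}")
```

The original line denies the reply because `eq 7788` sits after the destination and the reply's destination port is the client's ephemeral 64534; `gt 7000` happens to catch that ephemeral port, which is why it "works" but also lets through any server-sourced TCP traffic to a high client port (port 22 to 50123 is permitted above). Putting `eq 7788` after the source address matches the one port the server actually uses. If you want to restrict it further, Cisco extended ACLs also accept the `established` keyword, which only matches TCP segments with ACK or RST set, i.e. replies to a session the client initiated.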
11-06-2015 10:01 PM
Hello Robert,
Agree with Jon's comment: the client end generates a random source port for the TCP handshake, but the destination port is where the application is running.
You can apply the ACL inbound on VLAN 20, but normally my preference is to apply the ACL near the source, that is VLAN 21.
Hope it Helps..
-GI