ACL rules clarification

fersherls
Level 1

Hello everyone

I have had a doubt for a long time regarding ACLs on a Cisco 4500 switch.

The scenario is the following:

interface Vlan110
description Workstations
ip address 10.1.1.1 255.255.255.0
ip access-group PCI_OUT out

And my plan is to enable communication from the VLAN 110 segment to a remote server. Here's my question.

If I configure it like this

ip access-list extended PCI_OUT
permit tcp any host 10.2.1.45 eq 3389

10.240.20.45 is the remote server, so will communication initiated from workstations on VLAN 110 be successful? I have doubts about whether I need to enable the other side too, like this:

permit tcp host 10.240.20.45 any  eq 3389

But to my knowledge, I think that if I just configure it like the first one, communication will be successful, but only if initiated from the workstations, right?

Best Regards!

Accepted Solution

Hi

With that line you are allowing RDP access from any IP over that VLAN to that specific host (10.240.20.45/32).

Syntax

permit <tcp protocol> <'any' source over the subnet 10.1.1.0/24> eq <source port> <destination IP/subnet> eq <destination port>

If you don't specify the port after the source IP/subnet, it is considered as any port from 0 to 65535.

permit tcp any host 10.240.20.45 eq 3389 only  <-- from network 10.1.10/24 to the host 10.240.20.45

If you configure it like:

permit tcp host 10.240.20.45 any eq 3389  <--- you are allowing host 10.240.20.45 to reach any destination through port 3389, but in that case it is invalid, because the host 10.240.20.45 does not belong to VLAN 110.

But it could be applied in the inbound direction, for example:

interface Vlan110
description Workstations
ip address 10.1.1.1 255.255.255.0
ip access-group PCI_OUT in

In this case you are allowing TCP access from the host 10.240.20.45 to any destination over the subnet 10.1.1.0/24 using port 3389 (the RDP port) only.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
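As an added example that is not part of the thread, a small Python evaluator for the ACL syntax described in this answer, used to check which of the lines under discussion match each direction of an RDP session. It assumes the standard Cisco behaviour that entries are tested top-down, first match wins, and an unmatched packet falls to the implicit deny at the end of the list; interface direction (in/out) is outside what it models, and the workstation address and ephemeral port are constructed.

```python
import ipaddress
from collections import namedtuple

# One packet as seen by the ACL: addresses and TCP ports of both ends.
Packet = namedtuple("Packet", "src sport dst dport")

def _parse_addr(tokens):
    """Consume one ACL address spec: 'any' or 'host A.B.C.D' (the forms used in the thread)."""
    if tokens.pop(0) == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tokens.pop(0) + "/32")

def _parse_port(tokens):
    """Optional 'eq N'; when absent the entry matches any port 0-65535, as the answer notes."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse 'permit|deny tcp <src> [eq P] <dst> [eq P]' following the syntax given in the answer."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return action, proto, src, sport, dst, dport

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit deny (assumed Cisco behaviour)."""
    for action, proto, src, sport, dst, dport in map(parse_ace, acl_lines):
        if (proto == "tcp"
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "deny"

# Constructed sample flow: a workstation opens RDP to the server; the server's reply
# comes back to the workstation's ephemeral port, so its destination port is not 3389.
OUTBOUND = Packet("10.1.1.50", 50000, "10.240.20.45", 3389)
REPLY = Packet("10.240.20.45", 3389, "10.1.1.50", 50000)
ACL_FORWARD_ONLY = ["permit tcp any host 10.240.20.45 eq 3389"]
ACL_PROPOSED_REVERSE = ACL_FORWARD_ONLY + ["permit tcp host 10.240.20.45 any eq 3389"]
ACL_SOURCE_PORT_REVERSE = ACL_FORWARD_ONLY + ["permit tcp host 10.240.20.45 eq 3389 any"]
```

Running `evaluate` over the three lists shows that `eq 3389` placed after the destination does not match the server's replies, whereas placing it after the source address (the source-port position in the syntax above) does.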
