Beginner

Allowing inbound RDP but not any outbound

I want to create an isolated Test vlan (172.16.112.0/24):

Inbound - only allow inbound RDP to any host within the Test vlan

Outbound - deny all so that any hosts in the Test vlan can't contact production

Does the following look correct?

interface Vlan102
 description Test Subnet
 ip address 172.16.112.1 255.255.255.0
 ip access-group FROM-TEST in
 ip access-group TO-TEST out

ip access-list extended FROM-TEST
 permit tcp 172.16.112.0 0.0.0.255 172.16.0.0 0.0.3.255 log
 permit icmp any any log
 deny ip any any

ip access-list extended TO-TEST
 permit tcp 172.16.0.0 0.0.3.255 172.16.112.0 0.0.0.255 eq 3389
 permit icmp any any
 deny ip any any

VIP Expert

Re: Allowing inbound RDP but not any outbound

Close - depends how much you truly want to lock down to just RDP traffic. For example, your ACLs allow ICMP traffic. They also allow an outbound flow to start a flow, outbound, provided the return traffic comes back in with a TCP port of 3389 (which is likely RDP, but it might not be).

In other words, what you have is probably "good enough", but if you wanted to further restrict to RDP, you might see if your device supports NBAR that "knows" RDP. If not, you might see if you can use a reflexive ACL (so outbound TCP is blocked unless it's a return flow - also might be helpful for your ICMP) and if not, maybe restrict outbound TCP to have the established bit set.
Beginner

Re: Allowing inbound RDP but not any outbound

Thanks for the reply.

Why is TO-TEST an outbound and FROM-TEST inbound?

ip access-group FROM-TEST in
ip access-group TO-TEST out

Shouldn't this be the other way around?

Beginner

Re: Allowing inbound RDP but not any outbound

ACL in = all traffic received on that interface is checked against the ACL.
ACL out = all traffic leaving on that interface is checked against the ACL.
VIP Advisor

Re: Allowing inbound RDP but not any outbound

Hello


@Joe22 wrote:

I want to create an isolated Test vlan (172.16.112.0/24):

Inbound - only allow inbound RDP to any host within the Test vlan

Outbound - deny all so that any hosts in the Test vlan can't contact production


What is the production vlan subnet? For example, 10.10.10.0/24:

ip access-list extended test_vlan_acl
 remark Isolate test vlan from production
 permit tcp 10.10.10.0 0.0.0.255 any eq 3389
 deny ip 10.10.10.0 0.0.0.255 any
 permit ip any any

ip access-list extended test_vlan_acl_in
 remark Isolate test vlan from production
 permit tcp any 10.10.10.0 0.0.0.255 eq 3389
 deny ip any 10.10.10.0 0.0.0.255
 permit ip any any

int vlan 102
 ip access-group test_vlan_acl out
 ip access-group test_vlan_acl_in in

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: Allowing inbound RDP but not any outbound

172.16.0.0/22 is the production

Beginner

Re: Allowing inbound RDP but not any outbound

Paul, why is the inbound acl, test_vlan_acl, tagged as "out"? Shouldn't that be "in"?
Hall of Fame Guru

Re: Allowing inbound RDP but not any outbound

An acl applied inbound to your test vlan L3 vlan interface (SVI) controls traffic from the test vlan, i.e. traffic with source IPs of 172.16.112.x.

An acl applied outbound to your test vlan SVI controls traffic with destination IPs of 172.16.112.x.

Your outbound acl should be as you have it in your first post but as Joe notes you are also allowing ICMP.

Your inbound acl should be -

permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 log

to allow the return RDP traffic, i.e. no need to allow all TCP traffic as you don't want that according to your original post, and you also need to allow ICMP if that is what you want.

Jon
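
The following is an added example, not posted by anyone in this thread and not Cisco code: a small Python evaluator for the subset of Cisco IOS extended ACL syntax used above (permit/deny, a protocol, source and destination with wildcard masks or any, an optional eq port, and a trailing log keyword). It applies first-match-wins with the implicit deny at the end and runs the original FROM-TEST and TO-TEST lists, plus Jon's corrected inbound entry, against constructed packets. The host addresses (172.16.112.10 in the test vlan, 172.16.1.5 in production) and the ephemeral ports are assumed sample values. The point it makes visible is the one Joseph and Jon raise: the original inbound list lets a test host open any TCP connection to production, while matching on the source port 3389 for inbound traffic only admits RDP replies. It models stateless ACLs only; the established keyword and reflexive ACLs mentioned in the thread are not modelled.

```python
"""Minimal evaluator for the Cisco IOS extended ACL subset used in the thread."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]   # None for icmp
    dst: str
    dport: Optional[int]


class Ace(NamedTuple):
    action: str
    proto: str
    src_net: str
    src_wild: str
    sport: Optional[int]
    dst_net: str
    dst_wild: str
    dport: Optional[int]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2          # <network> <wildcard>


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N] [log]'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src_net, src_wild, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst_net, dst_wild, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)              # 'log', if present, is ignored here
    return Ace(action, proto, src_net, src_wild, sport, dst_net, dst_wild, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_action(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl:
        if line.split()[0] == "remark":
            continue
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Lists as posted, applied to interface Vlan102 (the test SVI):
#   "in"  = packets the SVI receives from test hosts (source 172.16.112.x)
#   "out" = packets the SVI forwards toward test hosts (destination 172.16.112.x)
FROM_TEST_ORIGINAL = [
    "permit tcp 172.16.112.0 0.0.0.255 172.16.0.0 0.0.3.255 log",
    "permit icmp any any log",
    "deny ip any any",
]
TO_TEST = [
    "permit tcp 172.16.0.0 0.0.3.255 172.16.112.0 0.0.0.255 eq 3389",
    "permit icmp any any",
    "deny ip any any",
]
# Jon's inbound entry: only RDP replies (source port 3389) leave the test vlan.
FROM_TEST_JON = [
    "permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 log",
    "deny ip any any",
]

# Constructed sample packets (hosts and ephemeral ports are assumed values).
RDP_REQUEST = Packet("tcp", "172.16.1.5", 51000, "172.16.112.10", 3389)   # prod -> test
RDP_REPLY = Packet("tcp", "172.16.112.10", 3389, "172.16.1.5", 51000)     # test -> prod
TEST_INITIATED = Packet("tcp", "172.16.112.10", 50000, "172.16.1.5", 445)  # test -> prod
PING = Packet("icmp", "172.16.112.10", None, "172.16.1.5", None)

if __name__ == "__main__":
    for name, acl, pkt in [
        ("TO-TEST  out, RDP request", TO_TEST, RDP_REQUEST),
        ("FROM-TEST in (original), test-initiated TCP", FROM_TEST_ORIGINAL, TEST_INITIATED),
        ("FROM-TEST in (Jon), test-initiated TCP", FROM_TEST_JON, TEST_INITIATED),
        ("FROM-TEST in (Jon), RDP reply", FROM_TEST_JON, RDP_REPLY),
        ("FROM-TEST in (original), ICMP", FROM_TEST_ORIGINAL, PING),
    ]:
        print(f"{name}: {acl_action(acl, pkt)}")
```

Each scenario is evaluated on its own direction of the SVI: TO-TEST sees packets whose destination is the test vlan, FROM-TEST sees packets whose source is the test vlan, which is why a source-port match on 3389 is what distinguishes an RDP reply from a connection the test host started.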
