Block port 3389 MSTSC Cisco 3560x

Good afternoon,

I am not an expert in Cisco, so I would like some help from you guys (the experts).

I need to block port 3389 on a 3560X L3 switch.

My idea for this was to make an access-list:

ip access-list extended BLOCK_RDP
 deny   tcp any eq 3389 105.103.28.0 0.0.0.255

When I apply this on the interface, the network behind the L3 switch goes down.

When I also add permit ip any any to the access list, I can set up remote access again, and I don't want that.

Does anyone have an idea?

These are the interfaces it is about:

interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk

Thanks a lot!


5 Replies

John Blakley
VIP Alumni

Are you wanting to block this inter-VLAN or within the same VLAN?

HTH,
John

*** Please rate all useful posts ***

At this moment I have it working:

ip access-list extended BLOCK_RDP
 deny   tcp any any eq 3389
 permit ip any any

interface Vlan28
 description [* ADM 1F *]
 ip address 105.103.28.1 255.255.255.0
 ip access-group BLOCK_RDP out

Do you have an idea?

I can't access a computer in the 105.103.28.0/24 with mstsc, but I can access other computers/subnets from the 105.103.28.0/24 subnet.

So that problem is solved, but I have one more question: when I want to give access to someone who wants to go by RDP to the 105.103.28.0/24 network, how do I set this in the ACL?

I am not good with the wildcard mask.

For example, I would like to access a computer in the 105.103.28.0/24 subnet from IP 105.103.24.110/24.

Do you have an idea?

Thanks

Glad to hear you got it working. You can permit that address before the deny statement to allow them through. In your example, you could do:

ip access-list ext BLOCK_RDP
 1 permit tcp host 105.103.24.110 105.103.28.0 0.0.0.255 eq 3389
 2 permit tcp host 105.103.24.110 host 105.103.28.33 eq 3389

The line numbers are there because by default Cisco starts with 10. To insert a line where you want, you add the number. Line 1 will allow 105.103.24.110 to access anything in the 105.103.28.0/24 subnet, and line 2 will allow the same host to access ONLY 105.103.28.33 on that subnet connecting to RDP.

When you insert lines like this, it doesn't affect the existing traffic, and you don't have to remove the ACL from the interface in order to modify it. So, in my example, you can insert the lines and when you look at your access-list, you would see:

ip access-list ext BLOCK_RDP
 1 permit tcp host 105.103.24.110 105.103.28.0 0.0.0.255 eq 3389
 2 permit tcp host 105.103.24.110 host 105.103.28.33 eq 3389
 10 deny   tcp any any eq 3389
 20 permit ip any any

Make sense?

HTH,
John

*** Please rate all useful posts ***
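The two things this thread turns on are how a wildcard mask selects addresses and how the switch walks an extended ACL in sequence order with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation, fed the exact ACL lines the poster and John used. It reproduces why the first one-line ACL took the VLAN down (every non-matching flow fell through to the implicit deny) and why inserting numbered permits ahead of line 10 lets one host through without touching the deny. The auto-numbering rule (unnumbered entries get the last sequence number plus 10) is an assumption that matches the 10/20 numbers shown in the thread; everything else is plain first-match semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a model of IOS extended-ACL evaluation (first match wins,
# implicit deny at the end) using Cisco wildcard masks. Addresses and ACL
# lines are the ones from the thread; the switch itself is not involved.


def wildcard_from_prefix(prefix_len: int) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; every bit that is 0 in the wildcard must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol, otherwise e.g. "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None   # 'eq N' written right after the source
    dst_port: Optional[int] = None   # 'eq N' written right after the destination


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def add_ace(acl: List[Ace], line: str) -> Ace:
    """Add one entry. A leading number inserts at that sequence; otherwise the entry
    gets last sequence + 10 (10 for an empty list) -- an assumption modelled on the thread."""
    tokens = line.split()
    if tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    else:
        seq = (max(a.seq for a in acl) + 10) if acl else 10
    action, proto = tokens[0], tokens[1]
    src, src_wc, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)
    ace = Ace(seq, action, proto, src, src_wc, dst, dst_wc, src_port, dst_port)
    acl.append(ace)
    acl.sort(key=lambda a: a.seq)        # the switch evaluates in sequence order
    return ace


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching entry); ('deny', None) is the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


def build_original_acl() -> List[Ace]:
    """The poster's first attempt: a single deny, so every other flow hits the implicit deny."""
    acl: List[Ace] = []
    add_ace(acl, "deny tcp any eq 3389 105.103.28.0 0.0.0.255")
    return acl


def build_working_acl() -> List[Ace]:
    """The working list, entered in the thread's order: deny/permit first, then John's numbered inserts."""
    acl: List[Ace] = []
    add_ace(acl, "deny tcp any any eq 3389")
    add_ace(acl, "permit ip any any")
    add_ace(acl, "1 permit tcp host 105.103.24.110 105.103.28.0 0.0.0.255 eq 3389")
    add_ace(acl, "2 permit tcp host 105.103.24.110 host 105.103.28.33 eq 3389")
    return acl


if __name__ == "__main__":
    print("/24 wildcard:", wildcard_from_prefix(24))
    for a in build_working_acl():
        print(a.seq, a.action, a.proto, a.src, a.src_wc, a.dst, a.dst_wc, a.dst_port)
    print("original ACL, ping into VLAN 28:", evaluate(build_original_acl(), "icmp", "105.103.24.50", "105.103.28.33"))
    print("working ACL, RDP from admin host:", evaluate(build_working_acl(), "tcp", "105.103.24.110", "105.103.28.33", dst_port=3389))
    print("working ACL, RDP from other host:", evaluate(build_working_acl(), "tcp", "105.103.24.50", "105.103.28.33", dst_port=3389))
```

Running it shows the entries ordered 1, 2, 10, 20 exactly as John's listing, the ping against the original ACL answered by the implicit deny (no sequence number), RDP from 105.103.24.110 permitted by line 1, and RDP from any other host stopped by line 10 while ordinary traffic still passes on line 20.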

Yes, I understand.

Thank you so much for your explanation; I did not know about that.

My problem is solved.

Have a great day!

You too! Thank you for the rating.

HTH,
John

*** Please rate all useful posts ***