Extended Access List Logic please...
08-07-2015 05:26 AM - edited 03-08-2019 01:16 AM
Hello,
I'm trying to allow TCP port 3389 access from my PC (host 192.168.10.10) to a remote PC (10.181.10.10). My PC is part of a network with a 16-bit mask.
I've done the below configuration and applied it on the HSRP interface of the VLAN where the remote PC is configured.
ip access-list extended IMCR
permit tcp 10.181.10.10 0.0.0.15 eq 3389 host 192.168.10.10
or
permit tcp host 192.168.10.10 eq 3389 10.181.10.10 0.0.0.15
or
permit tcp 10.181.10.10 0.0.0.15 host 192.168.10.10 eq 3389
or
permit tcp host 192.168.10.10 192.168.10.10 eq 3389
What is the difference between these configurations in logic?
Many thanks in advance...
08-07-2015 05:34 AM
Firstly, you should apply the ACL to the SVI for the source PC (i.e. 192.168.10.x), but it sounds like you are applying it to the remote PC SVI.
Secondly, it depends entirely on whether you apply the ACL inbound or outbound.
So, assuming you are applying it to the remote PC VLAN (e.g. 10.181.10.x), then your first line would need to be applied inbound to the SVI, and it says:
allow the remote PC to send packets with a source port of 3389 to host 192.168.10.10. Note here that you are filtering the return traffic and not the traffic from the client PC.
The second line won't work applied either way, because 192.168.10.10 is not using port 3389, i.e. it will use a random source port.
The third line makes no sense because the source and destination IPs are the same.
Jon
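To make the direction and port-position logic in the answer above concrete, here is an added Python evaluator (not code from the thread or from Cisco) that applies Cisco wildcard-mask semantics to the entries from the question. The RDP packets and the ephemeral source port 51234 are constructed sample data; CLIENT_SIDE_ACE is a constructed entry for the client-to-server direction that the answer describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(base: str, wildcard: str, addr: str) -> bool:
    # Cisco wildcard: a 0 bit must match exactly, a 1 bit is ignored.
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(base) & care) == (_ip(addr) & care)

def parse_ace(line: str) -> dict:
    """Parse 'permit tcp <src> [eq P] <dst> [eq P]' (a subset of IOS syntax)."""
    t = line.split()
    if t[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' entries are handled")
    spec, i = {}, 2
    for side in ("src", "dst"):
        if t[i] == "host":
            spec[side], i = (t[i + 1], "0.0.0.0"), i + 2
        elif t[i] == "any":
            spec[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif i + 1 < len(t) and t[i + 1].count(".") == 3:
            spec[side], i = (t[i], t[i + 1]), i + 2
        else:  # a bare address followed by 'eq' has no wildcard mask
            raise ValueError(f"{side}: address {t[i]} needs a wildcard mask")
        spec[side + "_port"] = None
        if i < len(t) and t[i] == "eq":  # 'eq' binds to the address before it
            spec[side + "_port"], i = int(t[i + 1]), i + 2
    return spec

def ace_matches(line: str, pkt: Packet) -> bool:
    s = parse_ace(line)
    return (wildcard_match(*s["src"], pkt.src) and wildcard_match(*s["dst"], pkt.dst)
            and s["src_port"] in (None, pkt.sport) and s["dst_port"] in (None, pkt.dport))

def matching_entries(acl: List[str], pkt: Packet) -> List[int]:
    """1-based positions of the entries that match pkt, in evaluation order."""
    return [n for n, line in enumerate(acl, 1) if ace_matches(line, pkt)]

# Constructed sample flow: the client's RDP SYN and the server's reply.
FORWARD = Packet("192.168.10.10", 51234, "10.181.10.10", 3389)
RETURN = Packet("10.181.10.10", 3389, "192.168.10.10", 51234)
QUESTION_ACES = [
    "permit tcp 10.181.10.10 0.0.0.15 eq 3389 host 192.168.10.10",
    "permit tcp host 192.168.10.10 eq 3389 10.181.10.10 0.0.0.15",
    "permit tcp 10.181.10.10 0.0.0.15 host 192.168.10.10 eq 3389",
]
CLIENT_SIDE_ACE = "permit tcp host 192.168.10.10 10.181.10.0 0.0.0.15 eq 3389"  # constructed
```

Running matching_entries against FORWARD and RETURN shows that only the first entry matches anything, and only the server's return traffic, which is the point the answer makes about filtering the wrong direction.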
