271 Views | 0 Helpful | 1 Replies

Extended Access List Logic please...

haidar_alm
Level 1

Hello,

I'm trying to allow TCP port 3389 access from my PC (host 192.168.10.10) to a remote PC (10.181.10.10). My PC is part of a network with a 16-bit mask.

I've done the below configuration and applied it on the HSRP interface of the VLAN where the remote PC is configured.

 

ip access-list extended IMCR

permit tcp 10.181.10.10 0.0.0.15 eq 3389 host 192.168.10.10

or

permit tcp host 192.168.10.10 eq 3389 10.181.10.10 0.0.0.15

or

permit tcp 10.181.10.10 0.0.0.15  host 192.168.10.10 eq 3389

or

permit tcp host 192.168.10.10 192.168.10.10 eq 3389 

What is the difference between these configurations in logic?

Many thanks in advance...

1 Reply

Jon Marshall
Hall of Fame

Firstly you should apply the acl to the SVI for the source PC (ie. 192.168.10.x) but it sounds like you are applying it to the remote PC SVI.

Secondly it depends entirely on whether you apply the acl inbound or outbound.

So assuming you are applying it to the remote PC vlan eg. 10.181.10.x then your first line would need to be applied inbound to the SVI and it says -

allow the remote PC to send packets with a source port of 3389 to host 192.168.10.10. Note here that you are filtering the return traffic and not the traffic from the client PC.

The second line won't work applied either way because 192.168.10.10 is not using port 3389 ie. it will use a random source port.

The third line makes no sense because the source and destination IPs are the same.

Jon
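To make the direction and wildcard logic in the reply concrete, here is an added example that is not from the thread or from Cisco: a small Python evaluator for IOS-style extended ACEs. It masks out the host bits covered by the wildcard the way IOS does (so 10.181.10.10 0.0.0.15 really means 10.181.10.0 to 10.181.10.15), honours `host`, `any` and `eq`, and runs the four candidate lines from the question against two constructed packets: the RDP client's request as an inbound ACL on the client's SVI would see it, and the server's reply as an inbound ACL on the remote PC's SVI would see it. The ephemeral client port 51234 and the client-to-server ACE at the end are assumptions, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_net: int             # source address with wildcard-covered bits cleared
    src_wild: int
    src_port: Optional[int]  # 'eq N' on the source side, if present
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # 'eq N' on the destination side, if present


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[int, int, Optional[int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq N'."""
    if tokens[i] == "any":
        net, wild, i = 0, ALL_ONES, i + 1
    elif tokens[i] == "host":
        net, wild, i = _ip(tokens[i + 1]), 0, i + 2
    else:
        net = _ip(tokens[i])
        try:
            wild = _ip(tokens[i + 1])
        except (IndexError, ValueError):
            # IOS also rejects a bare address with no 'host' keyword or wildcard.
            raise ValueError(f"expected 'host' or a wildcard mask after {tokens[i]}") from None
        i += 2
    net &= ~wild & ALL_ONES  # IOS discards host bits covered by the wildcard
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, wild, port, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line!r}")
    src_net, src_wild, src_port, i = _parse_endpoint(t, 2)
    dst_net, dst_wild, dst_port, i = _parse_endpoint(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(t[0], t[1], src_net, src_wild, src_port, dst_net, dst_wild, dst_port)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if (_ip(pkt.src_ip) & ~ace.src_wild & ALL_ONES) != ace.src_net:
        return False
    if (_ip(pkt.dst_ip) & ~ace.dst_wild & ALL_ONES) != ace.dst_net:
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return True


def match_report(acl_lines: List[str], pkt: Packet) -> Dict[str, Union[bool, str]]:
    """Per-ACE result for one packet: True, False, or 'invalid' for a line IOS would reject."""
    out: Dict[str, Union[bool, str]] = {}
    for line in acl_lines:
        try:
            out[line] = ace_matches(parse_ace(line), pkt)
        except ValueError:
            out[line] = "invalid"
    return out


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """First match wins; the implicit 'deny ip any any' applies when nothing matches."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The four candidate ACEs from the question, as posted.
CANDIDATES = [
    "permit tcp 10.181.10.10 0.0.0.15 eq 3389 host 192.168.10.10",
    "permit tcp host 192.168.10.10 eq 3389 10.181.10.10 0.0.0.15",
    "permit tcp 10.181.10.10 0.0.0.15 host 192.168.10.10 eq 3389",
    "permit tcp host 192.168.10.10 192.168.10.10 eq 3389",
]
# Constructed packets (ephemeral port 51234 is made up): what an inbound ACL on the
# client's SVI sees, and what an inbound ACL on the remote PC's SVI sees.
CLIENT_REQUEST = Packet("tcp", "192.168.10.10", 51234, "10.181.10.10", 3389)
SERVER_REPLY = Packet("tcp", "10.181.10.10", 3389, "192.168.10.10", 51234)
# An ACE written for the client-to-server direction (assumed here, not from the thread).
CLIENT_TO_SERVER_ACE = "permit tcp host 192.168.10.10 host 10.181.10.10 eq 3389"

if __name__ == "__main__":
    for name, pkt in (("client request", CLIENT_REQUEST), ("server reply", SERVER_REPLY)):
        print(f"== {name}: {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        for line, res in match_report(CANDIDATES + [CLIENT_TO_SERVER_ACE], pkt).items():
            print(f"  {str(res):8} {line}")
```

Running it shows the first candidate matching only the server's reply (source port 3389), the second and third matching neither packet because the client's source port is ephemeral and the reply's destination port is not 3389, and the fourth rejected outright because the destination address has neither `host` nor a wildcard. Only the assumed client-to-server ACE permits the request, and only when evaluated in the client-to-server direction.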