12-18-2012 02:48 AM - edited 03-07-2019 10:40 AM
Hi,
Outbound ACL applied on Gi0/0.40 and three different IP scopes defined.
interface GigabitEthernet0/0.40
encapsulation dot1Q 10
ip address 192.168.0.254 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0 secondary
ip address 10.60.15.252 255.255.255.0
ip access-group Test out
IP access list extended Test
10 permit ip 192.168.0.0 0.0.0.255 10.62.15.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 10.62.15.0 0.0.0.255
30 permit ip 10.62.15.0 0.0.0.255 192.168.0.0 0.0.0.255
40 permit ip 10.62.15.0 0.0.0.255 192.168.1.0 0.0.0.255
50 deny ip any any log
Issue:
Whenever we try to RDP (3389) to 192.168.0.80 from 10.62.15.10,
we do not see any hits on the above ACLs, but blocks are seen on the syslog server.
Hence we explicitly added specific ACLs in both directions, and then it started working:
45 permit tcp 192.168.0.0 0.0.0.255 eq 3389 10.60.15.0 0.0.0.255
46 permit tcp 10.60.15.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 7777
Do you have any idea? We had allowed the entire subnet and it did not work (subnet to subnet).
Thanks
Sri
12-18-2012 04:47 AM
Is the "interface GigabitEthernet0/0.40" an inside-facing port or an outside-facing port?
You may try the command "ip access-group Test IN" instead of OUT so that it will match the source of the traffic.
12-18-2012 06:44 AM
Hi Bharat,
Thanks for your reply. The ACL is applied in the outbound direction.
Thanks
Sri
12-18-2012 07:15 AM
Okay,
The thing you were trying - accessing RDP (3389) on 192.168.0.80 from 10.62.15.10 - is what you have also applied in your ACL. NOTE - your source IP is 10.62.15.10 and destination 192.168.0.80, which is OK per the ACL, but I guess you might have tried to verify port access to 192.168.0.80 from the router itself, which has source IP 10.60.15.252; that's why you might get a failure report in syslog, and once you added ACL 46 it started working.
In that case host 10.62.15.10 was working but the router was getting failures. Please check that the subnet you provided, 10.62.15.0/24, is correct.
Thx!
12-18-2012 07:20 AM
No, we tried from the 10.60.15.10 system and saw deny logs on the syslog server. I am sure the subnet mask I provided (10.62.15.0/24) is correct :-)
Thanks
Sri
12-18-2012 07:22 AM
Hi,
It didn't work because the return traffic coming from 192.168.0.0/24 wasn't allowed in the ACL. You don't have an inbound ACL, so traffic goes to 192.168.0.0/24 from 10.62.15.0/24 unfiltered. For the return traffic you added a few statements and now it's OK.
Hope it will help
Sent from Cisco Technical Support iPhone App
12-18-2012 07:28 AM
Dude,
If you were sourcing the traffic from 10.60.15.10, then your ACL statements should have been like below:
IP access list extended Test
10 permit ip 192.168.0.0 0.0.0.255 10.60.15.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 10.60.15.0 0.0.0.255
30 permit ip 10.60.15.0 0.0.0.255 192.168.0.0 0.0.0.255
40 permit ip 10.60.15.0 0.0.0.255 192.168.1.0 0.0.0.255
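The whole thread turns on a one-octet typo (10.62.15.0 in the ACL versus the real 10.60.15.0/24 network). As an added example, not posted by anyone in the thread and not Cisco code, here is a small Python evaluator for the extended-ACL syntax shown above (ip/tcp, network plus wildcard mask, host, any, eq <port>, log). It applies IOS first-match, implicit-deny semantics and reports which line the RDP request from 10.60.15.10 to 192.168.0.80, and its reply, hit under Sri's original ACL versus the corrected one. Both ACLs are copied from the thread; the ephemeral source port 51000 is a constructed value.

```python
"""Added example: evaluate a packet against Cisco IOS extended ACL lines."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]
    log: bool


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care
    (the inverse of a subnet mask, so 0.0.0.255 means /24)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq <port>' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one line as printed by 'show ip access-lists', e.g.
    '45 permit tcp 192.168.0.0 0.0.0.255 eq 3389 10.60.15.0 0.0.0.255'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    src, src_wc, i = _parse_addr(tok, 3)
    sport, i = _parse_port(tok, i)
    dst, dst_wc, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    log = i < len(tok) and tok[i] == "log"
    return Ace(seq, action, proto, src, src_wc, sport, dst, dst_wc, dport, log)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' entries match every protocol; tcp/udp entries also check ports."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """Return (sequence, action) of the first matching entry.
    (None, 'deny') models the implicit deny at the end of every IOS ACL."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace_matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"


# Sri's original ACL, as posted (note 10.62.15.0 on every line).
ORIGINAL_ACL = [
    "10 permit ip 192.168.0.0 0.0.0.255 10.62.15.0 0.0.0.255",
    "20 permit ip 192.168.1.0 0.0.0.255 10.62.15.0 0.0.0.255",
    "30 permit ip 10.62.15.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "40 permit ip 10.62.15.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "50 deny ip any any log",
]

# Corrected ACL from the thread (10.60.15.0), with the same explicit deny.
CORRECTED_ACL = [
    "10 permit ip 192.168.0.0 0.0.0.255 10.60.15.0 0.0.0.255",
    "20 permit ip 192.168.1.0 0.0.0.255 10.60.15.0 0.0.0.255",
    "30 permit ip 10.60.15.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "40 permit ip 10.60.15.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "50 deny ip any any log",
]

# Constructed packets: the RDP request from the thread and its reply
# (source port 51000 is an assumed ephemeral port).
RDP_REQUEST = Packet("10.60.15.10", "192.168.0.80", "tcp", sport=51000, dport=3389)
RDP_REPLY = Packet("192.168.0.80", "10.60.15.10", "tcp", sport=3389, dport=51000)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "request ->", evaluate(acl, RDP_REQUEST),
              "reply ->", evaluate(acl, RDP_REPLY))
```

Against the original ACL both the request and the reply fall through to line 50, which is why the permit counters stayed at zero while the `log` keyword on the deny produced the syslog messages Sri saw; against the corrected ACL the request hits line 30 and the reply hits line 10. The reply is checked because 192.168.0.0/24 and 10.60.15.0/24 are both addressed on Gi0/0.40 (primary plus secondary), so traffic in either direction leaves through that subinterface and passes the outbound ACL.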
12-18-2012 07:29 AM
Actually ACL number 30 will serve your solution.
12-18-2012 07:42 AM
Bharat, you are right. It was my mistake :-(
I will update the ACL with 10.60.*.*.
Thanks again..
Sri