problem in access list

chpmotry
Level 1

hi guys.

I have two servers in my network.
The first server with IP 192.168.5.2 and the second server with IP 192.168.4.2.

[image: vlan-limit-2.JPG]
I want the user of server 192.168.4.2 to be able to remote desktop to the 192.168.5.2 server, and the user of 192.168.5.2 not to be able to remote desktop to the 192.168.4.2 server, only to open the web page of 192.168.4.2.

I entered the following commands on my core switch, but after that neither of them had web or remote desktop connectivity.
Do you think the commands I entered are incorrect?

switch-Multilayer-Core# configure terminal
ip routing
vlan 4
vlan 5
!
! Inbound ACL on the VLAN 4 SVI: evaluated against traffic arriving from VLAN 4 hosts
ip access-list extended acl-remote-vlan4-in
 permit tcp 192.168.4.2 0.0.0.0 192.168.5.2 0.0.0.0 eq 3389
 permit tcp 192.168.4.2 0.0.0.0 192.168.5.2 0.0.0.0 eq 80
 deny ip 192.168.4.0 0.0.0.255 any
 permit ip any any
!
! Inbound ACL on the VLAN 5 SVI: evaluated against traffic arriving from VLAN 5 hosts
ip access-list extended acl-remote-vlan5-in
 permit tcp 192.168.5.2 0.0.0.0 192.168.4.2 0.0.0.0 eq 80
 deny tcp 192.168.5.2 0.0.0.0 192.168.4.2 0.0.0.0 eq 3389
 deny ip 192.168.5.0 0.0.0.255 any
 permit ip any any
!
interface g0/1
 switchport mode access
 switchport access vlan 5
interface g0/2
 switchport mode access
 switchport access vlan 4
!
interface vlan 4
 ip address 192.168.4.1 255.255.255.0
 ip access-group acl-remote-vlan4-in in
interface vlan 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group acl-remote-vlan5-in in


Ramblin Tech
Spotlight

A server application binds its “listening” code to a server’s address and specifies what port number to use in its bind request to the OS. By convention, “well known” applications (e.g., ftp, ssh, telnet, smtp, http, https) bind their listeners to ports <1024 (respectively, 20/21, 22, 23, 25, 80, 443), while server applications not needing superuser privileges bind to ports in the range of 1024 - 49151.

What about client applications? A browser initiates an http connection to the server’s address on tcp port 80, but what source port does the browser use? By convention, a client should use a random port in the range of 49152 - 65535.

How does this convention of server port numbers being different from client port numbers match up against the ACLs? Let’s take the case of a browser on host 192.168.5.2 connecting to the web server on 192.168.4.2. The tcp session is initiated to dest 192.168.4.2 port 80, with source 192.168.5.2 and let’s say port 54321 (randomly assigned by the OS).

The initial SYN packet from 192.168.5.2/54321 to 192.168.4.2/80 is permitted by the interface VLAN 5 in-ACL statement “permit tcp 192.168.5.2 0.0.0.0 192.168.4.2 0.0.0.0 80”. Host 192.168.4.2 will attempt to return a tcp SYN/ACK packet to 192.168.5.2/54321; however, this will be denied by the int VLAN 4 in-ACL statement “deny ip 192.168.4.0 0.0.0.255 any”.

So, how do you deal with client port numbers? Many years ago, router administrators just permitted all tcp port numbers >1023. Later, ACLs started supporting matching against the tcp ACK flag via the “established” keyword. Use your favorite search engine to dig into access control entries which permit packets based on the “established” keyword.

Disclaimer: I am long in CSCO
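The reply above walks one packet exchange through the two ACLs by hand. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the question's ACEs that runs the SYN and the returning SYN/ACK of each session through the inbound ACLs, then repeats the check with an assumed "established" ACE (matches only TCP packets with the ACK flag set) placed ahead of each subnet deny. The ACE tuple layout, the `Packet` class and the ephemeral port 54321 are constructed for the example; source-port matching is not modelled.

```python
# Added example (not from the thread): minimal evaluator for the question's ACLs.
# Shows why both sessions fail and how an "established" ACE admits replies only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # ACK flag: clear on the initial SYN, set on every later packet

def wildcard_match(ip, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    return (to_int(ip) | to_int(wildcard)) == (to_int(net) | to_int(wildcard))

def evaluate(acl, pkt):
    """Action of the first matching ACE; implicit deny at the end of the list."""
    for action, src, swc, dst, dwc, dport, established in acl:
        if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
            continue
        if (dport is not None and pkt.dport != dport) or (established and not pkt.ack):
            continue
        return action
    return "deny"

ANY, H = ("0.0.0.0", "255.255.255.255"), "0.0.0.0"  # "any" pair; host wildcard
# ACE = (action, src, src-wildcard, dst, dst-wildcard, dst-port or None, established)
VLAN4_IN = [("permit", "192.168.4.2", H, "192.168.5.2", H, 3389, False),
            ("permit", "192.168.4.2", H, "192.168.5.2", H, 80, False),
            ("deny", "192.168.4.0", "0.0.0.255", *ANY, None, False),
            ("permit", *ANY, *ANY, None, False)]
VLAN5_IN = [("permit", "192.168.5.2", H, "192.168.4.2", H, 80, False),
            ("deny", "192.168.5.2", H, "192.168.4.2", H, 3389, False),
            ("deny", "192.168.5.0", "0.0.0.255", *ANY, None, False),
            ("permit", *ANY, *ANY, None, False)]
# Candidate fix (an assumption, not from the thread): "established" ACE ahead of each deny.
VLAN4_IN_FIXED = [("permit", "192.168.4.2", H, "192.168.5.2", H, None, True)] + VLAN4_IN
VLAN5_IN_FIXED = [("permit", "192.168.5.2", H, "192.168.4.2", H, None, True)] + VLAN5_IN

def session_allowed(client, server, port, acl_in_client_vlan, acl_in_server_vlan):
    """True if the SYN and the returning SYN/ACK both pass the inbound ACLs."""
    syn = Packet(client, server, port)
    syn_ack = Packet(server, client, 54321, ack=True)  # 54321: constructed client port
    return (evaluate(acl_in_client_vlan, syn) == "permit"
            and evaluate(acl_in_server_vlan, syn_ack) == "permit")
```

With the original ACLs both the web session (5.2 to 4.2:80) and the RDP session (4.2 to 5.2:3389) fail at the SYN/ACK; with the "established" ACEs both succeed while a new RDP session from 5.2 to 4.2 is still denied, because its SYN carries no ACK flag.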