07-29-2013 02:16 AM - edited 03-07-2019 02:38 PM
hello all,
i'm trying to grant access to a shared folder in a separated vlan. but it does not work. no connection possible. any idea?
systems are both win7 (without any firewall restriction etc.)
vlan 1 (normal office vlan) to vlan 2 (separated vlan)
interface Vlan2
description LAB
ip address 10.10.12.249 255.255.255.0
ip access-group vlan2in in
no ip redirects
no ip unreachables
no ip route-cache cef
no ip route-cache
no ip mroute-cache
standby 2 ip 10.10.12.254
standby 2 priority 50
standby 2 preempt
ip access-list extended vlan2in
permit udp 10.10.12.0 0.0.0.255 host 224.0.0.2
permit tcp 10.10.12.0 0.0.0.255 any eq 445
permit udp 10.10.12.0 0.0.0.255 any eq 445
permit tcp 10.10.12.0 0.0.0.255 eq 3389 any gt 1023 *This is working
permit icmp any any log
07-29-2013 04:02 AM
Hi Christian,
you need to add the following to your ACL:
permit udp 10.10.12.0 0.0.0.255 any range 135 139
permit tcp 10.10.12.0 0.0.0.255 any range 135 139
...this will allow the MS SMB traffic.
cheers,
Seb.
07-29-2013 04:22 AM
hi seb,
tx for your answer.
i already tried to add these lines to acl but nothing changed here.
ip access-list extended vlan2in
permit udp 10.10.12.0 0.0.0.255 host 244.0.0.2
permit udp 10.10.12.0 0.0.0.255 any range 135 netbios-ss
permit tcp 10.10.12.0 0.0.0.255 any range 135 139
permit tcp 10.10.12.0 0.0.0.255 any eq 445
permit udp 10.10.12.0 0.0.0.255 any eq 445
deny ip any any
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.0(2)SG1
07-29-2013 04:56 AM
...actually, aren't the source and destination declarations the wrong way round on your ACL?
Since traffic is incoming to VLAN 2, then the destination should be 10.10.12.0/24, so:
permit udp any 10.10.12.0 0.0.0.255 range 135 139
permit tcp any 10.10.12.0 0.0.0.255 range 135 139
deny ip any any log
...the 'log' is added so you can see what exactly is being dropped.
07-29-2013 06:22 AM
indeed you are right. this was the wrong direction...but it's still not working. how can i see the log?
07-29-2013 07:40 AM
Try the following global config:
logging buffered 6
...try to access your PCs a few times, then do a:
sh log
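An added example, not posted by anyone in the thread: a small first-match evaluator for extended ACL entries, loaded with the vlan2in list from the first post. It assumes standard IOS field order (a port operator after the source matches the source port, one after the destination matches the destination port) and the implicit deny at the end; the function names are made up for this example.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    first, second = tok.pop(0), tok.pop(0)
    return (ip(second), 0) if first == "host" else (ip(first), ip(second))

def _port(tok):
    """Consume an optional eq/gt/range operator; return inclusive (lo, hi)."""
    if not tok or tok[0] not in ("eq", "gt", "range"):
        return 0, 65535  # no operator: any port
    op, lo = tok.pop(0), int(tok.pop(0))
    if op == "range":
        return lo, int(tok.pop(0))
    return (lo, lo) if op == "eq" else (lo + 1, 65535)

def parse(line):
    """Field order: action proto SRC [src-port-op] DST [dst-port-op]."""
    tok = line.split()
    e = {"line": line, "action": tok.pop(0), "proto": tok.pop(0)}
    e["src"], e["sport"] = _addr(tok), _port(tok)
    e["dst"], e["dport"] = _addr(tok), _port(tok)
    return e

def evaluate(acl, proto, sip, sport, dip, dport):
    """Return (action, matching line); first match wins, else implicit deny."""
    for e in acl:
        # Wildcard bits set to 1 are ignored; all other bits must be equal
        ip_ok = all(((ip(a) ^ base) & ~wild & 0xFFFFFFFF) == 0
                    for a, (base, wild) in ((sip, e["src"]), (dip, e["dst"])))
        if (e["proto"] in (proto, "ip") and ip_ok
                and e["sport"][0] <= sport <= e["sport"][1]
                and e["dport"][0] <= dport <= e["dport"][1]):
            return e["action"], e["line"]
    return "deny", "(implicit deny)"

# ACL "vlan2in" as posted at the top of the thread
ACL = [parse(l) for l in (
    "permit udp 10.10.12.0 0.0.0.255 host 224.0.0.2",
    "permit tcp 10.10.12.0 0.0.0.255 any eq 445",
    "permit udp 10.10.12.0 0.0.0.255 any eq 445",
    "permit tcp 10.10.12.0 0.0.0.255 eq 3389 any gt 1023",
    "permit icmp any any log")]
```

With constructed addresses (10.10.12.20 as a VLAN 2 host, 10.10.11.30 as a host elsewhere), `evaluate(ACL, "tcp", "10.10.12.20", 3389, "10.10.11.30", 50000)` matches the fourth entry. The same packet with source port 445 falls through to the implicit deny, because the `eq 445` entries test the destination port.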