vlan issue - permit access to shared folder

Christian Maus
Level 1

hello all,

i'm trying to grant access to a shared folder in a separated vlan, but it does not work. no connection possible. any idea?

systems are both win7 (without any firewall restriction etc.)

vlan 1 (normal office vlan) to vlan 2 (separated vlan)

interface Vlan2
 description LAB
 ip address 10.10.12.249 255.255.255.0
 ip access-group vlan2in in
 no ip redirects
 no ip unreachables
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 standby 2 ip 10.10.12.254
 standby 2 priority 50
 standby 2 preempt

ip access-list extended vlan2in
 permit udp 10.10.12.0 0.0.0.255 host 224.0.0.2
 permit tcp 10.10.12.0 0.0.0.255 any eq 445
 permit udp 10.10.12.0 0.0.0.255 any eq 445
 permit tcp 10.10.12.0 0.0.0.255 eq 3389 any gt 1023   *This is working
 permit icmp any any log


Seb Rupik
VIP Alumni

Hi Christian,

you need to add the following to your ACL:

 permit udp 10.10.12.0 0.0.0.255 any range 135 139
 permit tcp 10.10.12.0 0.0.0.255 any range 135 139

...this will allow the MS SMB traffic.

cheers,

Seb.

hi seb,

tx for your answer.

i already tried to add these lines to acl but nothing changed here.

ip access-list extended vlan2in
 permit udp 10.10.12.0 0.0.0.255 host 244.0.0.2
 permit udp 10.10.12.0 0.0.0.255 any range 135 netbios-ss
 permit tcp 10.10.12.0 0.0.0.255 any range 135 139
 permit tcp 10.10.12.0 0.0.0.255 any eq 445
 permit udp 10.10.12.0 0.0.0.255 any eq 445
 deny   ip any any

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.0(2)SG1

...actually, aren't the source and destination declarations the wrong way round on your ACL?

Since traffic is incoming to VLAN 2, then the destination should be 10.10.12.0/24, so:

 permit udp any 10.10.12.0 0.0.0.255 range 135 139
 permit tcp any 10.10.12.0 0.0.0.255 range 135 139
 deny ip any any log

...the 'log' is added so you can see what exactly is being dropped.

indeed you are right. this was the wrong direction...but it still doesn't work. how can i see the log?

Try the following global config:

logging buffered 6

...try to access your PCs a few times, then do a:

sh log
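
Added example, not part of any post in this thread: a small Python first-match evaluator for the extended-ACL lines quoted in the first post, run over constructed packets as they would arrive on interface Vlan2 from a lab host, which is the traffic `ip access-group vlan2in in` filters. The host addresses, the `SMB_REPLY_ACE` entry and the function names are assumptions made for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse a subset of IOS extended-ACE syntax (numeric ports only, 'log' ignored)."""
    tok = [t for t in line.split() if t != "log"]
    action, proto, rest = tok[0], tok[1], tok[2:]
    def addr():
        first = rest.pop(0)
        if first == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if first == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network(f"{first}/{rest.pop(0)}")  # address + wildcard mask
    def ports():
        if not rest or rest[0] not in ("eq", "gt", "range"):
            return 0, 65535
        op, lo = rest.pop(0), int(rest.pop(0))
        if op == "gt":
            return lo + 1, 65535
        return lo, (int(rest.pop(0)) if op == "range" else lo)
    return action, proto, addr(), ports(), addr(), ports()

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    proto, src, sport, dst, dport = pkt
    for line in acl:
        action, ace_proto, snet, (slo, shi), dnet, (dlo, dhi) = parse_ace(line)
        if (ace_proto in ("ip", proto)
                and ipaddress.ip_address(src) in snet and slo <= sport <= shi
                and ipaddress.ip_address(dst) in dnet and dlo <= dport <= dhi):
            return action, line
    return "deny", "implicit deny"

# ACL from the first post (missing space on the udp/445 line restored).
VLAN2IN = [
    "permit udp 10.10.12.0 0.0.0.255 host 224.0.0.2",
    "permit tcp 10.10.12.0 0.0.0.255 any eq 445",
    "permit udp 10.10.12.0 0.0.0.255 any eq 445",
    "permit tcp 10.10.12.0 0.0.0.255 eq 3389 any gt 1023",
    "permit icmp any any log",
]
# Hypothetical entry: the thread's working 3389 line with the port changed to 445.
SMB_REPLY_ACE = "permit tcp 10.10.12.0 0.0.0.255 eq 445 any gt 1023"
# Constructed packets entering the switch on Vlan2; 10.10.11.20 is an assumed office host.
RDP_REPLY = ("tcp", "10.10.12.10", 3389, "10.10.11.20", 50000)
SMB_REPLY = ("tcp", "10.10.12.10", 445, "10.10.11.20", 50000)

if __name__ == "__main__":
    for pkt in (RDP_REPLY, SMB_REPLY):
        print(pkt, evaluate(VLAN2IN, pkt), evaluate(VLAN2IN + [SMB_REPLY_ACE], pkt))
```

Each output line shows a packet, the verdict under the posted ACL, and the verdict with the hypothetical entry appended.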
