
Access list on Cisco 3750 1

Status
Not open for further replies.

kunz12 (MIS), Jan 17, 2007
Guys -

I have a stack of switches (3750) that have multiple vlan's on them. One of the VLAN's has an access list applied to it in the "in" direction. The ACL has the following entries. The VLAN is numbered 101.

10 permit udp host 65.70.71.72 any eq snmp
20 permit udp host 65.70.71.74 any eq snmp
30 permit icmp any any
40 deny ip any any

The VLAN has an IP address of 65.70.71.76.

I am connecting to this stack of switches from another corporate site thru the MPLS cloud. When I try to access a server with IP address of 65.70.71.78 through RDP (port 3389), I am unable to connect. I added the following ACE to the ACL.

35 permit tcp host 65.70.71.78 host 172.16.111.248 eq 3389 (172.16.111.248 is my IP)

However when I add the following, I am able to connect through RDP fine.

35 per ip host 65.70.71.78 host 172.16.111.248

RDP uses port 3389, so not sure why adding just the first statement did not work.

Any thoughts?

Thanks!
 
It worked because you opened it up. Your connection is port 3389 going towards the device, but I believe your reply port will be a random port number assigned by the application to the connection, so when you opened it up without the port number it worked.
Seeing the ACL is "in", that means it is applied to data coming off the subnet, so that port number could be a random reply port number; you would need a sniffer to confirm, but that's my guess.
 
Viper,
Is this correct?

Client chooses random port 1024 - 65k (TCP for connection)
Client chooses that port number plus one (UDP for listening)

So initially this killed it.. (No TCP or UDP)
10 permit udp host 65.70.71.72 any eq snmp
20 permit udp host 65.70.71.74 any eq snmp
30 permit icmp any any
40 deny ip any any

Then he added this but it did not account for the UDP necessary for the listening client so no return traffic..
35 permit tcp host 65.70.71.78 host 172.16.111.248 eq 3389

But by adding IP he has successfully added UDP as well... And the router takes care of the rest of the traffic flow..
35 permit ip host 65.70.71.78 host 172.16.111.248

By the way you can check that TCP and UDP are running with a 'netstat -an' or capture with wireshark and verify each portion of the handshaking process...

I will add my usual disclaimer here.. Wait for the Pro's for confirmation!!!

B Haines
CCNA R&S, ETA FOI
 
I bet if you sniff with this back in place you will see traffic getting out...

35 permit tcp host 65.70.71.78 host 172.16.111.248 eq 3389

But not coming back in!

B Haines
CCNA R&S, ETA FOI
 
I modified the ACL to the following and now it works:

permit tcp host 65.70.71.78 eq 3389 host 172.16.111.248

I guess the connection coming back from the server has a source port of 3389 and a random destination port generated on the PC.

Thanks for your help guys!!
 
Hey kunz12,
If you have a chance would you post that complete ACL? I am curious now.. LoL

B Haines
CCNA R&S, ETA FOI
 
OK guys---I was the LEAST helpful...why the star? I mean thanks, but...huh?

Burt
 
Maczen - here's the complete ACL. Hope it helps!

10 permit udp host 65.70.71.72 any eq snmp
20 permit udp host 65.70.71.74 any eq snmp
30 permit icmp any any
35 permit tcp host 65.70.71.78 eq 3389 host 172.16.111.248
40 deny ip any any
 
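The three forms of ACE 35 discussed in the thread, evaluated against the server's reply packet by a small Cisco-style first-match ACL matcher. This is an added example, not code from the thread or from Cisco; the reply's ephemeral destination port 50123 and the variant labels are constructed for illustration.

```python
from dataclasses import dataclass

# An ACE is (proto, src_host, src_port, dst_host, dst_port); None means "any".
# "ip" as proto matches every IP protocol, as it does in a Cisco extended ACL.
SERVER, CLIENT = "65.70.71.78", "172.16.111.248"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def ace_matches(ace, pkt):
    proto, src, sport, dst, dport = ace
    if proto not in ("ip", pkt.proto):
        return False
    if src is not None and src != pkt.src:
        return False
    if sport is not None and sport != pkt.sport:
        return False
    if dst is not None and dst != pkt.dst:
        return False
    return dport is None or dport == pkt.dport

def acl_decision(acl, pkt):
    """First matching ACE wins; Cisco ACLs end with an implicit deny."""
    for action, ace in acl:
        if ace_matches(ace, pkt):
            return action
    return "deny"

# ACEs 10-30 and 40 from the thread ("eq snmp" is UDP/161).
BASE_ACL = [("permit", ("udp", "65.70.71.72", None, None, 161)),
            ("permit", ("udp", "65.70.71.74", None, None, 161)),
            ("permit", ("icmp", None, None, None, None))]
DENY_ALL = ("deny", ("ip", None, None, None, None))

# The three versions of ACE 35 tried in the thread.
ACE35_VARIANTS = {
    "tcp SERVER -> CLIENT eq 3389": ("tcp", SERVER, None, CLIENT, 3389),
    "ip SERVER -> CLIENT": ("ip", SERVER, None, CLIENT, None),
    "tcp SERVER eq 3389 -> CLIENT": ("tcp", SERVER, 3389, CLIENT, None),
}

# Constructed sample: the server's reply as the "in" ACL on the VLAN 101 SVI
# sees it. Source port is 3389; the destination port is the client's ephemeral port.
REPLY = Packet("tcp", SERVER, 3389, CLIENT, 50123)

def evaluate_variants(pkt=REPLY):
    """Decision of each candidate ACL for the reply packet."""
    return {name: acl_decision(BASE_ACL + [("permit", ace), DENY_ALL], pkt)
            for name, ace in ACE35_VARIANTS.items()}
```

Only the first variant denies the reply, because it looks for 3389 as the destination port while the server's reply carries 3389 as its source port.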