Troubleshoot an RDP ACL

Abhishek_Potdar
New Contributor
Hello All,

I am trying to create an ACL where certain subnets can RDP (port 3389) into a different subnet's hosts, while other devices can't RDP to that subnet. I am pasting the ACL I have created. Basically, the 10.8.7.X subnet should be able to RDP into the 10.18.111.X subnet using port 3389, while other subnets should get denied.
I have applied the policy to the uplink port along with the 10.18.111.X VLAN, but with no luck; it seems like the policy is ignoring my deny rules. What am I missing here?

Policies at Policy Server:
Policy: rdp
entry RDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once

Gabriel_G
Extreme Employee
Hello,

"source-port tcp" is not a valid match condition. You can find all possible match conditions and their inputs in the EXOS User Guide, page 769:
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf

AdrianO
Contributor
I don't think that "source-port tcp;" is correct. The "protocol tcp;" condition is sufficient.
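As an added example (not code from the thread and not an Extreme Networks tool), the script below parses the policy posted above, flags the "source-port tcp" condition that Gabriel_G and AdrianO point out, and then evaluates a few sample flows against the posted and the corrected versions. It assumes first-match, top-to-bottom evaluation with unmatched traffic permitted and, purely to illustrate the symptom, skips any entry whose conditions fail validation; the subset of match keywords it understands, the port-range handling, and the sample addresses 10.8.7.5, 10.9.0.1 and 10.18.111.10 are the example's own assumptions, not taken from the EXOS documentation.

```python
import ipaddress
import re

# Constructed copy of the policy from the original post, kept as posted
# (including the "source-port tcp" lines) so the validator has something to flag.
POSTED_POLICY = """\
entry RDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
}
}
"""

# Same policy with the invalid lines removed; "protocol tcp" already limits the match to TCP.
CORRECTED_POLICY = POSTED_POLICY.replace("source-port tcp ;\n", "")

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+(all|any)\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

# Assumption: only the keywords used in this thread are modelled, not the full EXOS grammar.
ADDRESS_KEYS = {"source-address", "destination-address"}
PORT_KEYS = {"source-port", "destination-port"}
PROTOCOLS = {"tcp", "udp", "icmp"}


def parse_policy(text):
    """Split 'entry NAME { if match all {...} then {...} }' blocks into dicts."""
    entries = []
    for name, mode, cond_block, action_block in ENTRY_RE.findall(text):
        conditions = []
        for item in cond_block.split(";"):
            parts = item.split(None, 1)          # keyword, then the rest as the value
            if parts:
                conditions.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
        actions = [a.split()[0] for a in action_block.split(";") if a.strip()]
        entries.append({"name": name, "mode": mode, "conditions": conditions, "actions": actions})
    return entries


def _port_range(value):
    """Return (low, high) for 'N' or 'N - M'; raise ValueError for anything else."""
    parts = value.replace("-", " ").split()
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(value)
    low, high = int(parts[0]), int(parts[-1])
    if not 0 <= low <= high <= 65535:
        raise ValueError(value)
    return low, high


def validate_entry(entry):
    """Return a list of problems; an empty list means every condition is well formed."""
    problems = []
    for key, value in entry["conditions"]:
        if key in ADDRESS_KEYS:
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"{entry['name']}: {key} expects a prefix, got {value!r}")
        elif key in PORT_KEYS:
            try:
                _port_range(value)
            except ValueError:
                problems.append(f"{entry['name']}: {key} expects a port number, got {value!r}")
        elif key == "protocol":
            if value not in PROTOCOLS and not value.isdigit():
                problems.append(f"{entry['name']}: unknown protocol {value!r}")
        else:
            problems.append(f"{entry['name']}: unsupported match condition {key!r}")
    if not entry["actions"] or entry["actions"][0] not in ("permit", "deny"):
        problems.append(f"{entry['name']}: first action must be permit or deny")
    return problems


def validate_policy(text):
    return [p for entry in parse_policy(text) for p in validate_entry(entry)]


def _matches(key, value, flow):
    if key in ADDRESS_KEYS:
        addr = flow["src"] if key == "source-address" else flow["dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    if key in PORT_KEYS:
        low, high = _port_range(value)
        return low <= (flow["sport"] if key == "source-port" else flow["dport"]) <= high
    return value == flow["proto"]            # protocol


def evaluate(text, src, dst, proto, sport, dport):
    """First-match evaluation of one flow (assumption: unmatched traffic is permitted,
    and entries that fail validation are skipped). Returns (action, entry_name)."""
    flow = {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    for entry in parse_policy(text):
        if validate_entry(entry):
            continue
        results = [_matches(k, v, flow) for k, v in entry["conditions"]]
        if all(results) if entry["mode"] == "all" else any(results):
            return entry["actions"][0], entry["name"]
    return "permit", None


if __name__ == "__main__":
    for problem in validate_policy(POSTED_POLICY):
        print("invalid:", problem)
    for label, text in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        for src, dport in (("10.8.7.5", 3389), ("10.9.0.1", 3389), ("10.9.0.1", 443)):
            print(label, src, "-> 10.18.111.10:%d" % dport, evaluate(text, src, "10.18.111.10", "tcp", 50000, dport))
```

With the policy as posted, both entries are reported as invalid and the simulation permits everything, which is the same symptom the original post describes; with the two "source-port tcp" lines removed, 10.8.7.0/24 is permitted to port 3389, every other source is denied on 3389, and other ports fall through to the implicit permit.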

Abhishek_Potdar
New Contributor
Updated the policy to add counters.
entry rDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
        count allow_acl ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
        count deny_acl ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once

Applied the policy to any port, any VLAN, yet the counter number is not increasing?

DR-Core.4 # show access-list
Vlan Name   Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
*           *      rdp           ingress   2       0
*           *      rdp           egress    2       0

DR-Core.4 # show access-list counter
Policy Name   Vlan Name   Port   Direction
    Counter Name          Packet Count   Byte Count
==================================================================
rdp           *           *      ingress
    allow_acl             0
    deny_acl              0


CThompsonEXOS
Extreme Employee
Hi,

Can you apply counters to both ACLs and then "refresh policy <policy name>"?

That will see which rule they are hitting. ACLs are done in hardware, so generally we see that the traffic isn't flowing how we think it is rather than ACLs ignoring entries/deny statements.

Thanks,
Chris Thompson