Troubleshoot an RDP ACL
‎05-11-2022 01:15 AM
Hello All,
I am trying to create an ACL where certain subnets can RDP (port 3389) into a different subnet's hosts, while other devices can't RDP to that subnet. I am pasting the ACL I have created. Basically, the 10.8.7.X subnet should be able to RDP into the 10.18.111.X subnet using port 3389, while other subnets should be denied.
I have applied the policy to the uplink port along with the 10.18.111.X VLAN, but with no luck; it seems like the policy is ignoring my deny rules. What am I missing here?
Policies at Policy Server:
Policy: rdp
entry RDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
4 REPLIES
‎05-13-2022 09:28 AM
Hello,
"source-port tcp" is not a valid match condition. You can find all possible match conditions and their inputs in the EXOS User Guide, page 769:
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf
‎05-12-2022 06:51 AM
I don't think that "source-port tcp;" is correct. The "protocol tcp;" condition is sufficient.
‎05-11-2022 10:59 AM
Updated the policy to add counters:
entry rDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
        count allow_acl ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
        count deny_acl ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
I applied the policy to any port, any VLAN, yet the counter numbers are not increasing?
DR-Core.4 # show access-list
Vlan Name   Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
*           *      rdp           ingress   2       0
*           *      rdp           egress    2       0
DR-Core.4 # show access-list counter
Policy Name   Vlan Name   Port   Direction
    Counter Name   Packet Count   Byte Count
==================================================================
rdp           *           *      ingress
    allow_acl      0
    deny_acl       0
‎05-11-2022 08:53 AM
Hi,
Can you apply counters to both ACLs and then "refresh policy <policy name>"?
That will show which rule they are hitting. ACLs are done in hardware, so generally we see that the traffic isn't flowing how we think it is rather than ACLs ignoring entries/deny statements.
Thanks,
Chris Thompson
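Added example, not part of the thread and not anyone's switch configuration: a small Python model of the policy language used above. It parses a policy, flags "source-port tcp" the way the two replies describe (the modelled grammar accepts only CIDR addresses, "protocol" and numeric ports, so service names and port ranges are assumed out of scope), and then evaluates constructed flows top-down the way the hardware ACL does: the first matching entry decides and bumps its counter, and a flow that matches no entry is permitted. The sample policy is the thread's, minus the "source-port tcp ;" line and with the destination-address the updated deny entry carries; the flows are constructed for this example.

```python
"""Toy model of an EXOS-style ACL policy (added example, not the poster's switch
config): parse entries, flag match conditions outside the small grammar modelled
here, then evaluate flows top-down as a hardware ACL does: the first matching
entry wins and bumps its counter; a flow that matches no entry is permitted."""
import ipaddress
import re

# Constructed sample input: the thread's policy without the invalid
# `source-port tcp ;` line and with a destination-address on the deny entry.
RDP_POLICY = """
entry RDP-allow {
    if match all { source-address 10.8.7.0/24 ; destination-address 10.18.111.0/24 ;
                   protocol tcp ; destination-port 3389 ; }
    then { permit ; count allow_acl ; }
}
entry default-deny {
    if match all { destination-address 10.18.111.0/24 ; protocol tcp ; destination-port 3389 ; }
    then { deny ; count deny_acl ; }
}
"""
# Constructed: the deny entry as first posted, `source-port tcp ;` included.
BROKEN_ENTRY = ("entry default-deny { if match all { source-address 0.0.0.0/0 ; protocol tcp ; "
                "source-port tcp ; destination-port 3389 ; } then { deny ; } }")

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+all\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
ADDRESS_KEYS = {"source-address", "destination-address"}
PORT_KEYS = {"source-port", "destination-port"}
KNOWN_KEYS = ADDRESS_KEYS | PORT_KEYS | {"protocol"}


def _statements(block):
    return [s.strip() for s in block.split(";") if s.strip()]


def parse_policy(text):
    """Return (entries, problems); each entry is (name, match-dict, action, counter).
    Modelled subset: CIDR addresses, `protocol`, numeric ports (no ranges or names)."""
    entries, problems = [], []
    for name, conds, actions in ENTRY_RE.findall(text):
        match = {}
        for stmt in _statements(conds):
            key, _, value = stmt.partition(" ")
            value = value.strip()
            if key not in KNOWN_KEYS:
                problems.append(f"{name}: unknown match condition '{key}'")
            elif key in PORT_KEYS and not value.isdigit():
                problems.append(f"{name}: '{key} {value}' is not a valid match condition")
            match[key] = value
        action, counter = "permit", None
        for stmt in _statements(actions):
            if stmt in ("permit", "deny"):
                action = stmt
            elif stmt.startswith("count "):
                counter = stmt.split(None, 1)[1]
        entries.append((name, match, action, counter))
    return entries, problems


def _matches(match, flow):
    """True when every condition of a `match all` block holds for the flow."""
    for key, value in match.items():
        if key in ADDRESS_KEYS:
            addr = flow["src"] if key == "source-address" else flow["dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol" and flow["proto"] != value:
            return False
        elif key in PORT_KEYS:
            port = flow["sport"] if key == "source-port" else flow["dport"]
            if port != int(value):
                return False
    return True


def evaluate(entries, flow, counters):
    """First matching entry decides and its counter is incremented; no match: permit."""
    for _name, match, action, counter in entries:
        if _matches(match, flow):
            if counter:
                counters[counter] = counters.get(counter, 0) + 1
            return action
    return "permit"


# Constructed flows; only the first two hit the thread's entries.
SAMPLE_FLOWS = [
    ("rdp-from-10.8.7", dict(src="10.8.7.10", dst="10.18.111.5", proto="tcp", sport=51234, dport=3389)),
    ("rdp-from-elsewhere", dict(src="10.20.0.9", dst="10.18.111.5", proto="tcp", sport=51235, dport=3389)),
    ("rdp-to-other-vlan", dict(src="10.20.0.9", dst="10.9.9.9", proto="tcp", sport=51236, dport=3389)),
    ("rdp-return-packets", dict(src="10.18.111.5", dst="10.8.7.10", proto="tcp", sport=3389, dport=51234)),
]


def simulate(policy_text=RDP_POLICY, flows=SAMPLE_FLOWS):
    """Return (verdict per flow label, counter values); refuses a policy with problems."""
    entries, problems = parse_policy(policy_text)
    if problems:
        raise ValueError("; ".join(problems))
    counters = {counter: 0 for _, _, _, counter in entries if counter}
    verdicts = {label: evaluate(entries, flow, counters) for label, flow in flows}
    return verdicts, counters


if __name__ == "__main__":
    print("problems:", parse_policy(BROKEN_ENTRY)[1])
    print(simulate())
```

simulate() permits the flow from 10.8.7.0/24, denies the RDP attempt from another subnet, and permits the rest, leaving allow_acl and deny_acl at 1 each. Removing the destination-address from the deny entry, as in the first version of the policy, makes the same model deny TCP/3389 to every destination from every source outside 10.8.7.0/24, including hosts in other VLANs, which is why the updated entry is the safer one. Like the switch ACL the model is stateless: the server's return packets carry source port 3389, match neither entry and pass under the implicit permit, so nothing extra is needed for the reverse direction.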
