This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Troubleshoot an RDP ACL

Troubleshoot an RDP ACL

Abhishek_Potdar
New Contributor

‎05-11-2022 01:15 AM

Hello All,

I am trying to create an ACL where certain subnets can RDP "port 3389" into a different subnet's hosts. While other devices can't RDP to that certain subnet. I am pasting the ACL, I have created. Basically, 10.8.7.X subnet should be able to RDP into 10.18.111.X subnet using port 3389. while other subnets should get denied.
I have applied the policy to the uplink port along with the 10.18.111.X vlan but with no luck, seems like the policy is ignoring my deny rules. What am I missing here? 

Policies at Policy Server:
Policy: rdp
entry RDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
}
}
Number of clients bound to policy: 1
Client: acl bound once
0 Kudos
4 REPLIES 4

Gabriel_G
Extreme Employee

‎05-13-2022 09:28 AM

Hello,

source-port tcp is not a valid match condition. You can find all possible match conditions and their inputs in the EXOS User Guide page 769:
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf
0 Kudos

AdrianO
Contributor

‎05-12-2022 06:51 AM

I don´t think that "source-port tcp;" is correct. With the "protocol tcp;" condition is sufficient.
0 Kudos

Abhishek_Potdar
New Contributor

‎05-11-2022 10:59 AM

Updated the policy to add counters 
entry rDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
count allow_acl ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
count deny_acl ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

Applied the policy to any port any vlan yet the counter number is not increasing?

DR-Core.4 # show access-list
Vlan Name Port Policy Name Dir Rules Dyn Rules
===================================================================
* * rdp ingress 2 0
* * rdp egress 2 0

DR-Core.4 # show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
rdp * * ingress
allow_acl 0
deny_acl 0


0 Kudos

CThompsonEXOS
Extreme Employee

‎05-11-2022 08:53 AM

Hi,

Can you apply counters to both ACLs and then "refresh policy <policy name>"?

That will see which rule they are hitting.  ACLs are done in hardware so generally we see that the traffic isn't flowing how we think it is rather then ACLs ignoring entries/deny statements.

Thanks,
Chris Thompson
0 Kudos
GTM-P2G8KFN