Comware


ACL to allow RDP into a VLAN.

  • 1.  ACL to allow RDP into a VLAN.

    Posted Mar 08, 2021 11:53 AM

    This is on a J9851A.


    I have the following ACL that is applied to the VLAN for network 10.3.4.0 as "in". I had to do this to limit where people at our trainings could reach as far as internal resources. What I need to do is allow us to RDP to servers that live in this VLAN.

    ip access-list extended "Training Lab"
    10 permit tcp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53
    15 permit udp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53
    20 permit tcp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 53
    25 permit udp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 53
    30 permit udp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 68
    40 permit udp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 68
    50 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 80
    60 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 443
    70 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 80
    80 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 443
    90 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 80
    100 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 443
    110 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 80
    120 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 553
    130 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 443
    140 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 80
    150 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 443
    160 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 80
    170 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 443
    180 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 80
    190 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 443
    195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
    200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0
    210 deny ip 10.3.4.0 0.0.0.255 10.0.0.0 255.0.0.0
    220 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    230 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
    240 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2001
    250 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 7001
    260 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 4001
    270 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6001
    280 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1194
    290 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
    300 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 22
    310 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 8080
    320 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    330 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53


    I thought rule 195 would allow that, and it doesn't. I have also tried this as well, with no success:


    permit tcp 192.168.250.0 0.0.0.255 10.3.4.0 0.0.0.255 eq 3389


    Do I need to change how the ACL is applied to that VLAN?


    Thank you,

    Eric



  • 2.  RE: ACL to allow RDP into a VLAN.

    Posted Mar 09, 2021 10:00 AM

    Hi Eric,

    Since your Extended ACL "Training Lab" is applied against in(coming) traffic reaching the Router (your Switch) from the VLAN id related to subnet 10.3.4.0/24, the ACE 195 you're referring to:

    195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389

    seems strange, because it means that ANY source to ANY destination will be permitted on TCP 3389 incoming into your 10.3.4.0/24 VLAN's SVI (so for traffic seen as ingressing into the Core Switch performing the routing, originated in the VLAN subnet)... if I read it correctly... it means that you're allowing any IP address to go to any IP address to perform RDP (TCP/3389)... this would for sure include any 10.3.4.0/24 host performing RDP against any other hosts outside that specific VLAN.

    I hope I have not misunderstood your description.
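As an added illustration (not code from either post), a small Python simulator of first-match ACL evaluation using the wildcard-mask reading the reply gives (0.0.0.0 255.255.255.255 = any), run over the three RDP-relevant ACEs of the posted ACL. It assumes, as the reply states, that the ACL filters traffic entering the switch from the 10.3.4.0/24 VLAN, that an unmatched packet hits the implicit deny at the end, and it uses constructed host addresses (10.3.4.50, 10.3.4.10 and 192.168.250.5) that are not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Tuple[int, int]   # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]   # destination port given with "eq", if any

def _net(addr: str, wildcard: str) -> Tuple[int, int]:
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def parse_ace(line: str) -> Ace:
    # ProVision-style ACE: "<seq> <action> <proto> <src> <src-wc> <dst> <dst-wc> [eq <port>]"
    f = line.split()
    dport = int(f[8]) if len(f) > 8 and f[7] == "eq" else None
    return Ace(int(f[0]), f[1], f[2], _net(f[3], f[4]), _net(f[5], f[6]), dport)

def _match(addr: str, net: Tuple[int, int]) -> bool:
    # Wildcard mask: 1 bits are "don't care", 0 bits must match the given address
    base, wc = net
    return (int(ipaddress.IPv4Address(addr)) | wc) == (base | wc)

def evaluate(aces, proto: str, src: str, dst: str, dport: int):
    """Return (action, seq) of the first matching ACE; seq is None for the implicit deny."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _match(src, a.src) or not _match(dst, a.dst):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.seq
    return "deny", None

# Constructed subset of the posted "Training Lab" ACL: the ACEs that decide RDP traffic
LAB_ACL = [parse_ace(l) for l in """
195 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 3389
200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0
210 deny ip 10.3.4.0 0.0.0.255 10.0.0.0 255.0.0.0
""".split("\n") if l.strip()]

if __name__ == "__main__":
    # Lab host opening RDP outward (enters the switch from the VLAN): ACE 195 permits it
    print(evaluate(LAB_ACL, "tcp", "10.3.4.50", "192.168.250.5", 3389))   # ('permit', 195)
    # Reply leg of an RDP session started from 192.168.250.5 to a lab server: the source
    # port is 3389 and the destination port is the client's ephemeral port, so 195 never matches
    print(evaluate(LAB_ACL, "tcp", "10.3.4.10", "192.168.250.5", 51000))  # ('deny', None)
```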