Solved

How to block everything except VNC

Posted on 2007-11-25
Last Modified: 2013-11-30
I've got this setup:
Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182
I'm trying to connect to the 192.168.104.0/24 machines using VNC.

Here's the running Cisco config:
no aaa new-model
ip subnet-zero
ip routing
!
ip multicast-routing distributed
no ip igmp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
<snip>
interface FastEthernet0/2
 description VNC
 no switchport
 ip address 172.20.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip pim sparse-dense-mode
!
<snip>
!
interface Vlan1
 ip address 192.168.104.182 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 permit tcp any any eq 5900
<snip>

I am unable to connect from 172.20.0.2 to any of the machines on the other side. However, if I remove 'ip access-group 100 out', everything works.

tcpdump gives me this (on the VNC server machine):
19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840 <mss 1460,sackOK,timestamp 1317510 0,nop,wscale 5>
19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792 <mss 1460,sackOK,timestamp 381899240 1317510,nop,wscale 6>

I understand that it is trying to use port 42928 (the number changes), but I do not understand why. Is there anyone out there with some knowledge about this who could help me out?
Question by: johnnybaluba

Accepted Solution by: Don Johnston (earned 500 total points), ID: 20346458
I don't know the VNC product, but I'm guessing that, like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application, so you may need to swap the in/out.

 ip access-group 100 in
 ip access-group 101 out

access-list 100 permit tcp any any eq 5900
access-list 101 permit tcp any eq 5900 any
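To make the mechanism behind the accepted answer concrete, here is an added example (not part of the original thread and not Cisco code) that models how an IOS extended ACL is evaluated: top-down, first match wins, implicit deny at the end, each interface direction checked independently and with no connection state. It replays the two tcpdump lines from the question through the original policy (ACL 100 applied both in and out on Fa0/2), the accepted fix (ACL 100 in, ACL 101 out), and a tightened variant of ACL 101 that adds Cisco's `established` keyword, which only matches segments with the ACK or RST bit set. Assumptions: Fa0/2 faces 172.20.0.0/24 (as the posted config shows), the hostname RCWP-1 resolves to a 192.168.104.0/24 server, and the reverse-direction SYN (from a made-up host 192.168.104.50, source port 5900, to port 22 on the VNC client) is a constructed packet used to show what ACL 101 as written still lets through.

```python
"""Replay the VNC handshake from the thread through stateless router ACLs.

Added example (not from the original post or from Cisco IOS).  Extended
ACLs are evaluated top-down, first match wins, implicit deny at the end,
and each direction on an interface is checked independently with no
connection state.  That is why the SYN-ACK, whose *source* port is 5900
and whose *destination* port is random, never matched
'permit tcp any any eq 5900' on the outbound check.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: FastEthernet0/2 faces 172.20.0.0/24 (matches the posted config).
FA0_2_SUBNET = ipaddress.ip_network("172.20.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    established: bool  # ACK or RST bit set, which is what 'established' keys on


@dataclass(frozen=True)
class Ace:
    """One 'access-list N permit|deny tcp ...' entry; a None port means 'any'."""
    action: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


# "IP src.sport > dst.dport: FLAGS ..." is tcpdump's classic TCP line layout.
TCPDUMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) ")


def parse_tcpdump(line: str) -> Packet:
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    src, sport, dst, dport, flags = m.groups()
    # tcpdump prints ' ack <n>' only when the ACK bit is set; 'R' in flags is RST.
    return Packet(src, int(sport), dst, int(dport),
                  established=(" ack " in line) or ("R" in flags))


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not pkt.established:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action == "permit"
    return False


def direction(pkt: Packet) -> str:
    """On Fa0/2, 'in' = entering the router from 172.20.0.0/24, else 'out'."""
    try:
        return "in" if ipaddress.ip_address(pkt.src) in FA0_2_SUBNET else "out"
    except ValueError:
        return "out"  # tcpdump resolved the server's name (RCWP-1); not our LAN


# The ACLs from the thread, plus a tightened 101 using 'established'.
ACL100 = [Ace("permit", dport=5900)]                        # permit tcp any any eq 5900
ACL101 = [Ace("permit", sport=5900)]                        # permit tcp any eq 5900 any
ACL101_EST = [Ace("permit", sport=5900, established=True)]  # ... eq 5900 any established

ORIGINAL: Dict[str, List[Ace]] = {"in": ACL100, "out": ACL100}  # the question's setup
FIXED = {"in": ACL100, "out": ACL101}                            # the accepted answer
STRICT = {"in": ACL100, "out": ACL101_EST}                       # answer + 'established'


def session_allowed(policy: Dict[str, List[Ace]], packets: List[Packet]) -> bool:
    """True only if every packet of the exchange passes its direction's ACL."""
    return all(evaluate(policy[direction(p)], p) for p in packets)


# The two tcpdump lines quoted in the question.
CAPTURE = [parse_tcpdump(line) for line in (
    "19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840 <mss 1460,sackOK,timestamp 1317510 0,nop,wscale 5>",
    "19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792 <mss 1460,sackOK,timestamp 381899240 1317510,nop,wscale 6>",
)]

# Constructed packet (assumed host and port): a machine on the 192.168.104.0/24
# side opening a NEW connection to the VNC client's port 22, choosing source
# port 5900 so that 'permit tcp any eq 5900 any' lets it through.
REVERSE_SYN = Packet("192.168.104.50", 5900, "172.20.0.2", 22, established=False)

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED), ("strict", STRICT)):
        verdict = "passes" if session_allowed(policy, CAPTURE) else "blocked"
        print(f"{name:8s} policy: VNC handshake {verdict}")
    print("sport-5900 SYN through ACL 101:            ", evaluate(ACL101, REVERSE_SYN))
    print("sport-5900 SYN through ACL 101 established:", evaluate(ACL101_EST, REVERSE_SYN))
```

The original policy blocks the SYN-ACK because the outbound check only sees destination port 42928; the accepted fix passes it because ACL 101 keys on source port 5900 instead. The caveat the model also shows: ACL 101 as written permits any host on the 192.168.104.0/24 side to open a fresh connection to any port on 172.20.0.2 simply by using source port 5900, so if the intent is "everything except VNC", add `established` to ACL 101 so only segments with ACK or RST set are permitted outbound. Even that is not connection tracking (a spoofed ACK-flagged probe still passes); for real state you would use a reflexive ACL or the IOS zone-based firewall rather than plain extended ACLs.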
 

Author Comment by: johnnybaluba, ID: 20346672
That seemed to work. I'll do some more testing tomorrow before I close this. Thanks for the input.
