Solved

How to block everything except VNC

Posted on 2007-11-25
2
802 Views
Last Modified: 2013-11-30
I've got this setup:
Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182
I'm trying to connect to the 192.168.104.0-machines using VNC

Here's the running cisco config:
no aaa new-model
ip subnet-zero
ip routing
!
ip multicast-routing distributed
no ip igmp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
<snip>
interface FastEthernet0/2
 description VNC
 no switchport
 ip address 172.20.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip pim sparse-dense-mode
!
<snip>
!
interface Vlan1
 ip address 192.168.104.182 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 permit tcp any any eq 5900
<snip>

I am unable to connect from 172.20.0.2 to any of the machines on the other side. However if I remove 'ip access-group 100 out' everything is working.

tcpdump gives me this (on VNC server machine)
19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840 <mss 1460,sackOK,timestamp 1317510 0,nop,wscale 5>
19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792 <mss 1460,sackOK,timestamp 381899240 1317510,nop,wscale 6>
 
I understand that it is trying to use port 42928 (changing number) but I do not understand why. Anyone out there with some knowledge about this that could help me out?
0
Comment
Question by:johnnybaluba
2 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 20346458
I don't know the VNC product, but I'm guessing that like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application so you may need to swap the in/out.

 ip access-group 100 in
 ip access-group 101 out

access-list 100 permit tcp any any eq 5900
access-list 101 permit tcp any eq 5900 any
0
 

Author Comment

by:johnnybaluba
ID: 20346672
That seemed to work. I'll do some more testing tomorrow before I clsoe this. Thanks for the input.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As an IT person for a call center we are always looking for tools to make our jobs easier. Well I found the ultimate application for the job. SmartCode VNC Manager gets the job done. Its easy to get up and running just run the wizard to pul…
Like many organizations, your foray into cloud computing may have started with an ancillary or security service, like email spam and virus protection. For some, the first or second step into the cloud was moving email off-premise. For others, a clou…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now