Solved

How to block everything except VNC

Posted on 2007-11-25
812 Views
Last Modified: 2013-11-30
I've got this setup:
Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182
I'm trying to connect to the 192.168.104.0 machines using VNC.

Here's the running cisco config:
no aaa new-model
ip subnet-zero
ip routing
!
ip multicast-routing distributed
no ip igmp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
<snip>
interface FastEthernet0/2
 description VNC
 no switchport
 ip address 172.20.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip pim sparse-dense-mode
!
<snip>
!
interface Vlan1
 ip address 192.168.104.182 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 permit tcp any any eq 5900
<snip>

I am unable to connect from 172.20.0.2 to any of the machines on the other side. However if I remove 'ip access-group 100 out' everything is working.

tcpdump gives me this (on the VNC server machine):
19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840 <mss 1460,sackOK,timestamp 1317510 0,nop,wscale 5>
19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792 <mss 1460,sackOK,timestamp 381899240 1317510,nop,wscale 6>
 
I understand that it is trying to use port 42928 (changing number) but I do not understand why. Anyone out there with some knowledge about this that could help me out?
Question by:johnnybaluba
2 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 20346458
I don't know the VNC product, but I'm guessing that like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application so you may need to swap the in/out.

 ip access-group 100 in
 ip access-group 101 out

access-list 100 permit tcp any any eq 5900
access-list 101 permit tcp any eq 5900 any
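To show why the single ACL breaks the handshake and the second ACL fixes it, here is an added stateless model of the two access-group directions on FastEthernet0/2 (example code written for this thread, not anything from the original posts or Cisco IOS). The VNC server address 192.168.104.10 is constructed and stands in for RCWP-1; the ports come from the tcpdump lines above.

```python
import ipaddress
from dataclasses import dataclass

# Subnet on the far side of Fa0/2, taken from the question.
HOST_NET = ipaddress.ip_network("172.20.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Entries as (action, src_port, dst_port); None means "any".
ACL_100 = [("permit", None, 5900)]   # access-list 100 permit tcp any any eq 5900
ACL_101 = [("permit", 5900, None)]   # access-list 101 permit tcp any eq 5900 any


def acl_permits(acl, pkt):
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    for action, sport, dport in acl:
        if (sport is None or pkt.sport == sport) and (dport is None or pkt.dport == dport):
            return action == "permit"
    return False


def crosses_fa0_2(in_acl, out_acl, pkt):
    """'in' filters packets arriving from 172.20.0.0/24; 'out' filters packets leaving toward it."""
    inbound = ipaddress.ip_address(pkt.src) in HOST_NET
    return acl_permits(in_acl if inbound else out_acl, pkt)


# Constructed packets mirroring the two tcpdump lines (ephemeral port 42928 -> 5900).
SYN = Packet("172.20.0.2", "192.168.104.10", 42928, 5900)
SYN_ACK = Packet("192.168.104.10", "172.20.0.2", 5900, 42928)


def original_config():
    """ACL 100 applied both in and out, as in the question."""
    return crosses_fa0_2(ACL_100, ACL_100, SYN), crosses_fa0_2(ACL_100, ACL_100, SYN_ACK)


def fixed_config():
    """ACL 100 in, ACL 101 out, as in the accepted answer."""
    return crosses_fa0_2(ACL_100, ACL_101, SYN), crosses_fa0_2(ACL_100, ACL_101, SYN_ACK)


if __name__ == "__main__":
    print("original:", original_config())  # (True, False): SYN-ACK dropped, handshake never completes
    print("fixed:   ", fixed_config())     # (True, True)
```

The model is deliberately stateless, like the ACLs themselves: ACL 101 admits any segment whose source port is 5900 regardless of whether a connection exists, which is the trade-off of filtering without stateful inspection.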
 

Author Comment

by:johnnybaluba
ID: 20346672
That seemed to work. I'll do some more testing tomorrow before I close this. Thanks for the input.
