Solved

How to block everything except VNC

Posted on 2007-11-25
2
808 Views
Last Modified: 2013-11-30
I've got this setup:
Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182
I'm trying to connect to the 192.168.104.0-machines using VNC

Here's the running cisco config:
no aaa new-model
ip subnet-zero
ip routing
!
ip multicast-routing distributed
no ip igmp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
<snip>
interface FastEthernet0/2
 description VNC
 no switchport
 ip address 172.20.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip pim sparse-dense-mode
!
<snip>
!
interface Vlan1
 ip address 192.168.104.182 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 permit tcp any any eq 5900
<snip>

I am unable to connect from 172.20.0.2 to any of the machines on the other side. However if I remove 'ip access-group 100 out' everything is working.

tcpdump gives me this (on VNC server machine)
19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840 <mss 1460,sackOK,timestamp 1317510 0,nop,wscale 5>
19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792 <mss 1460,sackOK,timestamp 381899240 1317510,nop,wscale 6>
 
I understand that it is trying to use port 42928 (changing number) but I do not understand why. Anyone out there with some knowledge about this that could help me out?
0
Comment
Question by:johnnybaluba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 20346458
I don't know the VNC product, but I'm guessing that like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application so you may need to swap the in/out.

 ip access-group 100 in
 ip access-group 101 out

access-list 100 permit tcp any any eq 5900
access-list 101 permit tcp any eq 5900 any
0
 

Author Comment

by:johnnybaluba
ID: 20346672
That seemed to work. I'll do some more testing tomorrow before I clsoe this. Thanks for the input.
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Haven’t we all been there – Mom (or Grandma) needs help on her computer, so calls her IT son (or grandson) for help.  Wouldn’t it be so much easier to just remotely connect to her computer and fix the thing rather than trying to go through it on the…
I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question