MetsJetsVA

asked on

How to set up 871 for VNC access without VPN

I am trying to access workstations via VNC in our office when I am on the road and unable to connect to VPN.  I am making an effort to access through port 5900 and have added this line in my router config

ip nat inside source static tcp 192.168.1.50 5900 interface FastEthernet4 5900

Unfortunately I am still not able to connect. Are there any other commands I need to send to the router? I am a rookie at this and am afraid to damage the router config. Thank you for any help that can be offered.
akahan

That accomplishes the forwarding, but you probably also need to open a hole in your firewall, typically something like this:

access-list 101 permit tcp any host [insert your WAN IP ADDRESS] eq 5900

MetsJetsVA (ASKER)
Thank you for your response.  I have added this command to the router and I am still unable to connect. Any more suggestions?
Are you trying to connect from a machine that's inside your network, or are you actually trying to connect from outside your network?
Right now I am inside my network but my goal is to be able to connect from outside the network.
It's not working because you are trying to do it from inside your network. Your Cisco router won't let you "double back" like that. You need to actually try it from outside your network.
Thank you again for responding.  I will try from outside my network tomorrow and post the results tomorrow night.
OK.  Before trying from outside the network: if you haven't done so already, make sure the VNC server is properly functioning on your target machine by using its LAN address from within your network, e.g.: http://192.168.1.150:5900 
Can you please show us your running configuration?
Thank you very much for replying.  Here is the running config:


Building configuration...

Current configuration : 12387 bytes
!
! Last configuration change at 18:31:14 NewYork Mon Mar 29 2010 by lou1sa
! NVRAM config last updated at 22:02:40 NewYork Sun Mar 28 2010 by lou1sa
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname va871
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 informational
logging console critical
enable secret 5 aljdkfAJJlkj332l34rj323kladf
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip multicast-routing
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW icmp
!
!
crypto pki trustpoint TP-self-signed-1716552704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1716552704
 revocation-check none
 rsakeypair TP-self-signed-1716552704
!
!
crypto pki certificate chain TP-self-signed-1716552704
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373136 35353237 3034301E 170D3036 30343235 30323439
  34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37313635
  35323730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009326 4A6FD4E3 B496A127 6FFB0978 AEFCCBE3 FB9D98CB 487C1B6A 7698C933
  4DD916A4 2B5C1835 9987C0AB D545C190 4BB176E7 2C16B4EE 11AC726D 37DEB94C
  2CE6270F 267AE2EE 79F3F305 F3C96334 84D2AD84 29516F18 53C16ADB 78608B44
  8E2270F7 0A306DBA E83C5A23 B5E3F94B F784AC31 5404F056 68DAB8B8 4484F6E7
  26F70203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14766138 37312E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014275B 8D4DB455 447178B9 902BDA7F EF01D969 4D23301D
  0603551D 0E041604 14275B8D 4DB45544 7178B990 2BDA7FEF 01D9694D 23300D06
  092A8648 86F70D01 01040500 03818100 91205B66 59911D39 37A62108 23927D32
  EE971132 A498A127 1DCD1A67 59D24EE6 D7EE446E D2276DCC FDF10A8C DEE8870E
  381444EE 85F380E0 3C07400D E41A8FE7 4351FF28 AD761C48 6E51621F 9FCEFD95
  9A9BC17C 8A155690 3F627274 628A664F BA0A35F8 B9449567 F8663503 3AB3D996
  74CA92C9 45677B7F 1CE9AD18 F0EDDEA5
  quit
username adkfj4la secret 5 adfjkjl;kj$;lalkfjkdaf 892-2.
username adf32s privilege 15 secret 5 aqdfdaf8wer33w2s22sdf344
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 63.148.18.10 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 72.68.142.2 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 71.0.93.37 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 96.56.134.66 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 67.76.162.5 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 65.166.9.167 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 74.62.213.66 no-xauth
crypto isakmp key 954123874216afasdfeasdfeeasdfs address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group allied
 key 8492641332211343afd2adfdfadfaadf123asd2
 dns 192.168.1.32 205.171.3.65
 wins 192.168.1.32
 domain alliedbrass.local
 pool SDM_POOL_1
 acl 101
 include-local-lan
!
!
crypto ipsec transform-set Client esp-des esp-md5-hmac
crypto ipsec transform-set DMVPN esp-des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set DMVPN
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set Client
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Tunnel0
 bandwidth 1400
 ip address 10.0.1.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip pim dense-mode
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 no ip mroute-cache
 delay 1000
 qos pre-classify
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 13131313
 tunnel protection ipsec profile SDM_Profile1
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 bandwidth 1536
 ip address 65.114.164.106 255.255.255.248
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
router eigrp 1
 network 10.0.0.0 0.0.255.255
 network 192.168.1.0
 no auto-summary
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.14
ip route 0.0.0.0 0.0.0.0 65.114.164.105
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip pim bidir-enable
ip nat inside source static tcp 192.168.1.50 5900 interface FastEthernet4 5900
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap notifications
logging 192.168.1.190
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.190
access-list 1 permit any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 any
access-list 100 permit gre any host 65.114.164.106
access-list 100 permit tcp any host 65.114.164.106 eq 22
access-list 100 permit tcp any host 65.114.164.106 eq 443
access-list 100 permit tcp any host 65.114.164.106 eq cmd
access-list 100 deny   tcp any host 65.114.164.106 eq telnet
access-list 100 deny   tcp any host 65.114.164.106 eq www
access-list 100 deny   udp any host 65.114.164.106 eq snmp
access-list 100 permit udp any host 65.114.164.106 eq non500-isakmp
access-list 100 permit udp any host 65.114.164.106 eq isakmp
access-list 100 permit esp any host 65.114.164.106
access-list 100 permit ahp any host 65.114.164.106
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM for NTP (123) 129.7.1.66
access-list 100 permit udp host 129.7.1.66 eq ntp host 65.114.164.106 eq ntp
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip any any
access-list 100 permit tcp any host 65.114.164.106 eq 5900
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host 65.114.164.106 eq 5900
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any any eq 5900
access-list 102 permit ip host 192.168.1.54 any
access-list 102 permit tcp host 192.168.1.190 host 192.168.1.1 eq telnet
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 102 permit tcp host 192.168.1.190 host 192.168.1.1 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 102 permit tcp host 192.168.1.190 host 192.168.1.1 eq www
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 102 permit tcp host 192.168.1.190 host 192.168.1.1 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 102 permit tcp host 192.168.1.190 host 192.168.1.1 eq cmd
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 102 deny   tcp any host 192.168.1.1 eq telnet
access-list 102 deny   tcp any host 192.168.1.1 eq 22
access-list 102 deny   tcp any host 192.168.1.1 eq www
access-list 102 deny   tcp any host 192.168.1.1 eq 443
access-list 102 deny   tcp any host 192.168.1.1 eq cmd
access-list 102 deny   udp any host 192.168.1.1 eq snmp
access-list 102 remark Auto generated by SDM for NTP (123) 129.7.1.66
access-list 102 permit udp host 129.7.1.66 eq ntp host 192.168.1.1 eq ntp
access-list 102 deny   ip 65.114.164.104 0.0.0.7 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=17
access-list 103 permit ip host 192.168.1.190 any
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 remark PAT Rule
access-list 108 remark SDM_ACL Category=2
access-list 108 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.15
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.15
access-list 108 deny   ip any 192.168.10.0 0.0.0.15
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 108 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 108
!
!
control-plane
!
banner login ^CThis is a private system,  Unauthorized access is strictly prohibited.  All access is monitored and unauthorized access attempts may be prosecuted to the fullest extent of the law.  Have a nice day.^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 103 in
 login authentication sdm_vpn_xauth_ml_2
 transport input telnet ssh
 transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175232
ntp server 129.7.1.66 source FastEthernet4 prefer
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

You'll need to add these two lines:

access-list 100 remark Permit VNC traffic
access-list 100 permit tcp any host 65.114.164.106 eq 5900

However, because you have this line "access-list 100 deny   ip any any" at the end of your ACL, you cannot simply copy and paste the above lines, and, because you're using a numbered ACL as opposed to a named ACL, you cannot insert the two lines above the deny line. In short, what you will need to do is this:

 - You'll need to take a copy of the ACL and slot my two lines somewhere near the top
 - You'll then need to issue the "no access-list 100" command
 - You will then need to paste your copy of the ACL back into the router (which will have my two lines included).

Here is an example (I have included my two commands on the 6th and 7th line below):

access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 any
access-list 100 remark Permit VNC traffic
access-list 100 permit tcp any host 65.114.164.106 eq 5900
access-list 100 permit gre any host 65.114.164.106
access-list 100 permit tcp any host 65.114.164.106 eq 22
access-list 100 permit tcp any host 65.114.164.106 eq 443
access-list 100 permit tcp any host 65.114.164.106 eq cmd
access-list 100 deny   tcp any host 65.114.164.106 eq telnet
access-list 100 deny   tcp any host 65.114.164.106 eq www
access-list 100 deny   udp any host 65.114.164.106 eq snmp
access-list 100 permit udp any host 65.114.164.106 eq non500-isakmp
access-list 100 permit udp any host 65.114.164.106 eq isakmp
access-list 100 permit esp any host 65.114.164.106
access-list 100 permit ahp any host 65.114.164.106
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.15 192.168.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM for NTP (123) 129.7.1.66
access-list 100 permit udp host 129.7.1.66 eq ntp host 65.114.164.106 eq ntp
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip any any

By the way, my ACL allows ANYONE to VNC in to your server. Do you have specific IP addresses you can use instead? The reason I ask is that allowing anyone VNC access to your server is not secure, and people who have done this before have been hacked.
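The point about ordering (a permit appended after "deny ip any any" is never reached) and the point about narrowing the source address are easy to check without touching a router. The script below is an added example, not part of this thread and not Cisco's code: it models how IOS walks a numbered access-list top to bottom, first match wins, with the implicit deny at the end. The ACLs it evaluates are constructed, modelled on access-list 100 from the running config above (the WAN address 65.114.164.106 is the one in the thread; 203.0.113.7 and 198.51.100.9 are made-up documentation addresses standing in for a known remote user and an unknown host).

```python
# Added example (not from the thread): a small model of IOS numbered-ACL
# evaluation, first match wins, implicit deny at the end. It shows why a permit
# appended after "deny ip any any" never fires, and how restricting the source
# address limits who can reach the forwarded VNC port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS prints in place of numbers (the ones seen in the config above)
PORT_NAMES = {"telnet": 23, "www": 80, "snmp": 161, "ntp": 123,
              "isakmp": 500, "non500-isakmp": 4500, "cmd": 514}


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # destination port from "eq", if present
    text: str                     # original line, for reporting


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network (set wildcard bits = don't care)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported in this model")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _wildcard_to_network(t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue                        # blank lines and remarks do not match anything
        src, i = _parse_addr(t, 4)
        _sport, i = _parse_port(t, i)       # source-port matching is ignored in this model
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append(Rule(t[2], t[3], src, dst, dport, line.strip()))
    return rules


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Walk the ACL in order; the first matching entry decides, else the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None                      # implicit deny at the end of every IOS ACL


def evaluate(acl_text: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    return first_match(parse_acl(acl_text), proto, src, dst, dport)[0]


# Constructed ACLs modelled on access-list 100 in the thread. WAN is the router's
# address from the thread; 203.0.113.7 / 198.51.100.9 are made-up test addresses.
WAN = "65.114.164.106"
ACL_APPENDED = f"""
access-list 100 permit tcp any host {WAN} eq 22
access-list 100 permit esp any host {WAN}
access-list 100 deny   ip any any
access-list 100 permit tcp any host {WAN} eq 5900
"""
ACL_INSERTED = f"""
access-list 100 permit tcp any host {WAN} eq 22
access-list 100 remark Permit VNC traffic
access-list 100 permit tcp any host {WAN} eq 5900
access-list 100 permit esp any host {WAN}
access-list 100 deny   ip any any
"""
ACL_RESTRICTED = f"""
access-list 100 permit tcp any host {WAN} eq 22
access-list 100 remark Permit VNC only from the one known remote address
access-list 100 permit tcp host 203.0.113.7 host {WAN} eq 5900
access-list 100 permit esp any host {WAN}
access-list 100 deny   ip any any
"""

if __name__ == "__main__":
    for name, acl in (("appended", ACL_APPENDED), ("inserted", ACL_INSERTED),
                      ("restricted", ACL_RESTRICTED)):
        for src in ("203.0.113.7", "198.51.100.9"):
            action, rule = first_match(parse_acl(acl), "tcp", src, WAN, 5900)
            hit = rule.text if rule else "implicit deny"
            print(f"{name:10} src={src:13} -> {action:6} via: {hit}")
```

Running it shows the "appended" list denying VNC from every source because "deny ip any any" is hit first, the "inserted" list permitting it from anywhere (the exposure the post warns about), and the "restricted" list permitting it only from the listed remote address. The same evaluation order is why the thread's procedure (copy, "no access-list 100", paste back with the new lines above the deny) is required for a numbered ACL.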
Thank you very much for getting back to me on this. Before I post this to the router, if you could let me know whether there is anything I can do about the security risk, it would be greatly appreciated.
See this page, http://www.ciscoblog.com/2006/12/configuring-a-c.html ; it is a post on a Cisco blog that I read regularly. The host allowed RDP and VNC traffic out on to the internet and was hacked, so he decided to write a blog post about how to use the two protocols securely. However, it involves a VPN, which I believe you already have for other purposes?

"I am trying to access workstations via VNC in our office when I am on the road and unable to connect to VPN."

Is there a reason why you cannot VPN in when you are out of the office?
Thanks again for getting back to me. I am trying to allow access with handheld devices via VNC, and I cannot establish a VPN with the handheld, so I thought that an IP VNC might be a good solution. If you have an alternative suggestion, that would be great.

I have tried to issue the no access-list command above and then paste the access list you provided. I thought I would just take a quick look and see if that took care of the problem. Unfortunately I am not able to paste the code back into the router. It seems to disconnect after pasting about 4 lines. I have tried with both Tera Term and HyperTerminal. Any suggestions?

Once again thanks for your help
Not a problem, I'm glad I am able to help.

Are you sure it is disconnecting you? What happens if you keep pressing enter?

Are you pasting the lines locally (directly connected to the router through a LAN cable or console cable) or are you trying to connect remotely (through a VPN connection?)

Also, try pasting the ACL in small parts, e.g. four lines at a time. The programs that people use to access their routers have buffers, so if you try to paste too much in one go, the program will not allow it.

Also, does the router keep disconnecting at the same line in the ACL? If so, what line is it?

Thanks again and it is really great that you volunteer your time to help guys like me!

In the status bar on the bottom of the terminal it shows disconnected. I did try pressing enter a number of times and that did not help.

I am pasting the lines at a remote site through a VPN. If you feel I should try this when I am local, I will work on it when I am in the office, although that will probably not be until next week some time.

It was freezing after line 3, and sometimes it got to line 4, in the code you gave me to paste.

Is there a workaround other than the link you gave me for the security risk? If not, maybe I should scrap the idea of connecting in this way. Please let me know your opinion.

Thanks
Not a problem at all, I am glad to help everyone out wherever I can :)

Hmm, lines three and four were part of your existing ACL, so they should paste AOK. How are you regaining access to the router after you get disconnected?

To be honest, if the remote devices cannot VPN or perform some sort of secure connection, then you should scrap the idea. It just isn't worth the risk.

What devices are you using? Do they have any VPN clients available for them? Also, perhaps take a look at sites like http://www.logmein.com ; basically, it allows you to VPN in just by going to a website, so you don't need to do anything over the top to set it up. (Well, you do need to install a client on the PC(s) you want to connect to.)

Another alternative that we've used (here in Australia, but I'm sure other countries would have it too): we use mobile SIM cards for 3G connections, and our ISP allows us to use an "APN" (access point name, basically a wireless profile) that, when used, automatically creates an encrypted VPN connection to our office. Perhaps your ISP could do the same?

Let me know what you think :)
ASKER CERTIFIED SOLUTION
OzNetNerd
Put me in the right direction. I really appreciate the help and having this forum available.
Thanks for the points buddy, I'm glad I could help!