FWSM - put access-list

Unanswered Question
Feb 22nd, 2007

Hi all,

I have an interface: operation (address network: Now, at FWSM: I have 2 rules for Operation network:

1. access-list acl_mdc_operation_nat0 extended permit ip any

2. access-list acl_mdc_operation_access extended permit ip any any

3. access-group acl_mdc_operation_access in interface operation

Now, I want 6 computers in operation ( to be able to connect to any, and the other computers ( to 253) in operation to be able to connect to the 6 computers by VNC. I have done 2 things:

1. I created 2 blocks: Operation Admin ( - 6) and Operation Network (

2. I put access-list:

- access-list acl_mdc_operation_access extended permit ip operation-admin any

- access-list acl_mdc_operation_access extended permit tcp operation-network operation-admin eq 5900

I don't know whether it is correct.

If you know, please answer me soon.

wdrootz Wed, 02/28/2007 - 12:30

There are a lot of things that go into configuring a firewall for a VNC connection. However, your configuration looks fine and should work.

If it doesn't, I suggest you use EchoVNC, which can be found here


It doesn't require anything to be changed on the firewall or router. Try it before making any changes to your firewall.

The other option, if you decide not to work with EchoVNC and your above config is not working, is to run an SSH client on your VNC Server; you can set up a tunnel that bypasses the firewall protecting your server. The key is to use a "remote port forward", or "reverse tunnel", initiated beforehand from an SSH client running on the target VNC Server. You'll need to connect that SSH client to an external machine which is running an SSH server. This SSH server should be any machine that can easily be reached by the VNC Viewer machine (it can even be the VNC Viewer machine itself).

Once the tunnel is created, you simply point your VNC Viewer to the tunnel endpoint you created on your SSH Server, and the data will find its way back through the SSH tunnel to the SSH client, and so into the VNC Server.

mylove142 Thu, 03/01/2007 - 05:00

Hi all,

I want to create an access-list:

Source Destination Service


Now, I want to create a service VNC in FWSM. I only know the source port is 5900; what about the destination port? If you know, please answer me soon.

mylove142 Sun, 03/04/2007 - 06:06

Hi all,

I have a rule:

Source Dest Service Interface

Any Any IP Operation

Now, I have 20 computers in Operation. I divide Operation into 2 groups: A (from Computer 1 to 6) and B (from Computer 7 to 20). First, I want the 6 computers in Group A to be able to connect to any devices in the company, and the 13 computers in Group B to be able to connect to Group A using VNC and to connect to any devices (through Group A).

I configure:

Source Dest Service Interface

A Any IP Operation

B A port 5900 Operation

However, all computers in Group B can't connect to the Internet. I want all computers in Group B to be able to connect to the Internet. How can I configure this? If you understand, please answer me.

Thank you very much.
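
Added example, not part of the thread or any poster's configuration: a first-match evaluation of the rule table in the post above, showing that once specific permit entries replace `permit ip any any`, traffic that matches no entry falls to the implicit deny at the end of the access list. All addresses are constructed (the thread's real addresses are not shown), and the `REORDERED` list is a hypothetical ordering for illustration, not a tested FWSM configuration.

```python
import ipaddress as ip

# Constructed addressing (assumption; the thread does not show real addresses)
GROUP_A = ip.ip_network("192.0.2.0/29")   # hosts .1-.6, the six admin PCs
GROUP_B = ip.ip_network("192.0.2.0/24")   # the Operation segment as a whole
ANY = ip.ip_network("0.0.0.0/0")

def rule(action, proto, src, dst, port=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

# Rule table as posted: A -> any (ip), then B -> A (tcp/5900)
POSTED = [
    rule("permit", "ip", GROUP_A, ANY),
    rule("permit", "tcp", GROUP_B, GROUP_A, 5900),
]

# Hypothetical ordering: VNC to A, block everything else to A, then the rest
REORDERED = [
    rule("permit", "ip", GROUP_A, ANY),
    rule("permit", "tcp", GROUP_B, GROUP_A, 5900),
    rule("deny", "ip", GROUP_B, GROUP_A),
    rule("permit", "ip", GROUP_B, ANY),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry.

    Entries are checked top to bottom; if none matches, the packet is
    dropped by the implicit deny and the index is None.
    """
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for i, r in enumerate(acl):
        if r["proto"] not in ("ip", proto):      # "ip" matches every protocol
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], i
    return "deny", None                          # implicit deny

if __name__ == "__main__":
    web = ("tcp", "192.0.2.50", "198.51.100.10", 443)   # Group B host to outside
    print("posted   :", evaluate(POSTED, *web))
    print("reordered:", evaluate(REORDERED, *web))
```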


