2534 Views, 20 Helpful, 2 Replies

basic ACL VNC question

mark-bear
Level 1

Hi,

We have a test network that is partitioned off the production network via a routed connection and ACLs.

But a VNC session needs to be allowed from the test network to production network AND from production to test network.

The ACL will have to be 'any source' and 'any destination' networks, and I was going to use an INbound and an OUTbound ACL on the same interface from/to the test network (i.e. with destination port eq 5900).

For example (numbered ACL 100, applied to the test-network interface with 'ip access-group 100 in' and 'ip access-group 100 out'):

access-list 100 permit tcp any any eq 5900
access-list 100 deny ip any any

But if I apply the above ACL to the egress/ingress interface to the test network, it will stop VNC traffic altogether (i.e. because the return traffic of the VNC conversation will not match port 5900, so there is no permit entry for it).

Without purchasing a firewall, is there any way I can apply a VNC ACL filter BOTH WAYS?

Thanks in anticipation.

regards

Mark

2 Replies

Pavel Bykov
Level 5

Try this instead:

ip access-list extended VNC-LIST
 permit tcp any any range 5900 5910
 permit tcp any range 5900 5910 any
 permit tcp any any range 5800 5810
 permit tcp any range 5800 5810 any
 permit tcp any any range 5500 5510
 permit tcp any range 5500 5510 any

and apply it both ways.

This ACL is per this document: http://faq.gotomyvnc.com/fom-serve/cache/52.html

It allows up to 11 VNC sessions to any machine, and it allows communication BOTH WAYS (you had allowed only one-way communication).

Hope this helps.

Please rate all helpful posts.

Thanks,
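To make the difference between the two ACLs concrete, here is an added example (my own toy code, not Cisco's and not from either poster) that evaluates the IOS extended-ACL subset used in this thread against a constructed VNC flow. It assumes, as on this page, that every address is "any", so addresses are parsed but not compared.

```python
# Added example: toy evaluator for the IOS extended-ACL subset used in this thread.
# Assumption: only "any" addresses appear here, so addresses are parsed but not compared.
from collections import namedtuple

Packet = namedtuple("Packet", "sport dport proto")  # one packet, as the ACL sees it

def parse_ace(line):
    """permit|deny tcp|ip <src> [eq N|range A B] <dst> [eq N|range A B]"""
    tok = line.split()
    def port_spec(i):  # -> ((lo, hi) or None, index of the next token)
        if i < len(tok) and tok[i] == "eq":
            return (int(tok[i + 1]),) * 2, i + 2
        if i < len(tok) and tok[i] == "range":
            return (int(tok[i + 1]), int(tok[i + 2])), i + 3
        return None, i
    sports, i = port_spec(3)        # tok[2] is the source address
    dports, _ = port_spec(i + 1)    # tok[i] is the destination address
    return tok[0], tok[1], sports, dports   # action, protocol, src ports, dst ports

def in_range(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for line in acl:
        action, proto, sports, dports = parse_ace(line)
        if (proto in ("ip", pkt.proto) and in_range(sports, pkt.sport)
                and in_range(dports, pkt.dport)):
            return action
    return "deny"

ORIGINAL = ["permit tcp any any eq 5900", "deny ip any any"]
VNC_LIST = ["permit tcp any any range 5900 5910", "permit tcp any range 5900 5910 any",
            "permit tcp any any range 5800 5810", "permit tcp any range 5800 5810 any",
            "permit tcp any any range 5500 5510", "permit tcp any range 5500 5510 any"]

# Constructed sample flow: a viewer on the test network connecting to a production
# VNC server on 5900; the server's reply carries the same ports swapped.
REQUEST = Packet(sport=51000, dport=5900, proto="tcp")
REPLY = Packet(sport=5900, dport=51000, proto="tcp")

def verdicts(acl):
    """(verdict on the client's request, verdict on the server's reply)."""
    return evaluate(acl, REQUEST), evaluate(acl, REPLY)

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))   # ('permit', 'deny')
    print("VNC-LIST:", verdicts(VNC_LIST))   # ('permit', 'permit')
```

Because the list is stateless, any TCP packet whose source port falls in 5900-5910 matches the second entry whatever its destination port; the IOS `established` keyword (matching only segments with ACK or RST set) on the return-direction entries, or a stateful firewall, narrows that.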

This works a treat.

Not only that, I've learnt something, which is always good.

Thanks a lot for your help.

regards

mark
