Help with simple access list rule

Apr 1st, 2008
Hi, I have a Cisco 877 at home. I can get to the CLI from work, but I need to access a PC via VNC that's behind the router's access lists.


The inbound access list is 101, and I want to allow my work's external IP of 1.2.3.4 through the firewall on TCP port 5900 to 1.2.3.5 only.


Is this possible, if so how might this look?

Collin Clark Tue, 04/01/2008 - 06:19

access-list 101 permit tcp host 1.2.3.4 host 1.2.3.5 eq 5900


Then apply it to the interface

interface Dialer1 (or whatever your outside interface is)

ip access-group 101 in


In case you don't have your NAT translation built yet:


ip nat inside source static tcp [inside address] 5900 interface Dialer1 5900



HTH

Martin Parry Tue, 04/01/2008 - 06:22

As this is at home, do you have a static address from your provider, or are you just overloading everything to your dialer interface? If you are just NATting to your dialer, this should work.


First set up a static NAT for that TCP port from your inside address on port 5900 to your dialer interface port 5900.


ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900


Then add a new entry into access-list 101 to permit TCP 5900 from your source address to any. It doesn't matter that it is to any, as the only host that will be mapping to port 5900 will be the host specified in the static NAT statement. You will need to remember to put this statement in prior to any deny statements you currently have in the ACL.


access-list 101 permit tcp host 1.2.3.4 any eq 5900


Hope this helps


Martin

whiteford Tue, 04/01/2008 - 06:31
Hi Martin.


I don't have a static IP; I have to use dynamic DNS to get round this.


1.2.3.5 (local PC with VNC)

1.2.3.4 (external Ip of work)


Added:


ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900


and


access-list 101 permit tcp host 1.2.3.4 any eq 5900



I gained access! Although the desktop is just a black screen, that might be the PC. I might try RDP, which I think is 3389.

Correct Answer
Martin Parry Tue, 04/01/2008 - 06:34

Good luck, let me know if you still have issues.


Martin

whiteford Tue, 04/01/2008 - 06:41
One last thing, Martin: have you used the SDM before? I just thought I'd have a look at the firewall settings in there, and I see none of my CLI access-list 101 rules. It just says access-list 101 is empty, even though the CLI shows them.


Strange eh or normal?

Martin Parry Tue, 04/01/2008 - 06:44

Hi, I have always tried to avoid the SDM. I know I probably shouldn't.


When I got my 877W, I formatted the flash: to get rid of it, and then slapped my image back on. I wrote my own outside_in ACL and used CBAC to open the holes I didn't need to bang in statically.


Martin

whiteford Tue, 04/01/2008 - 12:05
Just one other rule I need to have: I need to be able to get to the SDM on the router from my work on port 443. How would this look, and do I also need a NAT?

Collin Clark Tue, 04/01/2008 - 12:14

You don't need a NAT (because you're going directly to the device itself).


access-list 101 permit tcp host 1.2.3.4 any eq 443
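The thread shows two shapes of the VNC permit line (destination `host 1.2.3.5` in Collin's first reply, destination `any` in Martin's, which is the one that worked) and, in Collin's reply just above, a 443 permit for the router itself that needs no NAT. The reason the two shapes behave differently is IOS order of operations: for outside-to-inside traffic, the inbound ACL on the outside interface is evaluated before NAT, so at ACL time the destination is still the Dialer1 public address, not the inside host. The following is an added model written for this page, not IOS code and not anyone's posted config: it reproduces only first-match ACL evaluation with the implicit deny and the ACL-before-NAT ordering, and runs the thread's rules against constructed sample packets. The Dialer1 address `203.0.113.10` and the stranger address `198.51.100.7` are constructed placeholders; the other addresses come from the thread.

```python
"""Model of an inbound ACL on a Cisco IOS outside interface combined with a
static port-forward NAT.  Added illustration for this page; it is not IOS
code.  Only two IOS behaviours are modelled: top-down first-match ACL
evaluation ending in an implicit deny, and the outside-to-inside order in
which the inbound ACL is checked before NAT translation."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One line of an extended numbered ACL.  'any' matches every address;
    dport None means the line carries no 'eq <port>' clause."""
    action: str  # 'permit' or 'deny'
    proto: str   # 'tcp', 'udp' or 'ip' ('ip' matches every protocol)
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ('ip', pkt.proto):
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != 'any' and ip_address(want) != ip_address(have):
                return False
        return self.dport is None or self.dport == pkt.dport


def acl_decision(acl, pkt):
    """IOS stops at the first matching line; no match hits the implicit
    'deny ip any any' at the end of every ACL."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return 'deny'


def outside_to_inside(acl, nat, dialer_ip, pkt):
    """Outside-to-inside path: inbound ACL first, NAT second, so the ACL
    sees the router's own public (dialer) address as destination.
    Returns ('denied', None), ('forwarded', translated_packet),
    ('to-router', pkt) for traffic the router terminates itself, or
    ('not-for-us', None) for a destination this model does not cover."""
    if acl_decision(acl, pkt) != 'permit':
        return 'denied', None
    if pkt.dst != dialer_ip:
        return 'not-for-us', None
    entry = nat.get((pkt.proto, pkt.dport))
    if entry is None:
        return 'to-router', pkt           # e.g. HTTPS to the SDM: no NAT needed
    inside_ip, inside_port = entry
    return 'forwarded', Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)


WORK_IP = '1.2.3.4'         # from the thread: external address of work
VNC_PC = '1.2.3.5'          # from the thread: inside PC running VNC
DIALER_IP = '203.0.113.10'  # constructed: the dynamic public address on Dialer1

# ip nat inside source static tcp 1.2.3.5 5900 interface Dialer1 5900
NAT = {('tcp', 5900): (VNC_PC, 5900)}

# Candidate contents of access-list 101.
ACL_HOST_DST = [Rule('permit', 'tcp', WORK_IP, VNC_PC, 5900)]   # dst = inside host
ACL_ANY_DST = [Rule('permit', 'tcp', WORK_IP, 'any', 5900),     # dst = any
               Rule('permit', 'tcp', WORK_IP, 'any', 443)]      # SDM on the router
ACL_AFTER_DENY = [Rule('deny', 'ip', 'any', 'any'),              # existing deny first
                  Rule('permit', 'tcp', WORK_IP, 'any', 5900)]  # never reached

# Constructed sample packets as they arrive on Dialer1, before NAT.
VNC_FROM_WORK = Packet('tcp', WORK_IP, 51000, DIALER_IP, 5900)
SDM_FROM_WORK = Packet('tcp', WORK_IP, 51001, DIALER_IP, 443)
VNC_FROM_STRANGER = Packet('tcp', '198.51.100.7', 51002, DIALER_IP, 5900)


def run_scenarios():
    """Verdict for each (ACL, packet) pair discussed in the thread."""
    return {
        'host-dst / vnc from work': outside_to_inside(ACL_HOST_DST, NAT, DIALER_IP, VNC_FROM_WORK),
        'any-dst / vnc from work': outside_to_inside(ACL_ANY_DST, NAT, DIALER_IP, VNC_FROM_WORK),
        'any-dst / sdm from work': outside_to_inside(ACL_ANY_DST, NAT, DIALER_IP, SDM_FROM_WORK),
        'any-dst / vnc from stranger': outside_to_inside(ACL_ANY_DST, NAT, DIALER_IP, VNC_FROM_STRANGER),
        'permit placed after deny': outside_to_inside(ACL_AFTER_DENY, NAT, DIALER_IP, VNC_FROM_WORK),
    }


if __name__ == '__main__':
    for name, (verdict, pkt) in run_scenarios().items():
        where = f' -> {pkt.dst}:{pkt.dport}' if pkt else ''
        print(f'{name:30s} {verdict}{where}')
```

The `host 1.2.3.5` destination never matches because the packet still carries the Dialer1 address when the ACL runs; `any` matches, and the static NAT then limits what port 5900 reaches to the one inside host, which is why restricting the source to `host 1.2.3.4` is what actually bounds exposure. The 443 packet is permitted by the same ACL and, having no NAT entry, is terminated by the router itself. On a real box, `show access-lists 101` shows per-line match counters, so a line that stays at zero hits while connections fail is the quickest sign that the destination or ordering is wrong.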


Collin Clark Tue, 04/01/2008 - 06:43

Check your MTU. If you're using DSL you will need to lower it to something like 1410 (maybe lower).


Under your inside interface(s)

ip tcp adjust-mss 1410


HTH

whiteford Tue, 04/01/2008 - 06:47
Hi,


I have it set to:


ip tcp adjust-mss 1450


Can this create a problem?

Collin Clark Tue, 04/01/2008 - 07:09

VNC/RDP/Citrix don't like fragmented packets, and a typical result of a fragmented packet for those applications is a connection, but a black screen.
