Help with simple access list rule

Answered Question
Apr 1st, 2008

Hi, I have a Cisco 877 at home. I can get to the CLI from work, but need to access a PC via VNC that's behind the router's access lists.

The inbound access list is 101, and I want to allow my work's external IP of through the firewall on TCP port 5900 to only.

Is this possible, if so how might this look?

Collin Clark Tue, 04/01/2008 - 06:19

access-list 101 permit tcp host host eq 5900

Then apply it to the interface

interface Dialer1 (or whatever your outside interface is)

ip access-group 101 in

In case you don't have your NAT translation built yet:

ip nat inside source static tcp [inside address] 5900 interface Dialer1 5900


As this is at home, do you have a static address from your provider, or are you just overloading everything to your dialler interface? If you are just natting to your dialler this should work.

First set up a static nat for that tcp port from your inside address on port 5900 to your dialler interface port 5900.

ip nat inside source static tcp 5900 interface dialer1 5900

Then add a new entry into access-list 101 to permit tcp 5900 from your source address to any. It doesn't matter that it is to any, as the only host that will be mapping to port 5900 will be the host specified in the static nat statement. You will need to remember to put this statement in prior to any deny statements you currently have in the acl.

access-list 101 permit tcp any eq 5900

Hope this helps


whiteford Tue, 04/01/2008 - 06:31

Hi Martin.

I don't have a static IP; I have to use dynamic DNS to get round this. (local PC with VNC) (external IP of work)


ip nat inside source static tcp 5900 interface dialer1 5900


access-list 101 permit tcp any eq 5900

I gained access! Although the desktop is just a black screen, that might be the PC. I might try RDP, which I think is 3389.

whiteford Tue, 04/01/2008 - 06:41

One last thing, Martin: have you used the SDM before? Just thought I'd have a look at the firewall settings in there, and I see none of my CLI access-list 101 rules in there. It just says access-list 101 is empty, even though the CLI shows them.

Strange eh or normal?

whiteford Tue, 04/01/2008 - 12:05

Just one other rule I need to have: I need to be able to reach the SDM on the router from my work on port 443. How would this look, and do I also need a NAT?

Collin Clark Tue, 04/01/2008 - 12:14

You don't need a NAT (because you're going directly to the device itself).

access-list 101 permit tcp host any eq 443

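Pulling Martin's VNC rule (static NAT plus a permit placed before the existing denies) and Collin's 443 rule for the SDM together into one worked configuration. This is an added example, not the configuration posted by anyone in this thread. The addresses are assumptions: 192.168.1.10 (RFC 1918) stands in for the inside PC running VNC and 203.0.113.10 (RFC 5737 documentation range) for work's external address; Vlan1 is assumed to be the inside interface and Dialer1 the outside. It also shows how to honour the ordering point from Martin's reply on IOS 12.3 and later: editing numbered ACL 101 in named-ACL mode lets the new permits carry sequence numbers lower than the existing deny lines, whereas a plain `access-list 101 permit ...` is appended after them and never matches.

```cisco
! Added example, not from the thread. Assumed values:
!   192.168.1.10  = inside PC running VNC (RFC 1918)
!   203.0.113.10  = work's external address (RFC 5737 documentation range)
!   Vlan1 = inside interface, Dialer1 = outside (PPPoE) interface
!
! 1. Static port mapping: TCP 5900 arriving on the dialer's (dynamic) address is
!    forwarded to the PC. Only this host can ever be reached on 5900, which is why
!    the ACL below can use "any" as the destination.
ip nat inside source static tcp 192.168.1.10 5900 interface Dialer1 5900
!
! 2. Edit numbered ACL 101 in named-ACL mode so the permits get sequence numbers
!    5 and 6, ahead of existing entries (which start at 10 by default).
!    Source is restricted to work's address; destination is "any" because the
!    dialer address changes and, for 443, the router itself is the target.
ip access-list extended 101
 5 permit tcp host 203.0.113.10 any eq 5900
 6 permit tcp host 203.0.113.10 any eq 443
 exit
!
! 3. NAT roles and the inbound ACL on the outside interface (shown in case they
!    are not already applied).
interface Dialer1
 ip nat outside
 ip access-group 101 in
!
! 4. Clamp MSS on the inside interface so VNC/RDP sessions do not depend on
!    fragmentation across the PPPoE link (Collin's MTU point).
interface Vlan1
 ip nat inside
 ip tcp adjust-mss 1410
!
! Verify: the hit counters on sequence 5 and 6 should increment when you
! connect from work, and the 5900 translation should appear while the VNC
! session is up.
! show access-lists 101
! show ip nat translations
```

Two checks worth doing after pasting this: `show access-lists 101` confirms the permits sit above the deny lines (if they were appended, the counters on the permits stay at zero and the connection is refused), and `show ip nat translations` shows the 5900 mapping. Note that classic VNC (RFB) carries the session unencrypted; restricting the source to a single work address limits who can reach it, but it does not protect the traffic itself.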
Collin Clark Tue, 04/01/2008 - 06:43

Check your MTU. If you're using DSL you will need to lower it to something like 1410 (maybe lower).

Under your inside interface(s)

ip tcp adjust-mss 1410


whiteford Tue, 04/01/2008 - 06:47


I have it set to:

ip tcp adjust-mss 1450

Can this create a problem?

Collin Clark Tue, 04/01/2008 - 07:09

VNC/RDP/Citrix don't like fragmented packets, and a typical result of a fragmented packet for those applications is a connection, but a black screen.

