Help with simple access list rule

whiteford
Level 1

Hi, I have a Cisco 877 at home. I can get to the CLI from work, but need to access a PC via VNC that's behind the router's access lists.

The inbound access list is 101 and I want to allow my work's external IP of 1.2.3.4 through the firewall on TCP port 5900 to 1.2.3.5 only.

Is this possible, if so how might this look?


13 Replies

Collin Clark
VIP Alumni

access-list 101 permit tcp host 1.2.3.4 host 1.2.3.5 eq 5900

Then apply it to the interface

interface Dialer1 (or whatever your outside interface is)

ip access-group 101 in

In case you don't have your NAT translation built yet:

ip nat inside source static tcp [inside address] 5900 interface Dialer1 5900

HTH

Martin Parry
Level 3

As this is at home, do you have a static address from your provider, or are you just overloading everything to your dialler interface? If you are just natting to your dialler this should work.

First set up a static nat for that tcp port from your inside address on port 5900 to your dialler interface port 5900.

ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900

Then add a new entry into access-list 101 to permit tcp 5900 from your source address to any. It doesn't matter that it is to any, as the only host that will be mapping to port 5900 will be the host specified in the static nat statement. You will need to remember to put this statement in prior to any deny statements you currently have in the acl.

access-list 101 permit tcp host 1.2.3.4 any eq 5900

Hope this helps

Martin

Hi Martin.

I don't have a static IP; I have to use dynamic DNS to get round this.

1.2.3.5 (local PC with VNC)

1.2.3.4 (external Ip of work)

Added:

ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900

and

access-list 101 permit tcp host 1.2.3.4 any eq 5900

I gained access! Although the desktop is just a black screen, that might be the PC. I might try RDP, which I think is 3389.

Good luck, let me know if you still have issues.

Martin

One last thing Martin have you used the SDM before? Just thought I'd have a look at the firewall settings in there and I see none of my CLI access-list 101 rules in there. It just says access-list 101 is empty even though the CLI shows them.

Strange eh or normal?

Hi, I have always tried to avoid the SDM. I know I probably shouldn't.

When I got my 877W, I formatted the flash: to get rid of it, and then slapped my image back on. Wrote my own outside_in acl, and used cbac to open the holes I didn't need to bang in statically.

Martin

What is cbac? Sounds useful...

Just one other rule I need to have is I need to be able to access the SDM on the router from my work on port 443. How would this look, and do I also need a NAT?

You don't need a NAT (because you're going directly to the device itself).

access-list 101 permit tcp host 1.2.3.4 any eq 443

Check your MTU. If you're using DSL you will need to lower it to something like 1410 (maybe lower).

Under your inside interface(s)

ip tcp adjust-mss 1410

HTH

Hi,

I have it set to:

ip tcp adjust-mss 1450

Can this create a problem?

VNC/RDP/CITRIX don't like fragmented packets and a typical result of a fragmented packet for those applications is a connection, but a black screen.
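The pieces scattered across the replies above (the static PAT, the two permits, the interface binding and the MSS clamp), gathered into one configuration as an added example; this is not a config posted in the thread. It keeps the thread's addresses (1.2.3.4 for work, 1.2.3.5 for the VNC PC) and assumes Dialer1 is the outside interface and Vlan1 the inside one. The sequence numbers, the `established` line, the explicit logged deny and the `ip http access-class` restriction go beyond what the thread shows and are additions here.

```cisco
! Added example, not from the thread. 1.2.3.4 = work's external IP,
! 1.2.3.5 = inside PC running VNC (thread placeholders). Dialer1 is assumed
! to be the outside interface and Vlan1 the inside interface.
!
! Static PAT: TCP 5900 arriving on Dialer1's public address goes to the PC.
ip nat inside source static tcp 1.2.3.5 5900 interface Dialer1 5900
!
! Inbound ACL on the outside interface. Entries are evaluated top-down and the
! first match wins, so the permits must sit above the deny (the sequence
! numbers let you insert a line in front of an existing deny without
! rebuilding the list). Inbound packets are checked against this ACL before
! NAT rewrites the destination, so the destination seen here is the router's
! public address, matched with "any" as in Martin's reply, not 1.2.3.5.
ip access-list extended 101
 10 remark VNC to the PC, from work only
 10 permit tcp host 1.2.3.4 any eq 5900
 20 remark HTTPS to the router itself (SDM), from work only, no NAT needed
 20 permit tcp host 1.2.3.4 any eq 443
 30 remark return traffic for sessions started from inside (assumption: no CBAC)
 30 permit tcp any any established
 100 deny ip any any log
!
interface Dialer1
 ip access-group 101 in
 ip nat outside
!
interface Vlan1
 ip nat inside
 ! clamp TCP MSS so VNC/RDP sessions do not end up fragmented over DSL
 ip tcp adjust-mss 1410
!
! Belt and braces for the SDM port: the HTTPS server itself also only
! accepts connections from the work address (addition beyond the thread).
ip http secure-server
ip http access-class 1
access-list 1 permit host 1.2.3.4
```

After applying it, `show access-lists 101` shows per-entry hit counts, so a VNC attempt from work that increments the sequence-10 counter (and not the deny) confirms the ordering; `show ip nat translations` should list the 5900 static entry regardless of traffic.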
