04-01-2008 06:09 AM - edited 03-03-2019 09:21 PM
Hi, I have a Cisco 877 at home. I can get to the CLI from work, but need to access a PC via VNC that's behind the router's access lists.
The inbound access list is 101 and I want to allow my work's external IP of 1.2.3.4 through the firewall on TCP port 5900 to 1.2.3.5 only.
Is this possible, if so how might this look?
04-01-2008 06:19 AM
access-list 101 permit tcp host 1.2.3.4 host 1.2.3.5 eq 5900
Then apply it to the interface
interface Dialer1 (or whatever your outside interface is)
ip access-group 101 in
In case you don't have your NAT translation built yet:
ip nat inside source static tcp [inside address] 5900 interface Dialer1 5900
HTH
04-01-2008 06:22 AM
As this is at home, do you have a static address from your provider, or are you just overloading everything to your dialler interface? If you are just natting to your dialler this should work.
First set up a static nat for that tcp port from your inside address on port 5900 to your dialler interface port 5900.
ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900
Then add a new entry into access-list 101 to permit tcp 5900 from your source address to any. It doesn't matter that it is to any, as the only host that will be mapping to port 5900 will be the host specified in the static nat statement. You will need to remember to put this statement in prior to any deny statements you currently have in the acl.
access-list 101 permit tcp host 1.2.3.4 any eq 5900
Hope this helps
Martin
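As an added example (not from the thread), a small Python model of how IOS evaluates an inbound extended ACL on the outside interface and then applies the static port NAT. It shows why Martin's permit entry has to sit before the catch-all deny, and why the destination is written as any: the inbound ACL on Dialer1 is checked before NAT, so it sees the Dialer1 address as the destination, not 1.2.3.5. The Dialer1 address 203.0.113.10 and the stray source 198.51.100.7 are constructed values.

```python
# Added example, not from the thread: first-match ACL evaluation followed by
# the static NAT entry, in the order IOS applies them to an inbound packet.
from dataclasses import dataclass
from ipaddress import ip_address

DIALER_IP = "203.0.113.10"   # constructed: the address Dialer1 got from the ISP
# ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900
STATIC_NAT = {(DIALER_IP, 5900): ("1.2.3.5", 5900)}

@dataclass
class Ace:
    """One access-list 101 entry; src/dst are 'any', 'host X' or 'X WILDCARD'."""
    action: str
    src: str
    dst: str
    dport: "int | None" = None      # None means any destination port

def match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    kind, *rest = spec.split()
    if kind == "host":
        return ip_address(rest[0]) == ip_address(addr)
    net, wildcard = int(ip_address(kind)), int(ip_address(rest[0]))
    keep = 0xFFFFFFFF & ~wildcard   # wildcard 1-bits are "don't care" bits
    return (int(ip_address(addr)) & keep) == (net & keep)

def acl_lookup(acl, src, dst, dport) -> str:
    """IOS semantics: the first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if match_addr(ace.src, src) and match_addr(ace.dst, dst) and ace.dport in (None, dport):
            return ace.action
    return "deny"

def inbound(acl, src, dport):
    """Packet arriving on Dialer1: the inbound ACL runs before NAT, so the
    destination it sees is DIALER_IP; only then does static NAT rewrite it."""
    if acl_lookup(acl, src, DIALER_IP, dport) == "deny":
        return None
    return STATIC_NAT.get((DIALER_IP, dport))

# Martin's ordering: the permit sits before the catch-all deny.
ACL_OK = [Ace("permit", "host 1.2.3.4", "any", 5900), Ace("deny", "any", "any")]
# Same two lines with the permit appended after the deny: it is never reached.
ACL_WRONG_ORDER = [Ace("deny", "any", "any"), Ace("permit", "host 1.2.3.4", "any", 5900)]
# Destination written as the inside host: the pre-NAT packet never matches it.
ACL_INSIDE_DST = [Ace("permit", "host 1.2.3.4", "host 1.2.3.5", 5900), Ace("deny", "any", "any")]

if __name__ == "__main__":
    for name, acl in [("ok", ACL_OK), ("wrong order", ACL_WRONG_ORDER), ("inside dst", ACL_INSIDE_DST)]:
        print(name, inbound(acl, "1.2.3.4", 5900), inbound(acl, "198.51.100.7", 5900))
```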
04-01-2008 06:31 AM
Hi Martin.
I don't have a static IP; I have to use dynamic DNS to get round this.
1.2.3.5 (local PC with VNC)
1.2.3.4 (external IP of work)
Added:
ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900
and
access-list 101 permit tcp host 1.2.3.4 any eq 5900
I gained access! Although the desktop is just a black screen, that might be the PC. I might try RDP, which I think is 3389.
04-01-2008 06:34 AM
Good luck, let me know if you still have issues.
Martin
04-01-2008 06:41 AM
One last thing Martin have you used the SDM before? Just thought I'd have a look at the firewall settings in there and I see none of my CLI access-list 101 rules in there. It just says access-list 101 is empty even though the CLI shows them.
Strange eh or normal?
04-01-2008 06:44 AM
Hi, I have always tried to avoid the SDM. I know I probably shouldn't.
When I got my 877W, I formatted the flash: to get rid of it, and then slapped my image back on. Wrote my own outside_in acl, and used cbac to open the holes I didn't need to bang in statically.
Martin
04-01-2008 06:47 AM
What is cbac? Sounds useful...
04-01-2008 07:08 AM
Hi Andrew
Context Based Access Control
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/secconf.html
04-01-2008 12:05 PM
Just one other rule I need to have: I need to be able to access the SDM on the router from my work on port 443. How would this look, and do I also need a NAT?
04-01-2008 12:14 PM
You don't need a NAT (because you're going directly to the device itself).
access-list 101 permit tcp host 1.2.3.4 any eq 443
04-01-2008 06:43 AM
Check your MTU. If you're using DSL you will need to lower it to something like 1410 (maybe lower).
Under your inside interface(s)
ip tcp adjust-mss 1410
HTH
04-01-2008 06:47 AM
Hi,
I have it set to:
ip tcp adjust-mss 1450
Can this create a problem?
04-01-2008 07:09 AM
VNC/RDP/CITRIX don't like fragmented packets and a typical result of a fragmented packet for those applications is a connection, but a black screen.