Port forwarding not working properly

Answered Question
May 5th, 2011

All I want to do is have VNC connect on port 5950. So I want to forward traffic coming in on the external IP address on port 5950 to an internal IP address on port 5950. Here is my config:

Building configuration...

Current configuration : 21370 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****_****
!
boot-start-marker
boot system flash:c181x-adventerprisek9-mz.124-24.T4.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$r7hB$KVZ6CCm1U.n5.i4K8UHNq0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4112746227
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112746227
revocation-check none
rsakeypair TP-self-signed-4112746227
!
!
crypto pki certificate chain TP-self-signed-4112746227
certificate self-signed 01
  30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313132 37343632 3237301E 170D3131 30353034 32313036
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313237
  34363232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E019 5ECA9061 1B264BA9 00CB9644 F55859F7 E8B62916 11FF750C C1F84F99
  BB531024 D90BDF1A C4FE5841 7FC2F512 4B62F7B9 455C58D8 DFF4EE80 42EB09AE
  50BF3B90 275BF68D 01D18313 CE3BC743 E0BA0AED F1DC5214 2F2DB892 B3877BCC
  0668D120 499FE43A C54B0E79 39459CAD 8C5ADB85 29F24C6B 1C2C06E3 47DC26DC
  42450203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
  551D1104 22302082 1E4C6574 68627269 6467655F 53434144 412E3138 342E3731
  2E323031 2E363230 1F060355 1D230418 30168014 9F4E468D B29BD696 57D5DDD7
  00A6F8DC 4D7E289D 301D0603 551D0E04 1604149F 4E468DB2 9BD69657 D5DDD700
  A6F8DC4D 7E289D30 0D06092A 864886F7 0D010104 05000381 8100B6AC 3C24C20B
  D17F7078 751BF736 338B882F E24100D1 A1EECAF6 D71B850E B0174C2D 5A7CAEA5
  BB093DB4 114B75EE A9A80275 BCA107B1 61E18ADC 7F34731D 4E250248 73CB171D
  EC6CA528 A3C87A0B 35904459 5606512D 471C6C9F 870EB1A5 B38375E6 A2767E93
  5737E137 B7B8EA26 4B2B0672 4D748C75 3114EBE3 7F2A04DD 2728
        quit
dot11 syslog
no ip source-route
!
ip traffic-export profile test mode capture
  length 512
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.100.1 10.11.100.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.11.100.0 255.255.255.0
   default-router 10.11.100.1
   dns-server 64.59.135.133 64.59.135.135
!
!
ip cef
no ip bootp server
ip domain name ######
ip name-server 64.59.135.133
ip name-server 64.59.135.135
ip port-map user-protocol--1 port tcp 5950
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username administrator privilege 15 secret 5 $1$PCU8$WEWuYVom7E7CRWqrp5HtK0
username VPNuser privilege 7 secret 5 $1$p7F5$CKtOgolWRmP26ySTmhUlx0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco1811VPN address 142.179.172.39
crypto isakmp key Cisco1811VPN address 96.53.31.50
!
crypto isakmp client configuration group VPN_users
key Cisco1811VPN
pool ****_VPN
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_users
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to142.179.172.39
set peer 142.179.172.39
set transform-set ESP-3DES-SHA
match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to96.53.31.50
set peer 96.53.31.50
set transform-set ESP-3DES-SHA1
match address 106
!
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Tunnel to96.53.31.50
set peer 96.53.31.50
set transform-set ESP-3DES-SHA3
match address 111
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd remote-host sdmRe1578d5c 10.11.100.92 Le1578d5c enable
ip rcmd remote-username sdmRe1578d5c
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 115
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group name VNC_Port_Forwarding
match protocol user-protocol--1
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 113
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
match access-group 117
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
match access-group 118
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all CCP_SSLVPN
match access-group name SDM_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 101
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ICMP
match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_VPN_PT2
match access-group 116
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT0
match access-group 108
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT1
match access-group 114
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any Ping
match protocol icmp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
match access-group 119
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
match access-group 120
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Ping
match access-group name Ping
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map ICMP
match access-group name ICMP
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-cls-sdm-permit-ip-1
match access-group name VNC
class-map type inspect match-all ssh
match access-group name ssh
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  inspect
class class-default
  drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
class type inspect CCP_PPTP
  pass
class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
class type inspect sdm-cls-VPNOutsideToInside-6
  pass
class type inspect sdm-cls-VPNOutsideToInside-7
  inspect
class type inspect sdm-cls-VPNOutsideToInside-8
  pass
class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
class type inspect sdm-cls-VPNOutsideToInside-10
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-11
  pass
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-ezvpn-zone source sslvpn-zone destination ezvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-ezvpn-zone-sslvpn-zone source ezvpn-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address ###### 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_3
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2
ip unnumbered FastEthernet0
zone-member security sslvpn-zone
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.11.100.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool ****_VPN 10.11.100.50 10.11.100.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ######
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool VNC 10.11.100.10 10.11.100.10 netmask 255.255.255.0
ip nat inside source static tcp 10.11.100.10 5950 interface FastEthernet0 5950
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
!
ip access-list extended ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Ping
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended VNC
remark CCP_ACL Category=128
permit ip any host 10.11.100.10
ip access-list extended VNC_Port_Forwarding
remark CCP_ACL Category=2
permit tcp any eq 5950 host 10.11.100.10 eq 5950
ip access-list extended icmp
permit icmp any host 10.11.100.102
permit icmp host 10.11.100.102 any
permit ip any any
ip access-list extended ssh
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 184.71.201.60 0.0.0.3 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host ######
access-list 101 permit ip any host 206.75.152.126
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 142.179.172.39 any
access-list 103 permit ip host 96.53.31.50 any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 105 permit ip 10.11.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host 96.53.31.50 any
access-list 109 remark CCP_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 111 remark CCP_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 112 remark CCP_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 113 remark CCP_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 114 remark CCP_ACL Category=128
access-list 114 permit ip host 96.53.31.50 any
access-list 115 remark CCP_ACL Category=0
access-list 115 remark IPSec Rule
access-list 115 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 116 remark CCP_ACL Category=128
access-list 116 permit ip host 96.53.31.50 any
access-list 117 remark CCP_ACL Category=0
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 118 remark CCP_ACL Category=0
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 119 remark CCP_ACL Category=0
access-list 119 remark IPSec Rule
access-list 119 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
route-map SDM_RMAP_2 permit 1
match ip address 105
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler interval 500
!
webvpn gateway gateway_1
ip address ###### port 443 
http-redirect port 80
ssl trustpoint TP-self-signed-4112746227
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context ****_VPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "****_VPN"
   svc keep-client-installed
   svc split include 10.11.100.0 255.255.255.0
   svc split include 10.11.101.0 255.255.255.0
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end

Average Rating: 5 (2 ratings)
mayrojas Thu, 05/05/2011 - 11:56

Hello,

Would you please enable ip inspect log drop-pkt and send us the logs when you try the connection? That will tell us which class-map is dropping the packet so we can modify it.

Cheers

Mike

jsandau@mpe.ca Thu, 05/05/2011 - 12:19

How would I enable the ip inspect log drop-pkt, and where would I find the logs once it is enabled? (Sorry if these are dumb questions; I'm pretty new to Cisco routers.)

mayrojas Thu, 05/05/2011 - 12:28

Hi,

Like this

router# config t

router(config)# ip inspect log drop-pkt

router(config)# do term mon

Try the connection and the logs should appear on your screen. To stop them:

router(config)# do term no mon

Mike.

jsandau@mpe.ca Thu, 05/05/2011 - 12:40

Here is the log from when I enabled it until after I tried to connect via VNC:


004165: *May  5 13:33:56.234 PCTime: %FW-6-DROP_PKT: Dropping Other session 70.65.224.1:67 255.255.255.255:68 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
004166: *May  5 13:34:16.398 PCTime: %FW-6-LOG_SUMMARY: 8 packets were dropped from 70.65.224.1:67 => 255.255.255.255:68 (target:class)-(ccp-zp-out-self:class-default)
004167: *May  5 13:34:34.182 PCTime: %FW-6-DROP_PKT: Dropping Other session 70.65.224.1:67 255.255.255.255:68 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
004168: *May  5 13:35:16.398 PCTime: %FW-6-LOG_SUMMARY: 8 packets were dropped from 70.65.224.1:67 => 255.255.255.255:68 (target:class)-(ccp-zp-out-self:class-default)
004169: *May  5 13:35:29.150 PCTime: %FW-6-DROP_PKT: Dropping Other session 70.65.224.1:67 255.255.255.255:68 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
004170: *May  5 13:36:07.638 PCTime: %FW-6-DROP_PKT: Dropping Other session 142.179.171.145:51928 10.11.100.10:5950 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
004171: *May  5 13:36:16.398 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped from 70.65.224.1:67 => 255.255.255.255:68 (target:class)-(ccp-zp-out-self:class-default)
004172: *May  5 13:36:16.398 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 142.179.171.145:51928 => 10.11.100.10:5950 (target:class)-(ccp-zp-out-self:class-default)
004173: *May  5 13:36:42.126 PCTime: %FW-6-DROP_PKT: Dropping Other session 70.65.224.1:67 255.255.255.255:68 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0

The last 2 entries (the bolded ones) appeared after I tried to connect with VNC.
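To do what Mike asked for in the reply above (work out from the drop log which zone-pair and class-map is discarding the packets), here is a small parser for the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY messages. It is an added example written for this page, not code from the thread or from Cisco. The sample log is a constructed excerpt of the lines posted above, kept in the 80-column wrapped form the forum produced so that the re-joining step is exercised; the function names unwrap, parse_log, dropped_packets and blocking_policy are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few of the %FW-6 lines posted in this thread, left in the
# 80-column wrapped form the forum software produced, so unwrap() has work to do.
SAMPLE_LOG = """\
004165: *May  5 13:33:56.234 PCTime: %FW-6-DROP_PKT: Dropping Other session 70.6
5.224.1:67 255.255.255.255:68 on zone-pair ccp-zp-out-self class class-default d
ue to  DROP action found in policy-map with ip ident 0
004166: *May  5 13:34:16.398 PCTime: %FW-6-LOG_SUMMARY: 8 packets were dropped f
rom 70.65.224.1:67 => 255.255.255.255:68 (target:class)-(ccp-zp-out-self:class-d
efault)
004170: *May  5 13:36:07.638 PCTime: %FW-6-DROP_PKT: Dropping Other session 142.
179.171.145:51928 10.11.100.10:5950 on zone-pair ccp-zp-out-self class class-def
ault due to  DROP action found in policy-map with ip ident 0
004171: *May  5 13:36:16.398 PCTime: %FW-6-LOG_SUMMARY: 5 packets were dropped f
rom 70.65.224.1:67 => 255.255.255.255:68 (target:class)-(ccp-zp-out-self:class-d
efault)
004172: *May  5 13:36:16.398 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped f
rom 142.179.171.145:51928 => 10.11.100.10:5950 (target:class)-(ccp-zp-out-self:c
lass-default)
"""

# A real entry starts with the IOS sequence number ("004165: "); anything else is
# the tail of a wrapped entry.
SEQ_RE = re.compile(r"^\d{6}: ")

DROP_PKT_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) due to\s+(?P<action>\S+) action"
)
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)


@dataclass(frozen=True)
class Drop:
    kind: str        # "event" for DROP_PKT, "summary" for LOG_SUMMARY
    zone_pair: str
    class_map: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def unwrap(text: str) -> List[str]:
    """Re-join entries wrapped at 80 columns. The wrap fell mid-token, so the
    continuation is appended without a separator."""
    entries: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if SEQ_RE.match(raw) or not entries:
            entries.append(raw)
        else:
            entries[-1] += raw
    return entries


def parse_entry(entry: str) -> Optional[Drop]:
    """One re-joined syslog entry -> Drop, or None for any other message type."""
    m = DROP_PKT_RE.search(entry)
    if m:
        return Drop("event", m["zp"], m["cls"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), 1)
    m = SUMMARY_RE.search(entry)
    if m:
        return Drop("summary", m["zp"], m["cls"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), int(m["count"]))
    return None


def parse_log(text: str) -> List[Drop]:
    return [d for d in map(parse_entry, unwrap(text)) if d is not None]


def dropped_packets(text: str) -> Dict[Tuple[str, str, str, int], int]:
    """Packets dropped per (zone-pair, class-map, destination, port). Only the
    LOG_SUMMARY counters are summed, so the per-session DROP_PKT event that
    precedes each summary is not double counted."""
    totals: Counter = Counter()
    for d in parse_log(text):
        if d.kind == "summary":
            totals[(d.zone_pair, d.class_map, d.dst, d.dport)] += d.packets
    return dict(totals)


def blocking_policy(text: str, dst: str, dport: int) -> List[Tuple[str, str]]:
    """Which zone-pair / class-map combinations dropped traffic to dst:dport."""
    seen = {(d.zone_pair, d.class_map) for d in parse_log(text)
            if d.dst == dst and d.dport == dport}
    return sorted(seen)


if __name__ == "__main__":
    for key, n in sorted(dropped_packets(SAMPLE_LOG).items()):
        print(f"{n:4d} packets to {key[2]}:{key[3]} dropped by {key[0]} / {key[1]}")
    print("VNC drops came from:", blocking_policy(SAMPLE_LOG, "10.11.100.10", 5950))
```

Run against the excerpt, it reports that both the BOOTP broadcasts and the two VNC packets to 10.11.100.10:5950 were discarded by the class-default of zone-pair ccp-zp-out-self, which is what the posted log shows and what the next replies in the thread act on.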

mayrojas Thu, 05/05/2011 - 14:56

Pls remove the following command:

ip nat pool VNC 10.11.100.10 10.11.100.10 netmask 255.255.255.0

Thx

Mikey

jsandau@mpe.ca Thu, 05/05/2011 - 15:04

I typed in no ip nat pool VNC 10.11.100.10 10.11.100.10 netmask 255.255.255.0 at the terminal config, and it seems to have removed the ip nat entry, but I still vnc into the computer.

mayrojas Thu, 05/05/2011 - 15:50

Hi,

Can you take out the zone-pair from out to self just for testing purposes?

Mike

mayrojas Thu, 05/05/2011 - 16:05

router(config)#no zone-pair security ccp-zp-out-self source out-zone destination self

If after that it doesn't work, collect the logs again.

Mike

jsandau@mpe.ca Fri, 05/06/2011 - 07:28


What does the command no zone-pair security ccp-zp-out-self source out-zone destination self actually do? Because I was doing this over a remote connection and as soon as I entered the command I lost connection and haven't been able to restore it.

mayrojas Fri, 05/06/2011 - 09:27

Hi,

It takes out the security policy from outside to the router (connections to the router such as telnet, SSH, etc.). You shouldn't have any problems connecting to the router. However, if you are, you can still connect from the inside. Did the VNC work?

Mike.

jsandau@mpe.ca Fri, 05/06/2011 - 10:10

VNC still isn't working from the outside. The site-to-site VPN that is set up (VPN to a 2nd office with a similar setup) is still working, but I can't ping the router from inside the site-to-site VPN. I can ping the internal computer with VNC on it (10.11.100.10), but I can't VNC into it.

mayrojas Fri, 05/06/2011 - 14:16

Can you try to ssh to the Outside IP of the router without connecting to VPN?

Mike

mayrojas Fri, 05/06/2011 - 15:46

That doesn't sound right... Can you try to remote desktop to one of the internal machines and do SSH or telnet to the router from the remote desktop?

Mike

Correct Answer
Loren Kolnes Thu, 05/05/2011 - 16:27

Hi,

After reviewing your configuration it looks like the access-list "VNC_Port_Forwarding" is misconfigured. Can you remove the source port 5950 and test again?

ip access-list extended VNC_Port_Forwarding

permit tcp any host 10.11.100.10 eq 5950
no permit tcp any eq 5950 host 10.11.100.10 eq 5950

Thanks,

Loren
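Why dropping the source port is the right fix, as an added example that is not code from the thread or from Cisco: a TCP client picks an ephemeral source port for each connection (51928 in the drop log above), so an entry that also requires eq 5950 on the source side never matches a real VNC session. The Python below models first-match evaluation of an IOS extended ACL for the any / host / wildcard address forms and the numeric eq port operator, then runs the poster's original entry and Loren's corrected one against a packet constructed from the log. Packet, Ace, parse_ace and evaluate are my own names; named services, port ranges and the established keyword are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[int, int]         # (address, wildcard mask) as 32-bit ints
    sport: Optional[int]         # None when no source 'eq' operator was given
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_target(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Only the numeric 'eq N' operator is modelled (no ranges, no service names)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    src, i = _parse_target(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_target(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return Ace(tokens[0], tokens[1], src, sport, dst, dport, line)


def _addr_matches(target: Tuple[int, int], addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = target
    return (_ip(addr) & ~wild) == (net & ~wild)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None


# The entry from the poster's config, and the one the accepted answer replaces it with.
ORIGINAL_ACL = ["permit tcp any eq 5950 host 10.11.100.10 eq 5950"]
FIXED_ACL = ["permit tcp any host 10.11.100.10 eq 5950"]

# Constructed from the drop log in the thread: a VNC client using an ephemeral
# source port, which is what every real client does.
VNC_CLIENT = Packet("tcp", "142.179.171.145", 51928, "10.11.100.10", 5950)

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_ACL, VNC_CLIENT))
    print("fixed:   ", evaluate(FIXED_ACL, VNC_CLIENT))
```

The original entry only matches a client whose source port happens to be 5950, so the connection from the log falls through to the implicit deny; the corrected entry matches it on destination address and port alone, which is the only thing a port forward can rely on.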

This Discussion

Posted May 5, 2011 at 10:57 AM
Stats:
Replies:17 Avg. Rating:5
Views:879 Votes:0
Shares:0