Cisco Support Community

New Member

FWSW - put access-list

Hi all,

I have an interface: operation (address network: Now, at FWSM: I have 2 rules for the Operation network:

1. access-list acl_mdc_operation_nat0 extended permit ip any

2. access-list acl_mdc_operation_access extended permit ip any any

3. access-group acl_mdc_operation_access in interface operation

Now, I want 6 computers in operation ( to be able to connect to any, and the other computers ( to 253) in operation to be able to connect to the 6 computers by VNC. I have done 2 things:

1. I created 2 blocks: Operation Admin ( - 6) and Operation Network (

2. I added the access-lists:

- access-list acl_mdc_operation_access extended permit ip operation-admin any

- access-list acl_mdc_operation_access extended permit tcp operation-network operation-admin eq 5900

I don't know if it is correct.

If you know, please answer me early.


Re: FWSW - put access-list

There are a lot of things that go into configuring a firewall for a VNC connection. However, your configuration looks fine and should work.

If it doesn't, I suggest you use EchoVNC, which can be found here

It doesn't require anything to be changed on the firewall or router. Try it before making any changes to your firewall.

Another option, if you decide not to work with EchoVNC and your above config is not working, is to run an SSH client on your VNC Server; you can set up a tunnel that bypasses the firewall protecting your server. The key is to use a "remote port forward", or "reverse tunnel", initiated beforehand from an SSH client running on the target VNC Server. You'll need to connect that SSH client to an external machine which is running an SSH server. This SSH server should be any machine that can easily be reached by the VNC Viewer machine (it can even be the VNC Viewer machine itself).

Once the tunnel is created, you simply point your VNC Viewer to the tunnel endpoint you created on your SSH Server, and the data will find its way back through the SSH tunnel to the SSH client, and so into the VNC Server.

New Member

Re: FWSW - put access-list

Hi all,

I want to create an access-list:

source destination service


Now, I want to create a service VNC in FWSM. I only know the source port is 5900; what about the destination port? If you know, please answer me early.

New Member

Re: FWSW - put access-list

Hi all,

I have a rule:

Source  Dest  Service    Interface
Any     Any   IP         Operation

Now, I have 20 computers in Operation. I divided Operation into 2 groups: A (from Computer 1 to 6) and B (from Computer 7 to 20). First, I want the 6 computers in Group A to be able to connect to any devices in the company, and the 13 computers in Group B to be able to connect to Group A by using VNC and to connect to any devices (through Group A).

I configure:

Source  Dest  Service    Interface
A       Any   IP         Operation
B       A     port 5900  Operation

However, none of the computers in Group B can connect to the Internet. I want all computers in Group B to be able to connect to the Internet. How can I configure this? If you understand, please answer me.

Thank you very much.
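
Why Group B loses Internet access with the two rules in the last post, as an added example (not code from the thread or from Cisco): a first-match ACL evaluator with the implicit deny at the end. All addresses are constructed, and the two extra permits in FIXED_ACL are a hypothetical illustration of where an outbound rule for Group B would go.

```python
import ipaddress

# Constructed addresses (the thread's real ones are not shown).
GROUP_A = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 7)}    # computers 1-6
GROUP_B = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(7, 21)}   # computers 7-20
ANY = None  # wildcard: matches every address

# Rule layout: (action, protocol, source, destination, destination port)
POSTED_ACL = [
    ("permit", "ip", GROUP_A, ANY, None),        # A -> any, IP
    ("permit", "tcp", GROUP_B, GROUP_A, 5900),   # B -> A, VNC
]

# Hypothetical additions (not from the thread): let B reach web ports anywhere.
FIXED_ACL = POSTED_ACL + [
    ("permit", "tcp", GROUP_B, ANY, 80),
    ("permit", "tcp", GROUP_B, ANY, 443),
]

def addr_match(group, addr):
    """True when the rule's address field is the wildcard or contains addr."""
    return group is ANY or addr in group

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, rule number) of the first matching rule, top down."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl, 1):
        if r_proto not in ("ip", proto):
            continue  # a tcp rule does not match udp; an ip rule matches both
        if not (addr_match(r_src, src) and addr_match(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, number
    return "deny", None  # nothing matched: the implicit deny ending every ACL

if __name__ == "__main__":
    outside = "198.51.100.10"  # constructed Internet host
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, "B -> A vnc:", evaluate(acl, "tcp", "192.0.2.10", "192.0.2.3", 5900))
        print(name, "B -> Internet https:", evaluate(acl, "tcp", "192.0.2.10", outside, 443))
```

An interface ACL only evaluates packets that actually cross the firewall; hosts that share a subnet reach each other without traversing it.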

