Re: need help configuring PIX 501 for VNC acess

miked_187 · ‎02-28-2014

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

I need some help with determining the correct command line that will allow access for TightVNC into a single server 192.168.1.2 on the internal network on port 5900. I won't be running the web interface on 5800. The internal network is Windows based so I can use remote desktop off of .2 to connect to other desktops in the office

I'm thinking that the following might be close

enter configure terminal mode with: conf t

add: fixup protocol vnc 5900

add: access-list tightvnc line 1 permit ip host 192.168.1.2 any 255.255.255.0

write the config: wr mem

exit config mode: exit

confirm changes: show access-list tightvnc

if all looks good log out of the 501, and then give remote access a test via an offsite vnc client.

... but I'm feeling like I'm missing a whole bunch of stuff. Is there a way to tell the tightvnc access-list to only accept traffic if the inbound port is 5900? Google didn't lead to much in the way of specifics on any of this

What did I miss?

TIA,

Mike

miked_187 · ‎02-28-2014

this might be better

access-list tightvnc permit tcp any host 192.168.1.2 eq 5900

access-list tightvnc permit udp any host 192.168.1.2 eq 5900

I'm grasping... lol

Jon Marshall · ‎02-28-2014

Mike

Are you coming in from the internet ?

If so you can't use the private IPs as they are not routable on the internet.

So what public IPs do you have ? You can use the public IP assigned to the outside interface of your firewall if needed.

Can you clarify ?

Jon

miked_187 · ‎02-28-2014

Jon

> Are you coming in from the internet ?

yes, all the vnc client activity will be coming in from the internet, no vnc client activity will be started from within the office. This is purely for remote access to the office from outside sources/IP's

> So what public IPs do you have ?

we have 2 but will be pointing the inbound vnc clients from the internet to the ip address that we have in the PIX setup under the "ip address outside" value. lets call it 216.x.x.x

Thanks for chiiming in, hopefully this helps you help me, let me know what other info I can provide

Jon Marshall · ‎02-28-2014

Mike

Assuming the VNC port is TCP then -

static (inside,outside) tcp interface 5009 192.168.1.2 5009

access-list outside_in permit tcp any host 216.x.x.x eq 5009

note you may have an acl already configured for the outside interface so just add the above line to that acl.

Also the acl allows any IP address so you may want to lock that down if possible although it may not be.

Jon

miked_187 · ‎02-28-2014

Thanks Jon,

Think the VNC port 5900 is both UDP and TCP. I'll have to investigate the settings,

I'm out of the office till Monday, but I'll give the above a go then and follow back up, appreciate the help

m

miked_187 · ‎03-03-2014

Just determined that I need VNC to run encrypted (HIPAA compliance and all that), so I'll need to run VNC over an SSH tunnel on nonstd SSH port 9765 to the same .2 box where the SSH server is listening

conf t

static (inside,outside) tcp interface 9765 192.168.1.2 9765

access-list outside_in permit tcp any host 216.x.x.x eq 9765

wr mem

exit

show access-list outside_in

Correct?

Jon Marshall · ‎03-03-2014

Mike

Yes, your configuration looks fine.

Just to reiterate, if there is already an acl applied to the outside interface inbound then you need to add it to that acl rather than create a new one.

Jon

miked_187 · ‎03-03-2014

the only line that seems close is

static (inside,outside) 10.1.x.x access-list 0 0

nothing else showing up in the show config output has (inside, outside) within

Jon Marshall · ‎03-03-2014

Mike

Not sure what you mean.

Do you have an "access-group in interface outside" line in your config ?

If so add the acl line to the .

If not you need to create a new acl and apply it to the outside interface using the command above.

Make sure you check your config properly because if you already have an acl and apply a new acl it replaces the old one.

Jon

miked_187 · ‎03-03-2014

no access-group anywhere within

I have 2 existing access-list entries:

access-list permit ip host 192.168.1.2 192.y.y.y 255.255.255.0

access-list permit ip host 10.1.x.x 192.y.y.y 255.255.255.0

these are for a 3rd party VPN, have nothing to do with setting up SSH access, and each has a unique name, so it would appear (to my inexperinced eyes) that there isn't danger of a naming/overwrite collision

Jon Marshall · ‎03-03-2014

Mike

If there are no "access-group ..." entries then it looks like you don't have an acl applied to the outside interface so you will need to create the new acl and apply it.

Jon