I need some help with determining the correct command line that will allow access for TightVNC into a single server, 192.168.1.2, on the internal network on port 5900. I won't be running the web interface on 5800. The internal network is Windows-based, so I can use Remote Desktop off of .2 to connect to other desktops in the office.
I'm thinking that the following might be close:
enter configure terminal mode with: conf t
add: fixup protocol vnc 5900
add: access-list tightvnc line 1 permit ip host 192.168.1.2 any 255.255.255.0
write the config: wr mem
exit config mode: exit
confirm changes: show access-list tightvnc
If all looks good, log out of the 501 and then give remote access a test via an offsite VNC client.
... but I'm feeling like I'm missing a whole bunch of stuff. Is there a way to tell the tightvnc access-list to only accept traffic if the inbound port is 5900? Google didn't lead to much in the way of specifics on any of this.
What did I miss?
This might be better:
access-list tightvnc permit tcp any host 192.168.1.2 eq 5900
access-list tightvnc permit udp any host 192.168.1.2 eq 5900
I'm grasping... lol
Are you coming in from the internet?
If so, you can't use the private IPs, as they are not routable on the internet.
So what public IPs do you have? You can use the public IP assigned to the outside interface of your firewall if needed.
Can you clarify?
> Are you coming in from the internet?
Yes, all the VNC client activity will be coming in from the internet; no VNC client activity will be started from within the office. This is purely for remote access to the office from outside sources/IPs.
> So what public IPs do you have?
We have 2, but will be pointing the inbound VNC clients from the internet to the IP address that we have in the PIX setup under the "ip address outside" value. Let's call it 216.x.x.x.
Thanks for chiming in; hopefully this helps you help me. Let me know what other info I can provide.
Assuming the VNC port is TCP, then:
static (inside,outside) tcp interface 5009 192.168.1.2 5009
access-list outside_in permit tcp any host 216.x.x.x eq 5009
Note you may have an ACL already configured for the outside interface, so just add the above line to that ACL.
Also, the ACL allows any IP address, so you may want to lock that down if possible, although it may not be.
I think the VNC port 5900 is both UDP and TCP. I'll have to investigate the settings.
I'm out of the office till Monday, but I'll give the above a go then and follow back up. Appreciate the help.
Just determined that I need VNC to run encrypted (HIPAA compliance and all that), so I'll need to run VNC over an SSH tunnel on non-standard SSH port 9765 to the same .2 box, where the SSH server is listening.
Yes, your configuration looks fine.
Just to reiterate: if there is already an ACL applied to the outside interface inbound, then you need to add it to that ACL rather than create a new one.
The only line that seems close is
static (inside,outside) 10.1.x.x access-list
Nothing else showing up in the show config output has (inside,outside) within it.
Not sure what you mean.
Do you have an "access-group
If so add the acl line to the
If not, you need to create a new ACL and apply it to the outside interface using the command above.
Make sure you check your config properly, because if you already have an ACL and apply a new ACL, it replaces the old one.
No access-group anywhere within.
I have 2 existing access-list entries:
These are for a third-party VPN, have nothing to do with setting up SSH access, and each has a unique name, so it would appear (to my inexperienced eyes) that there isn't danger of a naming/overwrite collision.
If there are no "access-group ..." entries, then it looks like you don't have an ACL applied to the outside interface, so you will need to create the new ACL and apply it.
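As an added example (not from anyone in this thread), here is a small Python helper that applies the rule discussed above to a saved `show config` dump: if an ACL is already bound inbound on the outside interface, append the new permit line to that ACL; otherwise create a new ACL and bind it with `access-group`. The config text and the ACL names in it are constructed samples; the rule used in the check assumes the SSH-tunnel port 9765 the original poster settled on.

```python
import re
from typing import List, Optional, Set

# Constructed sample of PIX "show config" output (not a real device dump).
# Two unbound ACLs for a third-party VPN plus a port-forwarding static, as in the thread.
SAMPLE_CONFIG_NO_GROUP = """\
access-list vpn_split permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn_nat0 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) tcp interface 9765 192.168.1.2 9765
"""

# Same config, but with an ACL already applied inbound on the outside interface.
SAMPLE_CONFIG_WITH_GROUP = SAMPLE_CONFIG_NO_GROUP + """\
access-list outside_in permit tcp any host 203.0.113.10 eq 22
access-group outside_in in interface outside
"""

ACCESS_LIST_RE = re.compile(r"^access-list\s+(\S+)\s", re.M)
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.M)


def acl_names(config: str) -> Set[str]:
    """Every ACL name defined by an 'access-list <name> ...' line."""
    return set(ACCESS_LIST_RE.findall(config))


def inbound_acl_on(config: str, interface: str = "outside") -> Optional[str]:
    """Name of the ACL bound inbound on the interface, or None if nothing is applied."""
    for name, iface in ACCESS_GROUP_RE.findall(config):
        if iface == interface:
            return name
    return None


def plan_permit(config: str, new_acl: str, rule: str, interface: str = "outside") -> List[str]:
    """Config lines needed to add one permit rule without clobbering existing filtering.

    A second 'access-group ... in interface outside' replaces the first binding, so when an
    ACL is already applied we only append to it and emit no access-group line.
    """
    existing = inbound_acl_on(config, interface)
    if existing:
        return [f"access-list {existing} {rule}"]
    if new_acl in acl_names(config):
        # Reusing a defined-but-unbound name would silently merge unrelated rules.
        raise ValueError(f"ACL {new_acl!r} already exists; choose a different name")
    return [f"access-list {new_acl} {rule}",
            f"access-group {new_acl} in interface {interface}"]
```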