Cisco Support Community
Community Member

access-list question

I have an old 2610XM that I set up as a cable modem router. Fa0/0 faces the internet, Fa1/0 faces the LAN. Everything is working fine. However, in order to get access to my desktop PC via VNC, I added a line:

ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0/0 5900

That works perfectly, but I want to lock it down further by creating a statement that only allows a certain IP to make that connection. I have tried access-lists but have had no luck attaching them to an interface with access-group.

3 REPLIES
Community Member

Re: access-list question

Well, can you show us something about the config you've done?

And what exactly is the problem or error message that appears when you try to apply the access-list to the interface?

Community Member

Re: access-list question

!
interface FastEthernet0/0
 description WAN Link
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
! PAT for the LAN (ACL 1 below selects the inside addresses), plus two static port forwards
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0/0 5900
ip nat inside source static tcp 192.168.1.245 80 interface FastEthernet0/0 8080
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run

The issue is that when I added

access-list 101 permit tcp my.private.ip 0.0.0.192 eq 5900 host 192.168.1.10 eq 5900

followed by

int fa1/0
access-group 101 out

what happened was that the VNC connection was allowed, but the PCs connected to the switch were no longer able to browse the internet.

Re: access-list question

Hi,

Though I do not know your config exactly, the possibilities are:

access-list 100 permit tcp host 1.1.1.1 any eq 5900
access-list 100 deny tcp any any eq 5900
access-list 100 permit ip any any
!
interface FastEthernet0/0
 ip access-group 100 in

First line in ACL 100 allows the specific host IP (adjust to your requirements) to access TCP port 5900 (VNC).

Second line denies any other host accessing VNC.

Third line allows all other internet traffic.

Or you place another ACL on Fa1/0:

access-list 101 permit tcp host 1.1.1.1 host 192.168.1.10 eq 5900
access-list 101 deny tcp any host 192.168.1.10 eq 5900
access-list 101 permit ip any any
!
interface FastEthernet1/0
 ip access-group 101 out

Hope this helps! Please rate all posts.

Regards, Martin
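The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates a numbered extended ACL (top-down, first match wins, implicit deny at the end). It parses the poster's one-line ACL and both ACLs from Martin's reply, then runs constructed packets through them to show why the single permit line stopped web browsing (return traffic from web servers matched nothing and hit the implicit deny) and why the reply's versions end in `permit ip any any`. It also models the order-of-operations point behind ACL 100: an inbound ACL on the NAT outside interface is checked before the static NAT rewrites the destination, so the destination is still the router's public address, which is why that ACL says `any eq 5900` rather than `host 192.168.1.10`. The addresses 203.0.113.5 (standing in for "my.private.ip"), 198.51.100.1 (the router's public address), 198.51.100.20 (a web server), 192.168.1.50 and the function names are all assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not code from the thread: a small model of how IOS evaluates a
# numbered extended ACL (top-down, first match wins, implicit deny at the end).
# Addresses such as 203.0.113.5 (standing in for "my.private.ip"), 198.51.100.1
# (the router's public address) and 198.51.100.20 (a web server) are constructed.

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _parse_endpoint(t: List[str], i: int) -> Tuple[str, str, Optional[int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD', optionally followed by 'eq PORT'."""
    if t[i] == "any":
        base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        base, wc, i = t[i + 1], "0.0.0.0", i + 2
    else:
        base, wc, i = t[i], t[i + 1], i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return base, wc, port, i

def parse_acl(lines: List[str]) -> List[dict]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, in order."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        src, src_wc, sport, i = _parse_endpoint(t, 4)
        dst, dst_wc, dport, _ = _parse_endpoint(t, i)
        aces.append(dict(action=t[2], proto=t[3], src=src, src_wc=src_wc, sport=sport,
                         dst=dst, dst_wc=dst_wc, dport=dport, text=line))
    return aces

def evaluate(aces: List[dict], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching line); unmatched packets hit the implicit deny."""
    for a in aces:
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if not wildcard_match(src, a["src"], a["src_wc"]):
            continue
        if not wildcard_match(dst, a["dst"], a["dst_wc"]):
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"], a["text"]
    return "deny", "implicit deny ip any any"

# The poster's one-line ACL as written, applied outbound on Fa1/0 (after NAT, so
# the destination is already the LAN address).  Note that the first "eq 5900"
# is a source-port match, so only clients sending from port 5900 hit it.
POSTER_ACL = parse_acl([
    "access-list 101 permit tcp 203.0.113.5 0.0.0.192 eq 5900 host 192.168.1.10 eq 5900",
])

# The reply's ACL for Fa1/0 outbound.
REPLY_ACL_101 = parse_acl([
    "access-list 101 permit tcp host 1.1.1.1 host 192.168.1.10 eq 5900",
    "access-list 101 deny tcp any host 192.168.1.10 eq 5900",
    "access-list 101 permit ip any any",
])

# The reply's ACL for Fa0/0 inbound.  An inbound ACL on the NAT outside interface
# is checked before the static NAT rewrites the destination, so the destination
# is still the router's public address; that is why it says "any eq 5900".
REPLY_ACL_100 = parse_acl([
    "access-list 100 permit tcp host 1.1.1.1 any eq 5900",
    "access-list 100 deny tcp any any eq 5900",
    "access-list 100 permit ip any any",
])

def web_reply_on_fa1_0(aces: List[dict]) -> str:
    """Return traffic of a LAN browser session: server port 80 -> LAN PC ephemeral port."""
    return evaluate(aces, "tcp", "198.51.100.20", 80, "192.168.1.50", 51000)[0]

def vnc_on_fa1_0(aces: List[dict], client_ip: str, client_port: int = 51001) -> str:
    return evaluate(aces, "tcp", client_ip, client_port, "192.168.1.10", 5900)[0]

def vnc_on_fa0_0(aces: List[dict], client_ip: str, client_port: int = 51001) -> str:
    return evaluate(aces, "tcp", client_ip, client_port, "198.51.100.1", 5900)[0]

if __name__ == "__main__":
    print("poster's ACL, web reply to the LAN:", web_reply_on_fa1_0(POSTER_ACL))
    print("reply ACL 101, web reply to the LAN:", web_reply_on_fa1_0(REPLY_ACL_101))
    print("reply ACL 101, VNC from 1.1.1.1:", vnc_on_fa1_0(REPLY_ACL_101, "1.1.1.1"))
    print("reply ACL 101, VNC from elsewhere:", vnc_on_fa1_0(REPLY_ACL_101, "203.0.113.99"))
    print("reply ACL 100, VNC from 1.1.1.1:", vnc_on_fa0_0(REPLY_ACL_100, "1.1.1.1"))
```

Running it shows the web server's reply to a LAN PC hitting the implicit deny under the poster's ACL and passing under ACL 101, while VNC to 192.168.1.10 is permitted only from 1.1.1.1 and denied from any other source by the explicit deny line that precedes `permit ip any any`. The `evaluate` function also returns the matching line, which is handy for checking which entry an ACL is really hitting before applying it to an interface.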
