Cisco Support Community

806 Nat'ing VNC

I am having an issue or a brain fart; not sure which. I am trying to NAT VNC traffic through a firewall. It looks like traffic goes in and not back out. I have a single class C public to a 10.x.x.x internal. I do get a match for ACL 111; it hits on TCP port 5900. Config is as follows:

Current configuration : 2750 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname flathead
!
enable secret 5 xxx
!
username xxx password 0 xxx
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
ip dhcp excluded-address 10.10.10.4
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 domain-name xxx.com
 dns-server 24.x.x.x 24.x.x.x
 lease infinite
!
ip inspect tcp idle-time 3900
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address x.x.x.9 255.255.255.128
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.2 1701 interface Ethernet1 1701
ip nat inside source static tcp 10.10.10.2 500 interface Ethernet1 500
ip nat inside source static tcp 10.10.10.2 1723 interface Ethernet1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.1
no ip http server
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 5900
access-list 111 permit udp any any eq 5900
access-list 111 permit tcp any any eq 1701
access-list 111 permit tcp any any eq 500
access-list 111 permit tcp any any eq 1723
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
no cdp run
!
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Any help on this is greatly appreciated.

Thanks

1 REPLY

Re: 806 Nat'ing VNC

It helps to verify and use the proper address on the internal network. So, my first statement was correct. BRAIN FART!
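For reference, the VNC port forward on this kind of NAT-plus-CBAC setup needs three pieces: a static translation for TCP 5900 that names the VNC host's real inside address, an inbound permit on the outside ACL that matches the public address, and a way to check that the SYN is actually being translated. The following is an added example, not configuration from the original post. It assumes the VNC server is the fixed-address host 10.10.10.4 (one of the DHCP-excluded addresses; the thread never states which host runs VNC) and that the administrator connects from a single known public address, written here as the documentation placeholder 203.0.113.10. The posted config has no static entry for 5900 at all, and the reply attributes the failure to a wrong inside address; the check is the same either way.

```cisco
! Added example, not the original poster's config.
! Assumptions: VNC server = 10.10.10.4 (not stated in the thread),
!              admin source = 203.0.113.10 (documentation placeholder).

! 1. Static port forward for VNC display :0 (TCP 5900).
!    The inside address must be the VNC host's real, fixed address.
!    A wrong address here (say 10.10.10.2 instead of 10.10.10.4) gives
!    exactly the "goes in, never comes back" symptom: ACL 111 counts a
!    match, the SYN is translated toward a host with no listener, and
!    nothing returns. With no 5900 entry at all, the SYN is delivered to
!    the router's own stack instead, which also answers with nothing useful.
ip nat inside source static tcp 10.10.10.4 5900 interface Ethernet1 5900

! 2. ACL 111 is applied inbound on Ethernet1 and is evaluated before NAT
!    rewrites the destination, so "any eq 5900" (the public address) is
!    the right match. Restrict the source: VNC's built-in authentication
!    is weak and 5900 is scanned constantly, so do not leave it open to
!    "any". VNC (RFB) is TCP only; no UDP 5900 line is needed.
!    This entry must sit above "deny ip any any". Lines added to a numbered
!    ACL are appended at the end, and on classic IOS any "no access-list 111 ..."
!    form removes the whole list, so rebuild 111 in full rather than editing
!    it in place.
access-list 111 permit tcp host 203.0.113.10 any eq 5900

! 3. Verify while the admin attempts a connection.
!    The static entry shows as "tcp x.x.x.9:5900  10.10.10.4:5900  ---  ---";
!    a live session adds a row with the outside addresses filled in.
show ip nat translations
! Hit/miss counters for the translation rules.
show ip nat statistics
! A rising match count on the 5900 line proves the SYN reaches the router.
show access-lists 111
! Per-packet "s=...  d=..." translation log; enable briefly, then turn off.
debug ip nat
undebug all
```

Reading the three checks together is what separates the two failure modes: a match on the ACL line with no row in `show ip nat translations` means the translation is missing or points at the wrong inside address; a translation row with no reply means the inside host is not listening or is blocking the router. CBAC (`ip inspect myfw out`) only tracks sessions started from the inside, so it plays no part in an inbound VNC session; the static permit carries the SYN in, and the replies leave through NAT with no outbound ACL in the way. The same address-and-protocol check applies to the other static entries in the posted config: ISAKMP (500) and L2TP (1701) are UDP, so `static tcp` entries for those ports will never see traffic.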
