Cisco Support Community
New Member

Help with simple access list rule

Hi, I have a Cisco 877 at home. I can get to the CLI from work, but need to access a PC via VNC that's behind the router's access lists.

The inbound access list is 101 and I want to allow my work's external IP of 1.2.3.4 through the firewall on TCP port 5900 to 1.2.3.5 only.

Is this possible, if so how might this look?

13 REPLIES

Re: Help with simple access list rule

access-list 101 permit tcp host 1.2.3.4 host 1.2.3.5 eq 5900

Then apply it to the interface

interface Dialer1 (or what ever your outside interface is)

ip access-group 101 in

In case you don't have your NAT translation built yet:

ip nat inside source static tcp [inside address] 5900 interface Dialer1 5900

HTH

Re: Help with simple access list rule

As this is at home, do you have a static address from your provider, or are you just overloading everything to your dialler interface? If you are just natting to your dialler this should work.

First set up a static nat for that tcp port from your inside address on port 5900 to your dialler interface port 5900.

ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900

Then add a new entry into access-list 101 to permit tcp 5900 from your source address to any. It doesn't matter that it is to any, as the only host that will be mapping to port 5900 will be the host specified in the static nat statement. You will need to remember to put this statement in prior to any deny statements you currently have in the acl.

access-list 101 permit tcp host 1.2.3.4 any eq 5900

Hope this helps

Martin
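Martin's two points above (the destination must be "any" because the inbound ACL sees the packet before the static NAT rewrites it, and the permit must sit before any deny) can be checked with a small model of IOS first-match ACL evaluation. This is an added example, not code from the thread: the Dialer1 public address 203.0.113.10 and the second outside address 198.51.100.7 are constructed placeholders, and the parser only understands the "any" and "host" address forms used in this thread.

```python
# Constructed values for this example; the dialer's public address is not given in the thread.
DIALER_PUBLIC_IP = "203.0.113.10"            # placeholder, TEST-NET-3
WORK_IP = "1.2.3.4"                          # the OP's external work address
# ip nat inside source static tcp 1.2.3.5 5900 interface Dialer1 5900
STATIC_NAT = {("tcp", 5900): "1.2.3.5"}

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'
    where SRC and DST are either 'any' or 'host A.B.C.D'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    def take_addr():
        if rest[0] == "host":
            addr = rest[1]
            del rest[:2]
            return addr
        del rest[0]                 # 'any'
        return "any"
    src, dst = take_addr(), take_addr()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def acl_lookup(acl, proto, src, dst, dport):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for action, p, s, d, port in map(parse_ace, acl):
        if p not in ("ip", proto):
            continue
        if s != "any" and s != src:
            continue
        if d != "any" and d != dst:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def inbound_on_dialer(acl, src, dport, proto="tcp"):
    """Packet arriving from the Internet on Dialer1: the inbound ACL is evaluated
    against the pre-NAT destination (the dialer's own address); only a permitted
    packet is then handed to the static NAT, which rewrites it to the inside host.
    Returns the final destination, or None if the ACL dropped the packet."""
    if acl_lookup(acl, proto, src, DIALER_PUBLIC_IP, dport) != "permit":
        return None
    return STATIC_NAT.get((proto, dport), DIALER_PUBLIC_IP)

# Martin's rule placed before the deny: work can reach the VNC host, nobody else can.
GOOD = ["access-list 101 permit tcp host 1.2.3.4 any eq 5900",
        "access-list 101 deny ip any any"]
AFTER_DENY = GOOD[::-1]                      # same permit, but after the deny
# Matching the inside address as the destination never hits: the ACL sees the dialer IP.
WRONG_DST = ["access-list 101 permit tcp host 1.2.3.4 host 1.2.3.5 eq 5900",
             "access-list 101 deny ip any any"]
```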

New Member

Re: Help with simple access list rule

Hi Martin.

I don't have a static IP; I have to use dynamic DNS to get round this.

1.2.3.5 (local PC with VNC)

1.2.3.4 (external IP of work)

Added:

ip nat inside source static tcp 1.2.3.5 5900 interface dialer1 5900

and

access-list 101 permit tcp host 1.2.3.4 any eq 5900

I gained access! Although the desktop is just a black screen, that might be the PC. I might try RDP, which I think is 3389.

Re: Help with simple access list rule

Good luck, let me know if you still have issues.

Martin

New Member

Re: Help with simple access list rule

One last thing Martin have you used the SDM before? Just thought I'd have a look at the firewall settings in there and I see none of my CLI access-list 101 rules in there. It just says access-list 101 is empty even though the CLI shows them.

Strange eh or normal?

Re: Help with simple access list rule

Hi, I have always tried to avoid the SDM. I know I probably shouldn't.

When I got my 877W, I formatted the flash: to get rid of it, and then slapped my image back on. Wrote my own outside_in ACL, and used CBAC to open the holes I didn't need to bang in statically.

Martin

New Member

Re: Help with simple access list rule

What is CBAC? Sounds useful...

New Member

Re: Help with simple access list rule

Just one other rule I need to have: I need to be able to reach the SDM on the router from my work on port 443. How would this look, and do I also need a NAT?

Re: Help with simple access list rule

You don't need a NAT (because you're going directly to the device itself).

access-list 101 permit tcp host 1.2.3.4 any eq 443

Re: Help with simple access list rule

Check your MTU. If you're using DSL you will need to lower it to something like 1410 (maybe lower).

Under your inside interface(s)

ip tcp adjust-mss 1410

HTH

New Member

Re: Help with simple access list rule

Hi,

I have it set to:

ip tcp adjust-mss 1450

Can this create a problem?

Re: Help with simple access list rule

VNC/RDP/Citrix don't like fragmented packets, and a typical result of a fragmented packet for those applications is a connection, but a black screen.
