Question : Problem: How to block everything except VNC
I've got this setup:

    Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
    Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182

I'm trying to connect to the 192.168.104.0 machines using VNC.

Here's the running Cisco config:

    no aaa new-model
    ip subnet-zero
    ip routing
    !
    ip multicast-routing distributed
    no ip igmp snooping
    !
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/2
     description VNC
     no switchport
     ip address 172.20.0.1 255.255.255.0
     ip access-group 100 in
     ip access-group 100 out
     ip pim sparse-dense-mode
    !
    !
    interface Vlan1
     ip address 192.168.104.182 255.255.255.0
    !
    ip classless
    ip http server
    !
    !
    access-list 100 permit tcp any any eq 5900

I am unable to connect from 172.20.0.2 to any of the machines on the other side. However, if I remove 'ip access-group 100 out' everything is working.

tcpdump gives me this (on the VNC server machine):

    19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840
    19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792

I understand that it is trying to use port 42928 (changing number) but I do not understand why. Anyone out there with some knowledge about this that could help me out?
Answer : Problem: How to block everything except VNC
I don't know the VNC product, but I'm guessing that like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application so you may need to swap the in/out.
    ip access-group 100 in
    ip access-group 101 out

    access-list 100 permit tcp any any eq 5900
    access-list 101 permit tcp any eq 5900 any
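To see why the original config drops the reply while the second ACL lets it through, here is an added Python simulation (not part of the thread) that applies the two access lists from this page to the two tcpdump lines from the question. It assumes FastEthernet0/2 is the filtered interface, so packets sourced from 172.20.0.2 are evaluated against the inbound ACL and the server's replies against the outbound ACL; the hostname RCWP-1 is kept exactly as tcpdump printed it.

```python
import re

# The two tcpdump lines from the question, embedded here as sample input.
TCPDUMP_LINES = [
    "19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840",
    "19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792",
]

# tcpdump prints "host.port > host.port:"; the last dot separates host and port.
PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_packet(line):
    src, sport, dst, dport = PKT_RE.search(line).groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

# Entries mirror the IOS syntax on the page (None means "any"):
#   access-list 100 permit tcp any any eq 5900  -> destination port must be 5900
#   access-list 101 permit tcp any eq 5900 any  -> source port must be 5900
ACLS = {
    100: [("permit", None, 5900)],
    101: [("permit", 5900, None)],
}

def acl_action(acl_id, pkt):
    for action, sport, dport in ACLS[acl_id]:
        if (sport is None or pkt["sport"] == sport) and (dport is None or pkt["dport"] == dport):
            return action
    return "deny"  # every IOS access list ends with an implicit deny

def simulate(inbound_acl, outbound_acl, lines):
    """Return (direction, sport, dport, verdict) per packet crossing Fa0/2."""
    verdicts = []
    for line in lines:
        pkt = parse_packet(line)
        # Assumption: the 172.20.0.0/24 host sits on Fa0/2, so its packets
        # enter the interface (in) and the VNC server's replies leave it (out).
        direction = "in" if pkt["src"].startswith("172.20.0.") else "out"
        acl_id = inbound_acl if direction == "in" else outbound_acl
        verdicts.append((direction, pkt["sport"], pkt["dport"], acl_action(acl_id, pkt)))
    return verdicts

if __name__ == "__main__":
    # Original config: ACL 100 in both directions; the SYN-ACK has dport 42928, not 5900.
    print("100 in / 100 out:", simulate(100, 100, TCPDUMP_LINES))
    # Answer's config: ACL 101 outbound matches the reply by its source port 5900.
    print("100 in / 101 out:", simulate(100, 101, TCPDUMP_LINES))
```

The second packet is the server's SYN-ACK: its destination port is the client's ephemeral port, so the outbound copy of ACL 100 denies it, which is exactly the stalled connection the question describes.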