Question : Problem: How to block everything except VNC

I've got this setup:
Computer 172.20.0.2 ---> FastEthernet0/2 172.20.0.1
Computers 192.168.104.0/24 ---> same switch, Vlan1 192.168.104.182
I'm trying to connect to the 192.168.104.0/24 machines using VNC.

Here's the running Cisco config:
no aaa new-model
ip subnet-zero
ip routing
!
ip multicast-routing distributed
no ip igmp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface FastEthernet0/2
 description VNC
 no switchport
 ip address 172.20.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip pim sparse-dense-mode
!

!
interface Vlan1
 ip address 192.168.104.182 255.255.255.0
!
ip classless
ip http server
!
!
access-list 100 permit tcp any any eq 5900


I am unable to connect from 172.20.0.2 to any of the machines on the other side. However, if I remove 'ip access-group 100 out', everything is working.

tcpdump gives me this (on the VNC server machine):
19:04:49.243010 IP 172.20.0.2.42928 > RCWP-1.5900: S 4244700870:4244700870(0) win 5840
19:04:49.243028 IP RCWP-1.5900 > 172.20.0.2.42928: S 3510928067:3510928067(0) ack 4244700871 win 5792

I understand that it is trying to use port 42928 (the number changes), but I do not understand why. Anyone out there with some knowledge about this that could help me out?

Answer : Problem: How to block everything except VNC

I don't know the VNC product, but I'm guessing that like almost all other applications, the source port is randomly selected. Try creating a second ACL for the return traffic. I may have the directions reversed since I'm not familiar with the application so you may need to swap the in/out.

 ip access-group 100 in
 ip access-group 101 out

access-list 100 permit tcp any any eq 5900
access-list 101 permit tcp any eq 5900 any
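To see concretely why the question's configuration fails and the answer's second ACL fixes it, here is an added example (not code from either poster) that models Cisco extended ACL evaluation for the two access-list lines on this page: first match wins, an implicit deny closes every list, and an interface direction with no access-group applied permits everything. It pushes the client's SYN through the inbound ACL on FastEthernet0/2 and the server's SYN-ACK through the outbound ACL, using the ports from the tcpdump output in the question. The server address 192.168.104.10 is a constructed stand-in for the host tcpdump shows as RCWP-1; only `any` addresses and `eq` port matches are modelled, since those are the only forms the thread uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port


def _consume_endpoint(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume 'any [eq N]' from the front of tokens; return (port, remaining)."""
    if not tokens or tokens[0] != "any":
        raise ValueError("only 'any' addresses are modelled here: %r" % tokens)
    rest = tokens[1:]
    if len(rest) >= 2 and rest[0] == "eq":
        return int(rest[1]), rest[2:]
    return None, rest


def parse_acl(config_lines: List[str]) -> Dict[str, List[Entry]]:
    """Parse 'access-list N permit tcp <src> [eq P] <dst> [eq P]' lines, keyed by N."""
    acls: Dict[str, List[Entry]] = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src_port, rest = _consume_endpoint(tokens[4:])
        dst_port, _ = _consume_endpoint(rest)
        acls.setdefault(number, []).append(Entry(action, proto, src_port, dst_port))
    return acls


def evaluate(entries: Optional[List[Entry]], pkt: Packet) -> str:
    """First matching entry wins; no ACL in this direction permits; end of list denies."""
    if entries is None:
        return "permit"
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# The two access-list lines from the page (question and answer respectively).
ACL_LINES = [
    "access-list 100 permit tcp any any eq 5900",
    "access-list 101 permit tcp any eq 5900 any",
]
ACLS = parse_acl(ACL_LINES)

CLIENT = "172.20.0.2"
SERVER = "192.168.104.10"  # constructed stand-in for the host shown as RCWP-1


def vnc_handshake(in_acl: Optional[str], out_acl: Optional[str]) -> Dict[str, str]:
    """Verdicts for the SYN entering Fa0/2 and the SYN-ACK leaving it."""
    syn = Packet(CLIENT, 42928, SERVER, 5900)      # ports from the tcpdump line
    syn_ack = Packet(SERVER, 5900, CLIENT, 42928)  # reply comes back to the random port
    inbound = ACLS.get(in_acl) if in_acl else None
    outbound = ACLS.get(out_acl) if out_acl else None
    return {"syn_in": evaluate(inbound, syn), "synack_out": evaluate(outbound, syn_ack)}


def session_works(in_acl: Optional[str], out_acl: Optional[str]) -> bool:
    """True only if both halves of the handshake are permitted."""
    return all(v == "permit" for v in vnc_handshake(in_acl, out_acl).values())


if __name__ == "__main__":
    for cfg in (("100", "100"), ("100", None), ("100", "101")):
        print(cfg, vnc_handshake(*cfg), "works" if session_works(*cfg) else "blocked")
```

Run as-is, it shows the SYN permitted inbound in every case, the SYN-ACK dropped by ACL 100 outbound because its destination port is 42928 rather than 5900, and the handshake completing once ACL 101 (or no outbound ACL) is applied. Note that ACL 101 as written permits any outbound TCP segment whose source port is 5900, including connections the server side itself initiates from that port; on platforms that support it, adding the `established` keyword to the return-traffic entry restricts it to segments carrying ACK or RST, which is the tighter form of the same fix.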