Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1088
Views
0
Helpful
3
Replies

ASA 5505 and VNC

J W
Level 1
Level 1

‎10-21-2011 10:45 AM - edited ‎03-11-2019 02:40 PM

Hello, I have been fighting this issue for some time now, and I am not sure where I am going wrong. We have a PC that with VNC installed. I can get to it without issue internally from port 5900 (VNC, and Telnet). however when I try to access it from outside the firewall It does not connect. To my knowledge I have all the ACL's, NAT and Firewall rules in place to support this, and I do not believe that there is a 'fixup' command for this. Could somebody take a look and see if they can ponit me in the right direction? Thank you!

ASA Version 8.2(1)

!

hostname ATDASA

domain-name Akrontool

enable password tTpTvQzRMvRMrJlh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.100.100.3 ATD01 description Server

name 192.168.42.0 <Company_2>

name <Public IP> External-IP

name 10.100.100.200 CNC_Internal

name <Public Gateway> TimeWarner_Gateway

name 10.100.100.15 ATDTS01 description Terminal Server

!

interface Vlan1

nameif inside

security-level 100

ip address 10.100.100.5 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address External-IP 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name Akrontool

object-group service RDP tcp

description Remote Desktop

port-object eq 3389

object-group service ATD_Mai_Services

service-object tcp eq imap4

service-object tcp eq pop3

service-object tcp eq smtp

object-group service CNC_Machine

description VNC

service-object tcp eq 5500

service-object tcp eq 5800

service-object tcp eq 5900

object-group service GRE tcp

port-object eq 47

access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 <Outside Network Subnet> 255.255.255.252

access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 <Company_2> 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 <Outside Network Subnet> 255.255.255.252

access-list outside_2_cryptomap extended permit ip 10.100.100.0 255.255.255.0 <Company_2> 255.255.255.0

access-list outside_access_in remark Allows RDP access to server

access-list outside_access_in extended permit tcp any <Outside Network Subnet> 255.255.255.252 object-group RDP

access-list outside_access_in extended permit object-group ATD_Mai_Services any <Outside Network Subnet> 255.255.255.252

access-list outside_access_in extended permit tcp any <Outside Network Subnet> 255.255.255.252 eq pptp

access-list outside_access_in extended permit tcp any <Outside Network Subnet> 255.255.255.252 eq www

access-list outside_access_in extended permit object-group CNC_Machine any <Outside Network Subnet> 255.255.255.252

access-list outside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 ATD01 3389 netmask 255.255.255.255

static (inside,outside) tcp interface smtp ATD01 smtp netmask 255.255.255.255

static (inside,outside) tcp interface www ATD01 www netmask 255.255.255.255

static (inside,outside) tcp interface pptp ATD01 pptp netmask 255.255.255.255

static (inside,outside) tcp interface pop3 ATD01 pop3 netmask 255.255.255.255

static (inside,outside) tcp interface imap4 ATD01 imap4 netmask 255.255.255.255

static (inside,outside) tcp interface 47 ATD01 47 netmask 255.255.255.255

static (inside,outside) tcp interface 5500 CNC_Internal 5500 netmask 255.255.255.255

static (inside,outside) tcp interface 5800 CNC_Internal 5800 netmask 255.255.255.255

static (inside,outside) tcp interface 5900 CNC_Internal 5900 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

!

router rip

network 10.0.0.0

version 2

!

route outside 0.0.0.0 0.0.0.0 TimeWarner_Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http <Company_2> 255.255.255.0 inside

http 10.100.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer TimeWarner_Gateway

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer <Public IP of VPN Target>

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group Akrontool type ipsec-l2l

tunnel-group Akrontool ipsec-attributes

pre-shared-key *

tunnel-group <Public IP of VPN Target> type ipsec-l2l

tunnel-group <Public IP of VPN Target> ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:15b3752100cb9ced92fe74dcd52b1237

: end

Labels:
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎10-21-2011 11:06 AM

Jared

Not used VNC but shouldn't this acl line -

access-list outside_access_in extended permit object-group CNC_Machine any 255.255.255.252

be

access-list outside_access_in extended permit any 255.255.255.252 object-group CNC_Machine

Jon

0 Helpful

J W
Level 1
Level 1
In response to Jon Marshall

‎10-21-2011 01:37 PM

Hmm. It looks like it should, but I made that rule in the ASDM, and it looks correct there..

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to J W

‎10-21-2011 02:01 PM

edited

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card