02-28-2014 09:29 AM - edited 03-11-2019 08:51 PM
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
I need some help with determining the correct command line that will allow access for TightVNC into a single server 192.168.1.2 on the internal network on port 5900. I won't be running the web interface on 5800. The internal network is Windows-based, so I can use Remote Desktop off of .2 to connect to other desktops in the office.
I'm thinking that the following might be close
enter configure terminal mode with: conf t
add: fixup protocol vnc 5900
add: access-list tightvnc line 1 permit ip host 192.168.1.2 any 255.255.255.0
write the config: wr mem
exit config mode: exit
confirm changes: show access-list tightvnc
if all looks good log out of the 501, and then give remote access a test via an offsite vnc client.
... but I'm feeling like I'm missing a whole bunch of stuff. Is there a way to tell the tightvnc access-list to only accept traffic if the inbound port is 5900? Google didn't lead to much in the way of specifics on any of this
What did I miss?
TIA,
Mike
02-28-2014 09:39 AM
this might be better
access-list tightvnc permit tcp any host 192.168.1.2 eq 5900
access-list tightvnc permit udp any host 192.168.1.2 eq 5900
I'm grasping... lol
02-28-2014 11:00 AM
Mike
Are you coming in from the internet ?
If so you can't use the private IPs as they are not routable on the internet.
So what public IPs do you have ? You can use the public IP assigned to the outside interface of your firewall if needed.
Can you clarify ?
Jon
02-28-2014 11:28 AM
Jon
> Are you coming in from the internet ?
yes, all the vnc client activity will be coming in from the internet, no vnc client activity will be started from within the office. This is purely for remote access to the office from outside sources/IP's
> So what public IPs do you have ?
we have 2 but will be pointing the inbound VNC clients from the internet to the IP address that we have in the PIX setup under the "ip address outside" value. Let's call it 216.x.x.x
Thanks for chiming in, hopefully this helps you help me. Let me know what other info I can provide.
02-28-2014 12:58 PM
Mike
Assuming the VNC port is TCP then -
static (inside,outside) tcp interface 5900 192.168.1.2 5900
access-list outside_in permit tcp any host 216.x.x.x eq 5900
Note: you may have an acl already configured for the outside interface, so just add the above line to that acl.
Also the acl allows any IP address so you may want to lock that down if possible although it may not be.
Jon
02-28-2014 02:26 PM
Thanks Jon,
Think the VNC port 5900 is both UDP and TCP. I'll have to investigate the settings.
I'm out of the office till Monday, but I'll give the above a go then and follow back up, appreciate the help
m
03-03-2014 12:18 PM
Just determined that I need VNC to run encrypted (HIPAA compliance and all that), so I'll need to run VNC over an SSH tunnel on non-standard SSH port 9765 to the same .2 box where the SSH server is listening.
conf t
static (inside,outside) tcp interface 9765 192.168.1.2 9765
access-list outside_in permit tcp any host 216.x.x.x eq 9765
wr mem
exit
show access-list outside_in
Correct?
03-03-2014 12:21 PM
Mike
Yes, your configuration looks fine.
Just to reiterate, if there is already an acl applied to the outside interface inbound then you need to add it to that acl rather than create a new one.
Jon
03-03-2014 12:46 PM
the only line that seems close is
static (inside,outside) 10.1.x.x access-list
nothing else showing up in the show config output has (inside, outside) within
03-03-2014 12:59 PM
Mike
Not sure what you mean.
Do you have an "access-group
If so add the acl line to the
If not you need to create a new acl and apply it to the outside interface using the command above.
Make sure you check your config properly because if you already have an acl and apply a new acl it replaces the old one.
Jon
03-03-2014 01:10 PM
no access-group anywhere within
I have 2 existing access-list entries:
access-list
access-list
These are for a 3rd-party VPN, have nothing to do with setting up SSH access, and each has a unique name, so it would appear (to my inexperienced eyes) that there isn't danger of a naming/overwrite collision.
03-03-2014 01:13 PM
Mike
If there are no "access-group ..." entries then it looks like you don't have an acl applied to the outside interface so you will need to create the new acl and apply it.
Jon
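Putting the whole thread together, here is an added example of the complete PIX 6.3 sequence for the SSH-tunnel case (create the translation, create the ACL, apply the ACL to the outside interface, verify). This is not configuration posted by either participant; it assumes the outside address is still the 216.x.x.x placeholder used above and that 203.0.113.10 is the single remote client address you want to allow, which is an assumed value standing in for whatever the real client uses.

```cisco
! Added example, not from the thread. 216.x.x.x = outside interface
! address as in the thread; 203.0.113.10 = assumed remote client address.
conf t
! Check first: if an ACL is already bound inbound on "outside", add to it
! instead of creating outside_in, because access-group replaces the old one.
show access-group
! Port redirection: TCP 9765 on the outside address -> 192.168.1.2:9765
static (inside,outside) tcp interface 9765 192.168.1.2 9765
! Allow only the known client to reach the SSH port; drop "host 203.0.113.10"
! back to "any" only if the client address cannot be pinned down.
access-list outside_in permit tcp host 203.0.113.10 host 216.x.x.x eq 9765
! Bind the ACL inbound on the outside interface (this is the step the
! "access-group" question above is about).
access-group outside_in in interface outside
! Existing translations are not rebuilt until xlate is cleared.
clear xlate
wr mem
exit
show access-list outside_in
show static
```

With this in place the PIX only ever sees TCP 9765; VNC itself should keep listening on 127.0.0.1:5900 on the .2 box and be reached through the tunnel, e.g. `ssh -p 9765 -L 5900:127.0.0.1:5900 user@216.x.x.x` from the client, then pointing the VNC viewer at localhost:5900. The earlier `static`/`access-list` lines for 5900 are then not needed and should not be added, since they would expose the unencrypted VNC port directly.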