09-09-2011 01:51 PM - edited 03-11-2019 02:23 PM
This is probably a stupid question but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external IP address and port 5950. People outside the network will be able to open VNC Viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal IP address of 10.11.101.10. What commands do I use to do this?
Thanks,
09-15-2011 12:46 AM
Hi,
So at least you did get a logging message telling you the packet was dropped?
How are you connected to the device? If it is with telnet, then issue the terminal monitor command, and logging buffered 6 and logging monitor 6.
Post the output of the log message.
Regards.
Alain.
09-15-2011 01:15 PM
Here is the terminal monitor log:
000719: *Sep 15 14:03:24.926 PCTime: %FW-6-DROP_PKT: Dropping tcp session 70.xxx.xxx.xxx:1382 72.xxx.xxx.xxx:443 due to RST inside current window with ip ident 0
000720: *Sep 15 14:05:28.594 PCTime: %FW-6-DROP_PKT: Dropping tcp session 58.xxx.xxx.xxx:12200 70.xxx.xxx.xxx:2479 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000721: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 58.xxx.xxx.xxx:12200 => 70.xxx.xxx.xxx:2479 (target:class)-(ccp-zp-out-self:class-default)
000722: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 58.xxx.xxx.xxx:12200 => 70.xxx.xxx.xxx:3246 (target:class)-(ccp-zp-out-self:class-default)
000723: *Sep 15 14:06:36.002 PCTime: %FW-6-DROP_PKT: Dropping tcp session 142.xxx.xxx.xxx:20088 10.11.101.10:5950 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
000724: *Sep 15 14:06:52.066 PCTime: %FW-6-LOG_SUMMARY: 3 packets were dropped from 142.xxx.xxx.xxx:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)
000725: *Sep 15 14:07:19.834 PCTime: %FW-6-DROP_PKT: Dropping tcp session 88.xxx.xxx.xxx:21171 70.xxx.xxx.xxx:3389 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000726: *Sep 15 14:07:52.066 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 88.xxx.xxx.xxx:21171 => 70.xxx.xxx.xxx:3389 (target:class)-(ccp-zp-out-self:class-default)
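The DROP_PKT and LOG_SUMMARY messages above carry the zone-pair and the class that dropped the flow, which is the part of the log that tells you which policy-map needs editing. As an added example (not part of this thread), here is a small parser that extracts those fields and totals dropped packets per zone-pair and class for a given destination; the sample lines are constructed from the messages quoted above, with placeholder addresses and the wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed sample modelled on the %FW-6 messages quoted in this thread;
# addresses are placeholders. The RST drop (000719) carries no zone-pair.
LOG = """
000719: *Sep 15 14:03:24.926 PCTime: %FW-6-DROP_PKT: Dropping tcp session 70.0.0.1:1382 72.0.0.1:443 due to RST inside current window with ip ident 0
000720: *Sep 15 14:05:28.594 PCTime: %FW-6-DROP_PKT: Dropping tcp session 58.0.0.1:12200 70.0.0.1:2479 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000721: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 58.0.0.1:12200 => 70.0.0.1:2479 (target:class)-(ccp-zp-out-self:class-default)
000723: *Sep 15 14:06:36.002 PCTime: %FW-6-DROP_PKT: Dropping tcp session 142.0.0.1:20088 10.11.101.10:5950 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
000724: *Sep 15 14:06:52.066 PCTime: %FW-6-LOG_SUMMARY: 3 packets were dropped from 142.0.0.1:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)
"""

DROP_PKT = re.compile(r"%FW-6-DROP_PKT: Dropping (\w+) session (\S+):(\d+) (\S+):(\d+) "
                      r"on zone-pair (\S+) class (\S+)")
SUMMARY = re.compile(r"%FW-6-LOG_SUMMARY: (\d+) packets? were dropped from (\S+):(\d+) => (\S+):(\d+) "
                     r"\(target:class\)-\((\S+):(\S+)\)")

def parse_fw_drops(text):
    """Yield one dict per policy drop record: proto (None for summaries), dst, dport,
    zone_pair, class_name and the packet count the router reported."""
    for line in text.splitlines():
        if m := DROP_PKT.search(line):
            yield {"proto": m[1], "dst": m[4], "dport": int(m[5]),
                   "zone_pair": m[6], "class_name": m[7], "packets": 1}
        elif m := SUMMARY.search(line):
            yield {"proto": None, "dst": m[4], "dport": int(m[5]),
                   "zone_pair": m[6], "class_name": m[7], "packets": int(m[1])}

def drops_by_policy(text, dst, dport):
    """Total dropped packets to dst:dport per (zone-pair, class), using the
    LOG_SUMMARY records because they carry the aggregated counts."""
    counts = Counter()
    for rec in parse_fw_drops(text):
        if rec["proto"] is None and (rec["dst"], rec["dport"]) == (dst, dport):
            counts[(rec["zone_pair"], rec["class_name"])] += rec["packets"]
    return dict(counts)
```

Running drops_by_policy(LOG, "10.11.101.10", 5950) names sdm-zp-VPNOutsideToInside-1 / class-default, i.e. the policy-map on that zone-pair is the one to change.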
09-15-2011 01:39 PM
Hi,
OK, now we know why my config is not working:
LOG_SUMMARY: 3 packets were dropped from 142.xxx.xxx.xxx:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)
The traffic is matched by class-default in the service-policy for VPN created by SDM.
But in your latest config I don't see this:
zone-pair security VNC_OUT_IN source out-zone destination in-zone
 service-policy type inspect VNC_POLICY
Can you add it and try again.
Alain.
09-15-2011 01:52 PM
When I type in zone-pair security VNC_OUT_IN source out-zone destination in-zone I get this. I don't know if it is an error or just a warning perhaps:
% Already zone-pair sdm-zp-VPNOutsideToInside-1 exists for the specified source and destination zones
And when I type in service-policy type inspect VNC_POLICY I get:
Invalid input marker detected at ^. The ^ is at the - in service-policy
09-15-2011 10:48 PM
Hi,
OK, so we'll have to modify the existing policy.
I'll post the config when I get to work in about an hour.
Regards.
Alain.
09-16-2011 01:33 AM
Hi,
OK, let's try this:
ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
no policy-map type inspect VNC_POLICY
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect VNC_CLASS
  inspect
 class class-default
  drop
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
Regards.
Alain.
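As an added example (not Alain's or Cisco's code), here is a checker that parses the zone-based firewall objects from a config like the one above and reports which class in the out-zone to in-zone policy a TCP flow to a given host and port would hit, evaluating classes in order as the router does; the sample config is Alain's fix, embedded as constructed input. It only understands the ACL and class-map forms used in this thread, so numbered access-groups and match protocol classes are treated as non-matching.

```python
import re

# Constructed sample: the fix posted in this thread, as the router would store it.
SAMPLE = """
ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect VNC_CLASS
  inspect
 class class-default
  drop
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
"""

def parse_zbf(text):
    """Collect ACL host/port entries, inspect class-maps, policy-map class/action lists and zone-pairs."""
    acls, cmaps, pmaps, pairs, cur = {}, {}, {}, {}, ("", None)
    for line in (l.strip() for l in text.splitlines()):  # indentation is irrelevant here
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur = ("acl", acls.setdefault(m[1], []))
        elif m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
            cur = ("cmap", cmaps.setdefault(m[1], []))
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cur = ("pmap", pmaps.setdefault(m[1], []))
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            cur = ("pair", pairs.setdefault((m[2], m[3]), {"name": m[1], "policy": None}))
        elif cur[0] == "acl" and (m := re.match(r"permit tcp any host (\S+) eq (\d+)", line)):
            cur[1].append((m[1], int(m[2])))
        elif cur[0] == "cmap" and (m := re.match(r"match access-group name (\S+)", line)):
            cur[1].append(m[1])
        elif cur[0] == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cur[1].append([m[1], "drop"])  # a class with no action drops, like class-default
        elif cur[0] == "pmap" and line in ("inspect", "pass", "drop", "drop log"):
            cur[1][-1][1] = line
        elif cur[0] == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cur[1]["policy"] = m[1]
    return acls, cmaps, pmaps, pairs

def zbf_verdict(text, dst_host, dst_port, src_zone="out-zone", dst_zone="in-zone"):
    """First class in the src->dst zone-pair's policy that matches a TCP flow to dst_host:dst_port."""
    acls, cmaps, pmaps, pairs = parse_zbf(text)
    pair = pairs.get((src_zone, dst_zone), {"name": None, "policy": None})
    for cls, action in pmaps.get(pair["policy"], []):
        acl_hit = any((dst_host, dst_port) in acls.get(a, []) for a in cmaps.get(cls, []))
        if cls == "class-default" or acl_hit:
            return (pair["name"], pair["policy"], cls, action)
    return None  # no zone-pair/policy for this direction: the router drops the flow
```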
09-16-2011 07:30 AM
That worked. Thank you so much for your help.
03-08-2012 11:35 AM
Hi Alain,
I have a similar situation to the user you helped here, the key difference being that this router is an 1841 rather than an 1811. Nonetheless, I think they are pretty similar.
I have applied the changes you outlined in your post, but I am still not able to connect with VNC. Could you have a look at the config and let me know what you think I am missing?
The only difference I noted was the port that I have vnc listening on is 5900, not 5950.
Much appreciated.
C.
Config below:
Current configuration : 12763 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname imd1841
!
boot-start-marker
boot-end-marker
!
...
!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
!
...
!
!
...
ip source-route
!
!
!
!
ip cef
ip domain name imdesign.local
no ipv6 cef
ntp update-calendar
ntp server 129.6.15.28
ntp server 129.6.15.29
!
multilink bundle-name authenticated
!
!
!
...
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address x.x.x.x!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 103
!
archive
log config
hidekeys
!
!
ip ssh time-out 30
ip ssh authentication-retries 5
!
track 123 ip sla 1 reachability
delay down 12
!
track 456 ip sla 2 reachability
delay down 12
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 107
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all out-in
match access-group 111
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all VNC_CLASS
match access-group name VNC
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all SELF-OUT
match access-group name SELF-OUT
class-map type inspect match-all OUT-SELF
match access-group name OUT-SELF
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect out-in
inspect
class type inspect VNC_CLASS
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect out-in
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect OUT-SELF
pass
class class-default
drop log
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
pass
class type inspect ccp-icmp-access
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect SELF-OUT
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.62.176.1 track 123
ip route 0.0.0.0 0.0.0.0 24.61.144.1 2 track 456
ip route 4.2.2.2 255.255.255.255 FastEthernet0/1
ip route 192.55.83.30 255.255.255.255 FastEthernet0/0
ip route 192.168.5.0 255.255.255.0 192.168.5.2
ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.15.0 255.255.255.0 192.168.5.2
ip route 192.168.25.0 255.255.255.0 192.168.5.2
ip route 192.168.35.0 255.255.255.0 192.168.5.2
ip route 192.168.45.0 255.255.255.0 192.168.5.2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.10.10 5900 interface FastEthernet0/0 5900
ip nat inside source route-map FA00 interface FastEthernet0/0 overload
ip nat inside source route-map FA01 interface FastEthernet0/1 overload
!
ip access-list extended OUT-SELF
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 22
permit udp any any eq bootpc
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq 22 any
permit tcp any eq www any
permit tcp any eq 443 any
ip access-list extended VNC
permit tcp any host 192.168.10.10 eq 5900
!
ip sla 1
icmp-echo 192.55.83.30
timeout 1500
threshold 10000
tag IMDFa00
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2
timeout 2500
threshold 10000
tag IMDFa01
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 2 life forever start-time now
logging 192.168.5.17
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=18
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 208.64.160.223 any
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 permit tcp any host 192.168.10.10 eq 5900
!
!
!
!
route-map FA01 permit 10
match ip address 101
match interface FastEthernet0/1
!
route-map FA00 permit 10
match ip address 101
match interface FastEthernet0/0
!
!
!
control-plane
!
!
...
end
03-11-2012 03:21 AM
Charles, that's because the SDM is crazy... You don't even have the VPN zone assigned anywhere, even though the SDM creates one...
But here is what you should do: (You should be able to copy and paste it when you have changed the IP-address)
ip access-list extended VNC_ACL
 permit tcp any host
class-map type inspect match-all VNC_CLASS-MAP
 match access-group name VNC_ACL
policy-map type inspect OUTSIDE-TO-INSIDE_POLICY-MAP
 class type inspect VNC_CLASS-MAP
  inspect
zone-pair security OUTSIDE-TO-INSIDE_ZONE-PAIR source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE_POLICY-MAP