08-23-2006 05:34 AM - edited 03-03-2019 04:39 AM
I have an old 2610XM that I set up as a cable modem router. Fa0/0 faces the Internet, Fa1/0 faces the LAN. Everything is working fine. However, in order to get access to my desktop PC via VNC, I added a line -- ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0/0 5900 --
That works perfectly, but I want to lock it down further by creating a statement that only allows a certain IP to make that connection. I have tried access-lists but have had no luck attaching them to an interface with access-group.
08-23-2006 06:54 AM
Well, but can you show us something about the config you've done?
And, what is exactly the problem or error message that appears when you try to apply the access-list to the interface.
08-23-2006 07:03 AM
!
interface FastEthernet0/0
description WAN Link
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet1/0
description LAN Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0/0 5900
ip nat inside source static tcp 192.168.1.245 80 interface FastEthernet0/0 8080
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
The issue is that when I added -- access-list 101 permit tcp my.private.ip 0.0.0.192 eq 5900 host 192.168.1.10 eq 5900 --
followed by -- int fa1/0 -- access-group 101 out --
what happened was that the VNC connection was allowed, but the PCs connected to the switch were no longer able to browse the Internet.
08-23-2006 07:01 AM
Hi,
though I do not exactly know your config, the possibilities are:
access-list 100 permit tcp host 1.1.1.1 any eq 5900
access-list 100 deny tcp any any eq 5900
access-list 100 permit ip any any
interface FastEthernet0/0
access-group 100 in
First line in ACL 100 allows the specific host IP (adjust to your requirements) to access TCP port 5900 (vnc).
Second line denies any other host accessing vnc.
Third line allows all other internet traffic.
Or you place another ACL on Fa1/0
access-list 101 permit tcp host 1.1.1.1 host 192.168.1.10 eq 5900
access-list 101 deny tcp any host 192.168.1.10 eq 5900
access-list 101 permit ip any any
interface FastEthernet1/0
access-group 101 out
Hope this helps! Please rate all posts.
Regards, Martin
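To make the difference between the two ACLs concrete, here is an added example (not from the thread or from Cisco) that simulates how IOS evaluates a numbered extended ACL: top-down, first match wins, and an implicit "deny ip any any" at the end. It feeds three constructed packets through a single-line ACL like the original poster's (written with "host 1.1.1.1", the placeholder address from Martin's post, and without the source-port qualifier, as a simplification) and through Martin's three-line ACL 101. The packets, addresses and port numbers are constructed for the example; the simulator only handles the "ip"/"tcp" protocols and the "host", "any", wildcard-mask and "eq" keywords that appear in this thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'.
    0.0.0.0 is an exact host, 255.255.255.255 is 'any'."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp"
    src: str
    src_wc: str
    src_port: Optional[int]
    dst: str
    dst_wc: str
    dst_port: Optional[int]


def _take_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume an address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _take_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip|tcp SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = t[2], t[3]
    src, src_wc, i = _take_addr(t, 4)
    src_port, i = _take_port(t, i)
    dst, dst_wc, i = _take_addr(t, i)
    dst_port, i = _take_port(t, i)
    return Ace(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.src_port is not None and ace.src_port != pkt.sport:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins. No match hits the implicit deny that
    IOS never displays, which is what broke web browsing for the poster."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line).action, line
    return "deny", None


# Constructed traffic as seen leaving Fa1/0 toward the LAN (after NAT).
PACKETS = {
    "vnc_from_admin": Packet("tcp", "1.1.1.1", 50123, "192.168.1.10", 5900),
    "vnc_from_stranger": Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 5900),
    # Reply from a web server to a LAN PC that is browsing.
    "http_reply_to_lan": Packet("tcp", "198.51.100.7", 80, "192.168.1.20", 51234),
}

# Simplified form of the original poster's single-entry ACL.
ASKER_ACL = ["access-list 101 permit tcp host 1.1.1.1 host 192.168.1.10 eq 5900"]

# Martin's ACL 101 for 'ip access-group 101 out' on Fa1/0.
MARTIN_ACL = [
    "access-list 101 permit tcp host 1.1.1.1 host 192.168.1.10 eq 5900",
    "access-list 101 deny tcp any host 192.168.1.10 eq 5900",
    "access-list 101 permit ip any any",
]


def verdicts(acl: List[str]) -> dict:
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("asker :", verdicts(ASKER_ACL))
    print("martin:", verdicts(MARTIN_ACL))
```

With the poster's one-line ACL, the VNC session from the permitted host is allowed, but the HTTP reply to a browsing LAN PC falls through to the implicit deny, so browsing stops. Martin's version ends with "permit ip any any", so everything other than VNC from unlisted sources passes.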