Allow VNC Access from Internet

VCsupport17 · ‎02-09-2017

Hello Community,

We have Cisco router 2911 and want to configure to allow a external VNC client to access the server using VNC on port 5901 TCP.

The internal server is on VLAN 10 with IP address 10.1.1.15 and the IP address of our router interface GE0/0 facing the internet is 123.1.2.3 for example.

I want to do a port forwarding of port 5901 from external to internal to allow external VNC client to access the server from internet.

I have this configuration of the router:

interface GigabitEthernet0/0
ip address 123.1.2.3 255.255.255.252
ip nat outside
ip virtual-reassembly in

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

ip address 10.1.1.1 255.255.255.0

ip nat inside
ip virtual-reassembly in

ip nat inside source static 10.1.1.15 123.1.2.3

ip nat inside source static tcp 10.1.1.15 5901 interface GigabitEthernet0/0 5901

ip nat inside source static tcp 10.1.1.15 5901 123.1.2.3 5901 extendable

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 100 permit tcp any host 123.1.2.3 eq 5901

Still i cannot connect using VNC from external.

Your help is highly appreciated.

Georg Pauwen · ‎02-09-2017

Hello,

where and how (in/out) do you have access list 100 applied ?

You have two static NAT entries, try and remove the first:

--> no ip nat inside source static tcp 10.1.1.15 5901 interface GigabitEthernet0/0 5901

ip nat inside source static tcp 10.1.1.15 5901 123.1.2.3 5901 extendable

VCsupport17 · ‎02-09-2017

Hi Georg,

Thank you for your response. i have deleted the first static NAT entry.

Where should i apply the (in/out) for access list 100? What is the command for that?

Georg Pauwen · ‎02-09-2017

Hello,

you don't need to apply the access list anywhere, I was just wondeing if it was applied, since it is in your config.

Either way, what message do you get when you access the server on port 5901 ?