
how to use vnc with access-list?

22293 (Technical User, NL), Dec 22, 2004
Hi,

I want to restrict traffic between HQ (192.168.20.0/24) and the branch office (192.168.15.0/24).

I thought this would work, but it doesn't:

interface Ethernet0
 ip address 192.168.15.254 255.255.255.0
 ip access-group 100 in
!
! ACL 100 filters packets entering the router from the branch LAN
no access-list 100
access-list 100 permit icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 echo
access-list 100 permit icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 echo-reply
access-list 100 permit tcp any any eq 5900

Starting a VNC session from 192.168.20.x to 192.168.15.x will not work. Without an ip access-list it does work.

What am I doing wrong?

John
 
The access list looks correct. Can you get VNC access without the ACL on? What OS is this? Have you checked to make sure that the service is listening on port 5900? Try netstat -a if it's a windows box.
 
You're not allowing VNC traffic to get back. There's an implicit "deny ip any any" at the end of your ACL. Try "access-list 100 permit tcp any eq 5900 any" - note 5900 is the source port, not the destination.

You could also change your access-group to apply the ACL "out" instead of "in".
 
Igarner,

Thanks, that works! :-D I added the line
access-list 100 permit tcp any eq 5900 any
to my access-list and it works.

I kept it an "in" ACL.

John
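The reason the original ACL failed, and the cost of the fix, can be seen by walking the VNC handshake through each version of the list. The following is an added example, not code from the thread: a small evaluator for the subset of Cisco IOS extended-ACL syntax used above (protocol, source/destination with wildcard mask, optional "eq" port on either side, "echo"/"echo-reply" for ICMP, and the "established" keyword, which on IOS matches only TCP segments with the ACK or RST bit set). The evaluator is a simplification of real IOS behaviour, and the host addresses, ports and packets are constructed for the example. It shows that the three-line ACL drops the VNC server's SYN-ACK (source port 5900, destination an ephemeral port) as it enters Ethernet0, that the line "permit tcp any eq 5900 any" lets that reply through, and that the same line also lets any branch host open an arbitrary TCP connection to HQ simply by choosing 5900 as its source port. Adding "established" (and pinning the subnets) keeps the return traffic while closing that hole.

```python
"""Evaluate a subset of Cisco IOS extended ACL syntax against sample packets.

Constructed example for the VNC/ACL thread; it is not code from the thread
and it simplifies real IOS semantics (first match wins, implicit deny at end).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""              # "echo" or "echo-reply"


def _parse_addr(tokens):
    """Consume 'any' or 'address wildcard' and return a matcher for an IP."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    net = int(ipaddress.IPv4Address(tok))
    keep = ~wild & 0xFFFFFFFF        # IOS wildcard: 0 bits must match, 1 bits are ignored
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & keep) == (net & keep)


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' entry into a rule dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    tokens = tokens[2:]                      # drop 'access-list' and the list number
    action = tokens.pop(0)
    proto = tokens.pop(0)
    src = _parse_addr(tokens)
    sport = _parse_port(tokens)
    dst = _parse_addr(tokens)
    dport = _parse_port(tokens)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, quals=set(tokens))


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not ace["src"](pkt.src) or not ace["dst"](pkt.dst):
        return False
    if pkt.proto == "tcp":
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            return False
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            return False
        # 'established' only matches segments carrying ACK or RST (IOS semantics)
        if "established" in ace["quals"] and not (pkt.flags & {"ACK", "RST"}):
            return False
    elif pkt.proto == "icmp":
        wanted = ace["quals"] & {"echo", "echo-reply"}
        if wanted and pkt.icmp_type not in wanted:
            return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; the implicit 'deny ip any any' ends the list."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# The ACL from the thread, applied 'in' on Ethernet0 (the branch LAN side),
# so it only ever sees packets sourced from 192.168.15.0/24.
ORIGINAL_ACL = [
    "access-list 100 permit icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 echo",
    "access-list 100 permit icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 echo-reply",
    "access-list 100 permit tcp any any eq 5900",
]
FIXED_ACL = ORIGINAL_ACL + ["access-list 100 permit tcp any eq 5900 any"]
HARDENED_ACL = ORIGINAL_ACL + [
    "access-list 100 permit tcp 192.168.15.0 0.0.0.255 eq 5900 "
    "192.168.20.0 0.0.0.255 established",
]

# Constructed packets as seen entering Ethernet0 (hosts and ports are assumed).
VNC_REPLY = Packet("tcp", "192.168.15.10", "192.168.20.5", sport=5900, dport=40000,
                   flags=frozenset({"SYN", "ACK"}))      # VNC server answering HQ
SPOOFED_SYN = Packet("tcp", "192.168.15.10", "192.168.20.5", sport=5900, dport=445,
                     flags=frozenset({"SYN"}))           # branch host dialling out from port 5900
PING = Packet("icmp", "192.168.15.10", "192.168.20.5", icmp_type="echo")


def verdicts():
    """Verdict of each ACL on each sample packet, keyed by (acl, packet) name."""
    acls = {"original": ORIGINAL_ACL, "fixed": FIXED_ACL, "hardened": HARDENED_ACL}
    pkts = {"vnc_reply": VNC_REPLY, "spoofed_syn": SPOOFED_SYN, "ping": PING}
    return {(a, p): evaluate(acl, pkt) for a, acl in acls.items() for p, pkt in pkts.items()}


if __name__ == "__main__":
    for (acl_name, pkt_name), verdict in sorted(verdicts().items()):
        print("%-9s %-12s %s" % (acl_name, pkt_name, verdict))
```

The original list denies the SYN-ACK because its only TCP entry matches on destination port 5900 and the reply carries 5900 as the source port. The one-line fix permits the reply but is equally happy to permit a fresh SYN from port 5900 to any service at HQ, which defeats the purpose of restricting the branch. The hardened entry keeps the reply, rejects that SYN, and limits the rule to the two subnets involved; on a platform that supports it, a stateful feature such as reflexive ACLs or CBAC is the fuller answer, since "established" only checks flag bits rather than tracking real sessions.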
 