
nat port 5900


handlepascal (Technical User), joined Sep 27, 2004, 2 messages, location: ES
Hi!
I wanted to modify a well configured (I suppose) 827 to NAT the public port 5900 (VNC) to port 5900 of 10.158.188.45 (for example). I found in this forum that I could do:
ip nat inside source static 10.158.188.45 5900 interface Dialer0 5900
but it is not working.
I suppose that the access list is blocking me, but I am completely useless with Cisco (and English); any help is welcome.



Using 2341 out of 131072 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 981522952
!
logging queue-limit 100
enable secret 5 $1$TFgd$fTaGKUKW0X3UYCj0
!
username concesionarios password 7 045C1823jedd7e8fd
ip subnet-zero
no ip source-route
no ip domain lookup
ip name-server 195.235.113.3
ip name-server 195.235.96.90
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
!
no ip bootp server
ip reflexive-list timeout 900
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
ip address 10.158.188.253 255.255.255.0
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/32
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group filtrosdeentrada in
ip access-group filtrosdesalida out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname OOXQRDHK@terradsl
ppp chap password 7 151D520E320F1C0270
ppp pap sent-username OOXFTPHK@terradsl password 7 151D560F35C3A0
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
ip access-list extended filtrosdeentrada
permit icmp host 192.101.1.73 any echo-reply
permit icmp host 192.101.1.106 any echo-reply
permit icmp host 192.101.1.126 any echo
permit tcp host 192.101.1.126 any eq telnet
permit tcp any eq ftp-data any
evaluate traficoip
deny ip any any log
ip access-list extended filtrosdesalida
permit ip any any reflect traficoip
access-list 1 permit 10.158.188.0 0.0.0.255
access-list 11 permit 192.101.1.126
access-list 11 permit 10.158.188.0 0.0.0.255
access-list 11 deny any log
access-list 23 permit 10.10.10.0 0.0.0.255
no cdp run
!
banner login ^CADVERTENCIA: El acceso no autorizado sera registrado y
rigurosamente perseguido^C
!
line con 0
login local
stopbits 1
line vty 0 4
access-class 11 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
 
I'm no expert with Cisco, but from the looks of it, that would probably work:

ip nat inside source static 10.158.188.45 5900 interface Dialer0 5900

Also, you would need to permit this connection in your ACL.
I believe if you add the following to your "filtrosdeentrada" ACL, it would work.

"permit tcp any eq 5900 any"


You could even set it to translate the port as you enter the router, for more security. You could set it to port 5950 on the outside, and it would translate into 5900 on the inside.
This could prove to be a little more secure, being as VNC is a popular remote program and 5900 is a known port.

You could do that with the following command :

ip nat inside source static 10.158.188.45 5900 interface Dialer0 5950

and the ACL :
"permit tcp any eq 5950 any"

Then you would just use VNC to connect to "x.x.x.x:5950" and it should work just fine.

hope this helps at least a little hehe
 
Thanks for the answer, but...
I have tried:
ip nat inside source static tcp 10.158.188.122 5900 interface Dialer0 5900
ok
but when I tried:
access-list filtrosdeentrada permit any eq 5900 any
it told me that the input filtrosdeentrada is not correct.
I have tried to do
access 101 permit tcp any eq 5900 any
with no result (the entry is accepted).
I have also tried:

access 101 permit tcp host 10.158.188.122 eq 5900 any
No way!
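A worked version of the forward the reply proposes, as an added example not taken from any post in this thread: it puts the inbound ACL entry on the destination port (the inbound filter on Dialer0 is checked before NAT, so it must match the public port, whereas "any eq 5900 any" matches a source port) and re-orders the named ACL so the new entry lands before the existing deny. It assumes the internal VNC host 10.158.188.45 and public port 5950 from the posts above, and that the only VNC client is 192.101.1.126, the host the existing filter already trusts for telnet (an assumption; substitute the real client address).

```cisco
! Static PAT: public TCP port 5950 on the Dialer0 address -> 10.158.188.45:5900.
! The tcp keyword is mandatory when ports are given; without it IOS rejects the line.
ip nat inside source static tcp 10.158.188.45 5900 interface Dialer0 5950
!
! The inbound filter on Dialer0 is evaluated before the translation, so the entry
! must match the public (pre-NAT) destination port "eq 5950" after the destination.
! Entries added to a named ACL are appended after the existing "deny ip any any log",
! so remove that line, add the permit, then put the deny back at the end.
! 192.101.1.126 is assumed to be the VNC client (it is the host the filter already
! trusts for telnet); use "any" instead of "host ..." only if the client has no fixed address.
ip access-list extended filtrosdeentrada
 no deny ip any any log
 permit tcp host 192.101.1.126 any eq 5950
 deny ip any any log
 exit
!
! "access-list 101 ..." entries are accepted by the parser but have no effect here,
! because ACL 101 is not applied to any interface with "ip access-group".
!
! Verification from exec mode after a connection attempt from the VNC client:
!   show ip nat translations              (expect a tcp entry whose inside local is 10.158.188.45:5900)
!   show ip access-lists filtrosdeentrada (the new permit line should show a match count)
```

The VNC client then connects to the Dialer0 public address on port 5950; if the translation table stays empty while the permit line counts matches, the problem is on the inside host, not on the router.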
 