I need help please. I need to re


Gigaic (Technical User), Feb 8, 2006, GH
I need help please.

I need to restrict remote VPN access to a LAN-side server (192.168.1.2, NATted to 41.204.56.251). At the moment any IP address from the Internet can access the server once the person knows the NAT IP and the password.

How do I allow vnc access only to IP address 41.204.54.98?

Below is my current config:
**********************************************************
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 41.204.56.250 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
switchport mode trunk
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 10.200.18.2 255.255.255.0
ip virtual-reassembly
!
interface Vlan3
ip address 172.16.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 41.204.56.249
ip route 10.1.0.0 255.255.0.0 10.200.18.1
ip route 10.76.100.0 255.255.255.0 10.200.18.1
ip route 192.168.0.0 255.255.255.0 10.200.18.1
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.2 41.204.56.251
ip nat inside source static 192.168.1.3 41.204.56.252
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
**************************************************
Thanks
 
What port does VNC use?

ip nat inside source static tcp 192.168.1.2 21 41.204.56.251 21

This example would be for FTP access only. Just replace the 21 with the proper port numbers (and the proper IP addresses, of course), and replace tcp with udp if it is UDP you need.

Burt
 
Hi Burt,

That is already done if you look at the 4th line from the bottom of my posted config.

Now, I do have support people accessing the local machine (192.168.1.2) over the Internet. I have given them the password and the outside IP address (41.204.56.251). How do I restrict access to their office IP only (41.204.54.98), so that ex-employees are not able to access the local machine?

Thanks
George
 
You asked to have it accessed via VNC ONLY; the last four lines in your post do not have the tcp keyword, nor do they have port numbers. This is how you would make the server accessible via VNC only. If this is not what you wanted, then I apologize for misunderstanding.
Now, to answer the second question, an ACL denying that IP would be great:
access-list 121 deny ip 41.204.54.98 0.0.0.255 host 192.168.1.2
access-list 121 permit ip any any
then apply it inbound to the outside interface...
router(config)#int fa0/1
router(config-if)#ip access-group 121 in

Burt
 
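Added example, not part of Burt's or George's posts: a whitelist-style IOS configuration that does what George asked for, i.e. exposes the server's VNC port on 41.204.56.251 and lets only the support office 41.204.54.98 reach it. It builds on the config George posted. Assumptions not in the thread: VNC listens on its default TCP port 5900 on 192.168.1.2, the ACL name OUTSIDE-IN is unused, and nothing else on the LAN (including the second static NAT for 192.168.1.3) needs unsolicited inbound connections; if 192.168.1.3 does, add a permit for it before the final deny. Two practitioner caveats are built in: an ACL applied inbound on the NAT-outside interface is evaluated before the outside-to-inside translation, so it has to match the public destination address, not 192.168.1.2; and an inbound deny-by-default ACL on the outside interface must still let return traffic for the LAN's own outbound PAT sessions back in, which the established/DNS/ICMP entries below do crudely (stateful inspection with ip inspect or the zone-based firewall is the cleaner replacement for those lines).

```ios
! Added example (not from the original thread). Restrict inbound VNC to
! the NATted server so that only the support office can reach it.
!
! Assumptions: VNC on its default TCP port 5900 (assumed), ACL name
! OUTSIDE-IN is free (assumed), no other unsolicited inbound traffic
! is needed (assumed; add permits for 41.204.56.252 if 192.168.1.3 needs any).
!
! 1. Narrow the static NAT from "every port" to only the VNC port, so the
!    public address exposes nothing but VNC. Clear existing translations
!    first if the router refuses to remove the old entry.
clear ip nat translation *
no ip nat inside source static 192.168.1.2 41.204.56.251
ip nat inside source static tcp 192.168.1.2 5900 41.204.56.251 5900
!
! 2. Inbound filter on the outside interface. Evaluated BEFORE the
!    outside-to-inside NAT translation, so the destination is the
!    public address 41.204.56.251, not 192.168.1.2.
ip access-list extended OUTSIDE-IN
 remark only the support office may reach VNC on the server
 permit tcp host 41.204.54.98 host 41.204.56.251 eq 5900
 remark return traffic for TCP sessions the LAN users opened outbound via PAT
 permit tcp any any established
 remark DNS replies for LAN clients (source port 53 on the resolver)
 permit udp any eq domain any
 remark ICMP replies so ping, traceroute and path MTU discovery keep working
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark log anyone else probing the server's public address
 deny   ip any host 41.204.56.251 log
 deny   ip any any
!
! 3. Apply it inbound on the NAT-outside interface.
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
```

After applying it, `show ip access-lists OUTSIDE-IN` shows hit counters per line; a VNC attempt from any address other than 41.204.54.98 should increment the logged deny for 41.204.56.251 rather than the permit. Because the filter is a whitelist, removing access for a departed support firm is a matter of deleting or changing the single permit line rather than chasing the addresses ex-employees might connect from.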