
Pix 506 Port Forwarding for VNC 1


jfoster06

IS-IT--Management
Feb 23, 2007
Hi
I wanted to bounce some commands off the forum.

I'm trying to move a client from a Linksys to a Pix 506.
In the Port Range Forward they have the following setup.

(App)VNC_Paul, (Start) 5907, to (End) 5907, (Protocol) tcp and udp (Ip) 192.168.1.7
does this command translate to
static (inside,outside) xxx.xxx.101.90 5907 192.168.1.7 5907 netmask 255.255.255.255 0 0

I have about 8 of these with a range from 5900-5956.
Do I need to have an access list for these ports?

Thanks in advance.

jf
 
Yes, that is correct, and yes, you will need an access-list. VNC is a very poor remote access solution. You should configure a VPN on the PIX and let them connect. If they run XP they can then RDP to their workstation if need be.
 

Hmmmm.
Good idea. One issue is they only have two public IPs.
Will the RDP option still work? And if so, can you get me started on the command?
Thanks
jf
 
You can change the port on the PCs so that you can have many connect through one IP. It is a registry entry that you change and reboot. Google "remote desktop ports" and you will see how to change it. Then you just put the name or IP into the remote connection and put a colon and then the port number.
 
Do these look right for the access lists?

access-list inbound permit tcp any host 192.168.1.7 eq 5907

access-group inbound in interface outside
 
You can set the PIX to listen on other ports and then have them translated to different ports once inside.

I recommend this when using RDP and VNC especially. I use non-standard ports for all services that I want private. The standard script kiddie checks 3389, so I use another port that isn't used by any services that I need accessible to the world at large.

For example: have the PIX listen on port 3390 and forward that to a box on the inside as port 3389.

In your case
static (inside,outside) tcp xxx.xxx.101.90 6800 192.168.1.7 5907 netmask 255.255.255.255
access-list inbound permit tcp any host xxx.xxx.101.90 eq 6800
access-group inbound in interface outside

Just create a static like this for each internal IP and keep changing the externally visible port number. Then add those ports to the access list. You will be up and running.

Now the VPN is a better choice but this will work like you wanted.




Brent
Systems Engineer / Consultant
CCNP, CCSP
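To make the "one static per inside host, one ACL entry per outside port" procedure concrete, here is an added example that is not from the thread or from Cisco. It takes a Linksys-style port-forward list and emits the equivalent PIX 6.x static PAT and access-list lines in the form Brent shows above: the `tcp` keyword on each `static`, a unique non-standard outside port per inside VNC display, and ACL entries that match the mapped (public) address rather than the inside address, which is how pre-8.3 PIX code evaluates an inbound ACL. The public address `xxx.xxx.101.90` is the placeholder from the thread; the inside hosts other than `192.168.1.7:5907` are constructed for the example. VNC (RFB) only needs TCP, so the Linksys "tcp and udp" entry collapses to a TCP static.

```python
#!/usr/bin/env python3
"""Translate Linksys port-forward entries into PIX 6.x static PAT + ACL lines.

Added example, not code from the thread. Assumes the thread's placeholder
public IP and a hypothetical list of inside VNC hosts.
"""
from dataclasses import dataclass

PUBLIC_IP = "xxx.xxx.101.90"   # placeholder public address as written in the thread
FIRST_EXTERNAL_PORT = 6800     # first non-standard outside port (Brent's suggestion)


@dataclass(frozen=True)
class Forward:
    app: str    # label from the Linksys "Port Range Forward" page
    port: int   # inside (real) TCP port the VNC server listens on
    host: str   # inside (real) address


# Constructed sample: the poster's real entry plus made-up siblings in 5900-5956.
FORWARDS = [
    Forward("VNC_Paul", 5907, "192.168.1.7"),
    Forward("VNC_Host2", 5908, "192.168.1.8"),
    Forward("VNC_Host3", 5912, "192.168.1.12"),
]


def pix_static_pat(public_ip, ext_port, fwd):
    # PIX 6.x port redirection. The 'tcp' keyword is what makes this a PAT
    # static; without it the parser expects a one-to-one static and chokes on
    # the extra port arguments (the error the poster hit).
    return (f"static (inside,outside) tcp {public_ip} {ext_port} "
            f"{fwd.host} {fwd.port} netmask 255.255.255.255")


def pix_acl_entry(acl_name, public_ip, ext_port):
    # Pre-8.3 PIX: an inbound ACL on the outside interface is checked against
    # the mapped (public) address and port, not the inside address.
    return f"access-list {acl_name} permit tcp any host {public_ip} eq {ext_port}"


def build_config(forwards, public_ip=PUBLIC_IP,
                 first_ext_port=FIRST_EXTERNAL_PORT, acl_name="inbound"):
    """Return (config_lines, {ext_port: Forward}) for the given forward list."""
    ext_ports = {}
    inside_sockets = set()
    statics, acl = [], []
    for i, fwd in enumerate(forwards):
        ext_port = first_ext_port + i
        if not 1 <= ext_port <= 65535:
            raise ValueError(f"outside port {ext_port} out of range")
        if (fwd.host, fwd.port) in inside_sockets:
            # Two statics for the same inside socket would overlap.
            raise ValueError(f"duplicate inside socket {fwd.host}:{fwd.port}")
        inside_sockets.add((fwd.host, fwd.port))
        ext_ports[ext_port] = fwd
        statics.append(pix_static_pat(public_ip, ext_port, fwd))
        acl.append(pix_acl_entry(acl_name, public_ip, ext_port))

    lines = ["! --- static PAT entries, one per inside VNC display ---"]
    lines += statics
    lines.append("! --- inbound ACL, applied once on the outside interface ---")
    lines += acl
    lines.append(f"access-group {acl_name} in interface outside")
    return lines, ext_ports


if __name__ == "__main__":
    config, mapping = build_config(FORWARDS)
    print("\n".join(config))
    print()
    for ext_port, fwd in sorted(mapping.items()):
        # Hand this table to the client: which outside port reaches which display.
        print(f"{fwd.app:<10} -> {PUBLIC_IP}:{ext_port} (inside {fwd.host}:{fwd.port})")
```

Each outside port must be unique per public address, because a PAT static is keyed on the mapped port; the script allocates them sequentially from `FIRST_EXTERNAL_PORT` and refuses duplicate inside sockets. The ACL entries still use the mapped address here because this is PIX 6.x; on ASA 8.3 and later the inbound ACL references the real (inside) address instead.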
 
Having an issue when trying to add the static routes.
Command I'm using is "static (inside,outside) xx.xxx.101.90 6800 192.168.1.7 5907 netmask 255.255.255.255 0 0"
It says "number of maximum connections should lie between 0 and 65535"

I thought the 0 on the end set the connections to default.

Thanks for the help.
jf
 
There is a "tcp" part in there. You need that to make it port redirection (PAT) vs. a straight static.

static (inside,outside) tcp xxx.xxx.101.90 6800 192.168.1.7 5907 netmask 255.255.255.255


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrover,
That worked.
Thanks for the help.
jf
 
Glad it worked.

There are versions of VNC that can use an encryption plugin. I highly recommend that since standard VNC is not encrypted and easy to sniff/spoof.
RDP is better but there are still problems.
VPN is the best.

Enjoy.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 