(Names, IPs, and ports have been changed to protect the innocent.)
Here's the situation.
The company I'm helping out uses VNC for remote access. Specifically, RealVNC on Windows XP. Keep in mind that the default TCP port for RealVNC is 5900.
They have multiple internal workstations that are running RealVNC server. Each one has a specific port mapping from the Cisco ASA firewall. So let's pretend the external IP on the Internet side of the ASA is 208.81.201.34. On the ASA, port 6100 would be forwarded to Alice at 192.168.1.100. Port 6101 would be forwarded to Bob at 192.168.1.101. Port 6102 would be forwarded to Charlie at 192.168.1.102.
With this setup, you would think that one of the following possibilities would be true. Either:
A) The listening port on the VNC service on each workstation would be changed to reflect the appropriate port. So if I launched RealVNC in Windows XP on Bob's workstation, it should show 6101 as the listening port.
or B) The Cisco ASA firewall would be configured to translate each port appropriately. So port 6101 would be translated to port 5900 on 192.168.1.101.
Neither of these are true.
The Cisco ASA is doing a straight port forward according to ASDM. Incoming connections to 6101 on the firewall's external IP are being forwarded straight to 6101 on Bob's local workstation, for instance. VNC is listening on port 5900 on each station.
How could this be working?

PS: I know this setup is ass-backwards and stupid. I didn't do it.
I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
I also acknowledge that this setup is ass-backwards but you didn't do it.
That's a good idea. All I've done so far is to try a test connection from another LAN workstation.
Also, I'm glad to see I'm not crazy.
The other thing is that I've been working entirely in ASDM. I haven't tried actually checking the rules from the CLI yet.
Thanks for the ideas, guys.
the "no true scotch man" fallacy.
Ran netstat on a workstation, and it does show that VNC is listening on the nondefault port: 6101.
The RealVNC server configuration dialogs show that it is listening on 5900.
Doing a search in the registry for the string "6101" doesn't reveal anything related to VNC.
But this gives me something to go on. Thanks, guys.
the "no true scotch man" fallacy.
I thought of that too. The XP firewall and TCP filtering features were turned off.
I'm thinking there might be an additional instance of VNC installed, like a "silent install" or something like that.
the "no true scotch man" fallacy.
That's what I was thinking. Check your services on the machine.
I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
So I did a quick test of it on my test box, which has a listening VNC server. And the local netstat reports it as 5800 and 5900 respectively even though the firewall is configured to forward 6101 to 5900.
As a longshot, Feral, are the people with incoming connections using the Java server connection or the regular one?
VNC isn't running as a service, and the task list doesn't show anything that could obviously account for a VNC app, other than the single instance of VNC I see running the system tray. (Neither services.msc nor NET START show any VNC-related services running at all.)
I don't think they're using the Java server connection. What they say is they go to a remote location, plug in their IP address and external port number in the form 208.81.201.34:6101 into a RealVNC client and connect up.
At this point, it's turned into more of an intellectual puzzle than anything else. I'm now certain that it's just some weird software config running on the workstation machine, which means that if I need to reinstall Windows or set up a new user I can do it right (with port translation on the router) and make it work.
Thanks, everybody.
the "no true scotch man" fallacy.
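The "do it right" layout the post above has in mind (the ASA translating the external port to 5900 on each workstation, so the VNC server keeps its default port), written out as an added example rather than anything taken from the thread. The thread does not say which ASA software version is in use, so both the pre-8.3 `static` form and the 8.3+ object NAT form are shown; the object name `bob-vnc`, the ACL name `outside_in`, and the interface names `inside`/`outside` are assumptions. Only Bob's mapping is shown; Alice and Charlie get the same two lines with their own port and host.

```text
! --- ASA 8.2 and earlier: static PAT on the outside interface ---
! external 208.81.201.34:6101  ->  192.168.1.101:5900
static (inside,outside) tcp interface 6101 192.168.1.101 5900 netmask 255.255.255.255
! pre-8.3 ACLs match the mapped (external) address and port
access-list outside_in extended permit tcp any host 208.81.201.34 eq 6101
access-group outside_in in interface outside

! --- ASA 8.3 and later: object NAT (real port first, mapped port second) ---
object network bob-vnc
 host 192.168.1.101
 nat (inside,outside) static interface service tcp 5900 6101
! 8.3+ ACLs match the real (inside) address and port
access-list outside_in extended permit tcp any object bob-vnc eq 5900
access-group outside_in in interface outside
```

The point to check after applying either form is the same one the thread was chasing: `show xlate` (or `show nat` on 8.3+) should list 6101 on the outside mapping to 5900 inside, and `netstat -an` on the workstation should show 5900 listening, not 6101.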
Edit - the PID is listed in the Task Manager (and Process Explorer, etc). In the task manager, it's not displayed by default, but you can show it by going to the view menu and choosing "Select Columns...". Then check the PID checkbox.
I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
The prior system administrator added the command-line option "-listen port" (i.e., -listen 6101) to the shortcut to launch the VNC listener on each machine.
This is one of those "god it was so simple once I found the problem" sorts of issues.
the "no true scotch man" fallacy.
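The investigation the thread did by hand (netstat shows 6101 listening, Task Manager gives the PID, the shortcut's command line carries `-listen 6101`) can be turned into a repeatable check. The script below is an added example, not code from the thread or from RealVNC: it parses the output of `netstat -ano` and of `wmic process get CommandLine,ProcessId /format:list`, finds which PID owns the listening socket on a given port, and reports whether a `-listen <port>` argument on that process explains the non-default port. The two sample outputs are constructed to mirror the thread (Bob's box, port 6101); the `winvnc4.exe` path and the `-listen` spelling are assumptions taken from the posts, not verified against a RealVNC install.

```python
"""Map a listening TCP port to its owning process and command line.

On the workstation itself you would run:
    netstat -ano                                     (XP: -o adds the PID column)
    wmic process get CommandLine,ProcessId /format:list
and pass both outputs to explain_port().  The samples below are constructed
for this example; the executable path is an assumption, not from the thread.
"""
import re

# Constructed `netstat -ano` output: VNC is *not* on 5900, it is on 6101.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1524
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       1524
  TCP    192.168.1.101:6101     192.168.1.50:3321      ESTABLISHED     1524
  UDP    0.0.0.0:500            *:*                                    708
"""

# Constructed `wmic ... /format:list` output for the VNC process (path assumed).
WMIC_SAMPLE = r"""
CommandLine="C:\Program Files\RealVNC\VNC4\winvnc4.exe" -listen 6101
ProcessId=1524
"""

# proto, local addr, local port, foreign addr, optional state, pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
LISTEN_RE = re.compile(r"(?:^|\s)-listen\s+(\d+)", re.IGNORECASE)


def parse_netstat(text):
    """Turn `netstat -ano` output into a list of socket records."""
    records = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:          # headers and blank lines
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        records.append({"proto": proto, "local_addr": laddr,
                        "local_port": int(lport), "foreign": faddr,
                        "state": state or "", "pid": int(pid)})
    return records


def listeners_on(records, port):
    """Sorted PIDs holding a TCP socket in LISTENING state on `port`."""
    return sorted({r["pid"] for r in records
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["local_port"] == port})


def parse_wmic_list(text):
    """Parse wmic /format:list output (blank-line separated Key=Value blocks)
    into {pid: command_line}."""
    procs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        if "ProcessId" in fields:
            procs[int(fields["ProcessId"])] = fields.get("CommandLine", "")
    return procs


def listen_override(cmdline):
    """Port given by a `-listen <port>` argument, or None if there is none."""
    m = LISTEN_RE.search(cmdline)
    return int(m.group(1)) if m else None


def explain_port(netstat_text, wmic_text, port):
    """For every process listening on `port`, return its PID, command line,
    and the port a `-listen` argument names (None if the command line does
    not account for the port and you have to look elsewhere)."""
    procs = parse_wmic_list(wmic_text)
    hits = []
    for pid in listeners_on(parse_netstat(netstat_text), port):
        cmd = procs.get(pid, "<pid not present in wmic output>")
        hits.append({"pid": pid, "cmdline": cmd,
                     "listen_arg": listen_override(cmd)})
    return hits


if __name__ == "__main__":
    for hit in explain_port(NETSTAT_SAMPLE, WMIC_SAMPLE, 6101):
        print(hit)
```

If `listen_arg` comes back None for a process that is nonetheless on the odd port, the command line does not explain it and the next places to look are the ones the thread went through: the service list, the registry, and a second installed copy of the program.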