
Weird-ass network problem (Cisco NAT, VNC, port forwarding)

Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
edited April 2009 in Help / Advice Forum
(Names, IPs, and ports have been changed to protect the innocent.)

Here's the situation.

The company I'm helping out uses VNC for remote access. Specifically, RealVNC on Windows XP. Keep in mind that the default TCP port for RealVNC is 5900.

They have multiple internal workstations that are running RealVNC server. Each one has a specific port mapping from the Cisco ASA firewall. So let's pretend the external IP on the Internet side of the ASA is 208.81.201.34. On the ASA, port 6100 would be forwarded to Alice at 192.168.1.100. Port 6101 would be forwarded to Bob at 192.168.1.101. Port 6102 would be forwarded to Charlie at 192.168.1.102.

With this setup, you would think that one of the following possibilities would be true. Either:

A) The listening port on the VNC service on each workstation would be changed to reflect the appropriate port. So if I launched RealVNC in Windows XP on Bob's workstation, it should show 6101 as the listening port.

or

B) The Cisco ASA firewall would be configured to translate each port appropriately. So port 6101 would be translated to port 5900 on 192.168.1.101.

Neither of these is true.

The Cisco ASA is doing a straight port forward according to ASDM. Incoming connections to 6101 on the firewall's external IP are being forwarded straight to 6101 on Bob's local workstation, for instance. VNC is listening on port 5900 on each station.

How could this be working?

PS, I know this setup is ass-backwards and stupid. I didn't do it.

every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

the "no true scotch man" fallacy.

Posts

  • embrik Registered User regular
    edited April 2009
    I can't see how that would work if VNC wasn't listening on the forwarded port. Have you run a Netstat -a on any of the PCs to see if VNC is listening on other ports?

    "Damn you and your Daily Doubles, you brigand!"

    I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
  • Ruckus Registered User regular
    edited April 2009
    Man, my only theory, and this is grasping at straws, I haven't config'd a cisco anything in years, is that the router has a firewall component that automatically generates NAT rules for Firewall rules that have been created, and the original admin set up firewall rules for each incoming connection.

    I also acknowledge that this setup is ass-backwards but you didn't do it.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited April 2009
    embrik wrote: »
    I can't see how that would work if VNC wasn't listening on the forwarded port. Have you run a Netstat -a on any of the PCs to see if VNC is listening on other ports?

    That's a good idea. All I've done so far is to try a test connection from another LAN workstation.

    Also, I'm glad to see I'm not crazy.
    Ruckus wrote: »
    Man, my only theory, and this is grasping at straws, I haven't config'd a cisco anything in years, is that the router has a firewall component that automatically generates NAT rules for Firewall rules that have been created, and the original admin set up firewall rules for each incoming connection.

    I also acknowledge that this setup is ass-backwards but you didn't do it.

    The other thing is that I've been working entirely in ASDM. I haven't tried actually checking the rules from the CLI yet.

    Thanks for the ideas, guys.

  • underdonk __BANNED USERS regular
    edited April 2009
    In this configuration it should be "B". Dump your access lists (sanitize them) and post them here. Sounds like they are dorked up.

    Back in the day, bucko, we just had an A and a B button... and we liked it.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited April 2009
    Update:

    Ran netstat on a workstation, and it does show that VNC is listening on the nondefault port: 6101.

    The RealVNC server configuration dialogs show that it is listening on 5900.

    Doing a search in the registry for the string "6101" doesn't reveal anything related to VNC.

    But this gives me something to go on. Thanks, guys.

  • Ruckus Registered User regular
    edited April 2009
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited April 2009
    Ruckus wrote: »
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

    I thought of that too. The XP firewall and TCP filtering features were turned off.

    I'm thinking there might be an additional instance of VNC installed, like a "silent install" or something like that.

  • embrik Registered User regular
    edited April 2009
    Feral wrote: »
    Ruckus wrote: »
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

    I thought of that too. The XP firewall and TCP filtering features were turned off.

    I'm thinking there might be an additional instance of VNC installed, like a "silent install" or something like that.

    That's what I was thinking. Check your services on the machine.

  • Thomamelas Only one man can kill this many Russians. Bring his guitar to me! Registered User regular
    edited April 2009
    Ruckus wrote: »
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

    So I did a quick test of it on my test box, which has a listening VNC server. And the local netstat reports it as 5800 and 5900 respectively even though the firewall is configured to forward 6101 to 5900.

    As a longshot Feral, are the people with incoming connections using the Java server connection or the regular one?

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited April 2009
    embrik wrote: »
    Feral wrote: »
    Ruckus wrote: »
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

    I thought of that too. The XP firewall and TCP filtering features were turned off.

    I'm thinking there might be an additional instance of VNC installed, like a "silent install" or something like that.

    That's what I was thinking. Check your services on the machine.

    VNC isn't running as a service, and the task list doesn't show anything that could obviously account for a VNC app, other than the single instance of VNC I see running the system tray. (Neither services.msc nor NET START show any VNC-related services running at all.)
    Thomamelas wrote: »
    Ruckus wrote: »
    Hmmm. I wonder if XP SP2+ firewalls have any port mapping/forwarding capabilities?

    So I did a quick test of it on my test box, which has a listening VNC server. And the local netstat reports it as 5800 and 5900 respectively even though the firewall is configured to forward 6101 to 5900.

    As a longshot Feral, are the people with incoming connections using the Java server connection or the regular one?

    I don't think they're using the Java server connection. What they say is they go to a remote location, plug in their IP address and external port number in the form 208.81.201.34:6101 into a RealVNC client and connect up.

    At this point, it's turned into more of an intellectual puzzle than anything else. I'm now certain that it's just some weird software config running on the workstation machine, which means that if I need to reinstall Windows or set up a new user I can do it right (with port translation on the router) and make it work.

    Thanks, everybody.

  • embrik Registered User regular
    edited April 2009
    Before I forget, I was troubleshooting another PC, and remembered that the Netstat command will give you the process ID number corresponding to each open port when you do netstat -a -o. This will tell you which process has the port open. Useful for determining just which program is the culprit.

    Edit - the PID is listed in the Task Manager (and Process Explorer, etc). In the task manager, it's not displayed by default, but you can show it by going to the view menu and choosing "Select Columns...". Then check the PID checkbox.

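    An added example, not from the thread or from any poster: a small Python script that does what embrik's netstat -a -o check does by hand, parsing the LISTENING lines into a port-to-PID map and then checking, against the thread's no-translation forwarding rules (6100 to .100, 6101 to .101, 6102 to .102), whether the host actually listens on its forwarded port and whether the RealVNC default 5900 is open at all. The netstat output and the PIDs are constructed, not captured from the machines in the thread.

    ```python
    import re

    # Constructed sample of "netstat -a -n -o" output from an XP host
    # (made up for this example; PIDs are not from the thread's machines).
    NETSTAT_SAMPLE = """
    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1844
      TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       1844
      TCP    192.168.1.101:139      0.0.0.0:0              LISTENING       4
      TCP    192.168.1.101:6101     10.0.0.5:51233         ESTABLISHED     1844
    """

    # The ASA rules as described in the thread: external port N is forwarded
    # straight to the same port N on the internal host, with no translation.
    FORWARDS = {6100: "192.168.1.100", 6101: "192.168.1.101", 6102: "192.168.1.102"}

    # Matches only TCP sockets in LISTENING state; captures local port and PID.
    LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


    def listening_ports(netstat_text):
        """Map each TCP port in LISTENING state to the PID that owns it."""
        ports = {}
        for line in netstat_text.splitlines():
            m = LINE_RE.match(line)
            if m:
                ports[int(m.group(2))] = int(m.group(3))
        return ports


    def check_forward(netstat_text, host_ip, forwards=FORWARDS, default_port=5900):
        """For the host the netstat came from, report whether the port the ASA
        forwards to it is really open (and by which PID) and whether the VNC
        default port is open. An empty dict means no rule targets this host."""
        ports = listening_ports(netstat_text)
        for ext_port, ip in forwards.items():
            if ip == host_ip:
                pid = ports.get(ext_port)
                return {
                    "forwarded_port": ext_port,
                    "listening": pid is not None,   # forward can only work if True
                    "pid": pid,                      # feed this into Task Manager / tasklist
                    "default_port_open": default_port in ports,
                }
        return {}


    if __name__ == "__main__":
        print(check_forward(NETSTAT_SAMPLE, "192.168.1.101"))
    ```

    Running the real check means replacing NETSTAT_SAMPLE with the actual output of netstat -a -n -o on the workstation; the PID it returns is what you look up in Task Manager with the PID column enabled.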
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited April 2009
    Solved:

    The prior system administrator added the command-line option "-listen port" (i.e., -listen 6101) to the shortcut that launches the VNC listener on each machine.

    This is one of those "god, it was so simple once I found the problem" sorts of issues.
