I have a customer who is connecting remotely using VNC to a computer inside an office network that has a Cisco 827 connecting to the Internet. Previously the remote PC had a static IP address and I was using the following syntax to restrict access to this address: access-list 101 permit tcp host 1.2.3.4 host 4.5.6.7 eq 5900 where 1.2.3.4 is the remote static IP and 4.5.6.7 is the Cisco static IP and port 5900 is for VNC. I have another entry earlier it pinhole 5900 as follows: ip nat inside source static tcp 192.168.1.6 5900 4.5.6.7 5900 extendable where 192.168.1.6 is the VNC host PC inside the office network. The customer is now using a 3G card which can't get a static address. However they IP they get assigned is within an IP address range such that the first 2 octets are the same. ie 1.2.33.44 or 1.2.55.66. I entered the following line into the Cisco box but it isn't allowing access. access-list 101 permit tcp host 1.2.0.0 host 4.5.6.7 eq 5900 I figured the .0.0 should allow access to anyone connecting from 1.2.x.y. Can anyone please enlighten me on how to make this work?