I have a customer who is connecting remotely using VNC to a computer inside an office network that has a Cisco 827 connecting to the Internet. Previously the remote PC had a static IP address and I was using the following syntax to restrict access to this address: access-list 101 permit tcp host 220.127.116.11 host 18.104.22.168 eq 5900 where 22.214.171.124 is the remote static IP and 126.96.36.199 is the Cisco static IP and port 5900 is for VNC. I have another entry earlier it pinhole 5900 as follows: ip nat inside source static tcp 192.168.1.6 5900 188.8.131.52 5900 extendable where 192.168.1.6 is the VNC host PC inside the office network. The customer is now using a 3G card which can't get a static address. However they IP they get assigned is within an IP address range such that the first 2 octets are the same. ie 184.108.40.206 or 220.127.116.11. I entered the following line into the Cisco box but it isn't allowing access. access-list 101 permit tcp host 18.104.22.168 host 22.214.171.124 eq 5900 I figured the .0.0 should allow access to anyone connecting from 1.2.x.y. Can anyone please enlighten me on how to make this work?