Port forwarding and firewall rules

Anthony Wood
Level 1

I have an RV042 in one office and we are moving to a VOIP telephone system.

They requested a bunch of ports open, and I wanted to make sure that only their IP addresses get into the local net.

I setup port forwarding to forward ports internally to their phone server, and then I setup firewall access rules only allowing their IP addresses into that phone server.

Now it seems as if all of the ports I forwarded are wide open!

What did I do wrong?

Any help is greatly appreciated!

Ant

9 Replies

Julio Carvajal
VIP Alumni

Now it seems as if all of the ports I forwarded are wide open!

What do you mean? Do you mean anyone can access it?

Can you share the configuration you used on that router?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am unsure how to do that.

Do I need to telnet/ssh into the router?

Thanks

Anthony

Hello Anthony,

You can do print screen if you like (easier, faster).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here you go.

Thanks again!

Hello Anthony Wood,

It is difficult to check the configuration with the screenshots, but I will try to help you.

What you need to do with the ACL on the WAN interface is to allow traffic to the WAN interface IP address on the right ports (SIP, HTTPS, FTP, etc.) and then just configure a deny IP any any, so you allow the traffic required and then deny the rest.

Also how did you test the router is open to the outside world?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I used a port scanner and it came back that ftp, telnet and http were open.

I am not sure what you mean by this.

"What you need to do with the ACL on the WAN interface is to allow traffic to the WAN interface IP address on the right ports (SIP, HTTPS, FTP, etc.)"

Are you saying to create a rule for every outside VOIP address to access WAN IP address, for every protocol needed?

Also, if you need clarification on something, let me know.

Thanks

Anthony

Are you saying to create a rule for every outside VOIP address to access WAN IP address, for every protocol needed?

Exactly. That would be the most secure desing, but it will be the less scalable and easy to configure. So, as this is a voice desing and there are going to be random IP addresses connecting, permit just the right ports on the outside, from any to the right TCP/UDP ports, and then just a deny IP any/any on that outside interface.

Regards.

Remember to rate all of the helpful posts

How to rate a post: mark the stars on the bottom of each reply, 5 being a thanks for a good answer, 1 being a bad answer.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
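As an added example that is not part of this thread and is not RV042 configuration syntax, the following Python models first-match access-rule evaluation for the two designs Julio describes above (one allow per provider source and port, or the ports from any source, each closed by an explicit deny IP any/any) next to a rule set that has no closing deny. The provider block 203.0.113.0/24 and the port list are constructed sample values; whether unmatched traffic is implicitly allowed or denied is platform-specific, so the audit helper reports the verdict under both assumptions rather than asserting the RV042's default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form, or "any"
    proto: str            # "tcp", "udp", or "ip" (any protocol)
    dport: Optional[int]  # destination port; None matches any port

def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    """True when the packet (src_ip, proto, dport) hits every field of the rule."""
    if rule.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules: List[Rule], src_ip: str, proto: str, dport: int, default: str) -> str:
    """First matching rule wins; 'default' stands in for the platform's implicit
    policy when nothing matches (an assumption, hence a parameter, not a constant)."""
    for rule in rules:
        if matches(rule, src_ip, proto, dport):
            return rule.action
    return default

def audit(rules: List[Rule], src_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Verdict under both possible implicit defaults. The rule set decided the
    packet explicitly only when the two verdicts agree."""
    return (evaluate(rules, src_ip, proto, dport, "allow"),
            evaluate(rules, src_ip, proto, dport, "deny"))

# Constructed sample values: the VoIP provider's block (RFC 5737 documentation
# range) and the ports the thread mentions (SIP, HTTPS, FTP).
PROVIDER_NET = "203.0.113.0/24"
VOIP_PORTS = [("udp", 5060), ("tcp", 5060), ("tcp", 443), ("tcp", 21)]
DENY_ALL = Rule("deny", "any", "ip", None)

# Design 1: one allow per provider source and port, closed by deny ip any/any.
PER_SOURCE_RULES = [Rule("allow", PROVIDER_NET, p, port) for p, port in VOIP_PORTS] + [DENY_ALL]

# Design 2: the ports from any source, closed by deny ip any/any.
ANY_SOURCE_RULES = [Rule("allow", "any", p, port) for p, port in VOIP_PORTS] + [DENY_ALL]

# The trap: allow rules with no closing deny, so unlisted traffic (e.g. telnet)
# is decided by whatever the platform's implicit policy happens to be.
NO_DENY_RULES = [Rule("allow", PROVIDER_NET, p, port) for p, port in VOIP_PORTS]
```

A rule set whose audit verdicts differ for some packet is relying on the implicit default, which is exactly the situation the closing deny IP any/any removes.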

What is "desing"?

Do the port forward rules apply to traffic before the firewall rules?

Thanks!

I mean design.

No, NAT goes afterwards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC