Can't access the internet from RV320's DMZ

When upgrading to a 1000 Mbit/s internet connection, I bought the RV320.

My setup:

RV320 - Firmware 1.1.1.9
Working mode: Gateway
Fixed IP from ISP via DHCP
DMZ enabled 10.7.7.1 (10.7.7.0/24)

When I enabled the DMZ, the RV320 wrote new access rules on the fly (attached).

I can access my DMZ server from LAN via RDP. But the server has no internet access.

There are no hints in the administrator's guide what else to configure. Is there anything else to configure when running DMZ?

Regards

Ulrik

aforster.home
Level 1

It seems there are several questions on this matter, but no one to respond.. not even a "no.. it won't work".

Could anyone from Cisco please take a look at this?

Thanks.

Well - it all boils down to a crappy manual. Administration and configuration of the RV320 is miles apart from e.g. the ASA 5505, and if Cisco had bothered to write a decent manual and explained how the DMZ works on the RV320, then I wouldn't have spent hours solving the problem.

The ASA 5505 can easily administer a DMZ with only one IP#. The RV320 can't. It needs two IP#s. And I have only one.

And it would have been nice to get an answer from Cisco to my question. But no! I think this was the last Cisco router for me and my customers.

Ulrik,

What do you mean by "1 IP or 2 IPs"? Public IPs on the WAN1? Do we need a specific IP to NAT the DMZ subnet (and not the WAN1 IP)?

When you change the setting for the WAN 2 port to be the DMZ port, you need an extra public IP number. It took me hours to figure that out. Cisco could have mentioned this in the manual, but they didn't.

I have configured my RV320 with a VLAN, where I have placed the DMZ servers, and in the firewall settings made ACLs allowing http, ftp, smtp, pop3 and imap traffic from WAN to the VLAN. And I have in Setup -> Forwarding included the same traffic.

This works except for the ftp, probably because I don't use the standard port 21 for my server.

But this device is not documented as for example the ASA 5505 is. In the ASA you can include ports for various services, but this is not an option in the RV320.

I will never spend money on any low grade equipment from Cisco.

 

Well, if the DMZ port only works for internet outbound traffic if you have a public IP, your solution seems to be the only applicable way to have a separate VLAN for those hosts which receive internet inbound traffic. The problem with that is I'm not sure if you can restrict that DMZ subnet from accessing the internal network, as the firewall does not recognize VLANs as inbound interface when creating the rules. Maybe a Layer 3 filter that specifies the inbound interface as "LAN" would work, but I'm not sure how isolated they would be from each other due to the lack of documentation.

It would be a lot easier if they could allow us just to create NAT rules instead of trying to make only a user-friendly interface (that misses a lot of stuff).

Rickam
Level 1

Oh my. It's a full 5 years later and Cisco have not replied to your question. It sure would be nice if even their lowest tier support staff would occasionally visit the community and chime in with some answers.

My experience with the RV320 DMZ (using the DMZ port on the rear) was that the server connected to the DMZ port would accept inbound HTTP connections from the WAN, but could not initiate any outbound connections. This server cannot ping google, resolve names, or anything.

I have the same sentiment as others about configuring this particular Cisco device. The VPN has also been problematic (could not get it to work with any client including openVPN). Better documentation is required, and/or some intervention here in the forum. This is a small business product so the documentation should even contain working examples. Some older Cisco small business routers have fantastic documentation.

CLS commands for the device are also very limited. No fun for me because I actually like using Cisco CLS.