Cisco RV110W Firewall Settings in Router Mode

danielheppner
Level 1

Hello,

I have a Cisco RV110W in Router Mode because I don't want to use NAT.

The WAN side is configured with a static IP address (10.0.0.2). One more PC is connected to this network with address 10.0.0.3.

The LAN side uses the default configuration (IP 192.168.1.1) and some PCs are connected.

The firewall is enabled in the Basic Settings page. Default outbound policy is set to "allow". One access rule always allows traffic from WAN to LAN side on port 35101, because there is a TCP server running.

1. Why can I only specify one destination IP and not an IP range? Why is it not possible to allow TCP traffic on one port for all devices on LAN side?

2. The manual says that once the firewall is enabled, all incoming traffic that matches no access rule is blocked by default. I don't see that here. All traffic reaches the destination until I create an access rule that explicitly blocks.

3. Rules for the ICMP protocol do not seem to work. If an access rule for blocking ICMP is enabled, I can reach all devices using ping.

I hope someone has an idea what's wrong with my configuration.

Thanks,

Daniel


lariasqu
Level 1

Hi, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. I am glad to provide the proper answer for your questions.

1. Following the admin guide on page 88, you are able to specify a range of the source that you select in step 3. For example, if you select WAN to LAN in this case the range that you need to specify is the WAN included to the rule and vice versa. That will be the source range. Below you can find the Admin guide link.

http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf

2. For this feature you need to select Deny in Default Outbound Policy, so by default the IP addresses that don't match any access rule will be denied. (Don't forget to save the changes when you change the option.)

3. For the ICMP protocol you could create a service in Firewall > Service Management, put a service name and select ICMP protocol, then create an ACL for this protocol.

I hope you find this answer useful.

Greetings,

Luis Arias.

Cisco Network Support Engineer.

Hi, thank you for your answer.

1. I don't understand this. I have multiple TCP servers on the LAN side listening on port 35001 for connections. They have the IP addresses 192.168.1.10 to 192.168.1.15. I want to allow connections from any WAN IP to each of these servers. Why can't I create an ACL like this: Always allow TCP 35001 from any to any? Or from any to 192.168.1.10-192.168.1.15?

I can only create multiple access rules because the drop down menu is disabled and only allows a single IP:

Always allow TCP 35001 from any to 192.168.1.10

Always allow TCP 35001 from any to 192.168.1.11

...

Always allow TCP 35001 from any to 192.168.1.15

2. The admin guide says:

- "The Access Rules page allows you to configure the default outbound policy.." <- This means LAN to WAN, is that correct? I would like to allow all traffic from LAN to WAN.

- "The default inbound policy for traffic flowing from the non-secure zone to the secure zone is always blocked and cannot be changed." <- WAN to LAN? I want to deny all traffic from the Internet to the local network except one TCP port. My problem was that the default inbound policy does not work with my device.

3. This is exactly what I did, and it does not work.


Same problem: the default inbound policy doesn't work.

With a port forwarding configured, firewall is bypassed. Without port forwarding, even with an access rule I can't access.