12-15-2010 05:05 PM
I have a client w/ an RV042 and she would like to selectively prohibit WAN access for specific computers on the LAN while still allowing them to use their browsers for server http access on port 80. The firewall deny rules don't seem to work as you might think - deny all traffic for a specific IP address and you can still browse the web at will.
Thanks
Attached files are:
saved config file from RV042 (saved as .txt not .exp)
PDF print of the firewall config page
Thanks
12-16-2010 09:42 AM
Mr. Peterson,
Can you attach the rules you have created to the forum, I can look at it and see if I see anything wrong with the settings?
12-17-2010 05:38 PM
Posted the files David, thanks.
12-22-2010 04:14 PM
Your description and your firewall rules don't match.
Since your description is not... precise (actually I don't understand what you are trying to say: deny all WAN traffic, but allow access to one server on port 80? or deny almost all WAN traffic except port 80 traffic?) it's hard to say how to fix things. Several problems are evident: the POP3 and SMTP rules are in the wrong order; I assume you wanted to allow all mail traffic, so put them first, i.e. the way they are now, if one of the deny rules hits then the other rules won't even be evaluated.
12-28-2010 03:39 PM
Renee,
Briefly - I have a client who would like to deny Internet access to specific IP addresses in her office but allow them to retain port 80 access for internal server applications. I've followed Cisco tech support suggestions but they have not worked.
Thanks for any help you can provide.
Cheers,
Michael
12-28-2010 04:19 PM
That's easy, just put an "allow rule" on top that allows traffic from Any(Any) to Single IP (the internal Web server) for service HTTP.
Then add "deny rules" for each IP or range of IPs that shouldn't have Web access; source LAN, single or range IP, destination Any, service HTTP. Notice that this rule doesn't stop HTTPS and many other services that could be abused: messenger, torrent, even http using a proxy on a different port; but it stops any direct connection to port 80 not allowed by the first rule.
To fix the "user workarounds" (like using a proxy to bypass the deny on port 80) you can add rules blocking traffic from WAN1 (and similar for WAN2) to the specific LAN IP; source WAN1(Any), destination LAN (IP or range), service All Traffic.
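The rule ordering in the answer above, and the "deny rule hit first means later rules are never evaluated" point from the earlier reply, are easy to get wrong in a GUI. The following is an added illustration, not code from the thread or from the RV042 firmware: a small first-match rule evaluator that models the two orderings. The interface names, the internal web server address 192.168.1.10, the blocked range 192.168.1.50-192.168.1.60 and the external address 203.0.113.5 are all constructed sample values. It also shows the caveat the answer mentions: the HTTP deny rule does not touch HTTPS from a blocked host.

```python
"""Minimal first-match firewall rule evaluator (added illustration, not RV042 code).

Models the ordering advised in the post: an allow rule for the internal web server
placed above per-host deny rules, evaluated top to bottom, first match wins.
All addresses and ranges below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    src_iface: str     # "LAN", "WAN1", "WAN2" or ANY
    src: str           # single IP, CIDR, RV042-style "a-b" range, or ANY
    dst: str
    service: str       # "HTTP", "HTTPS", "SMTP", ... or "ALL" (All Traffic)
    comment: str = ""


@dataclass
class Packet:
    src_iface: str
    src_ip: str
    dst_ip: str
    service: str


def _ip_matches(spec: str, ip: str) -> bool:
    """Match an address against ANY, an 'a-b' range, a CIDR or a single IP."""
    if spec == ANY:
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return ip_address(lo) <= ip_address(ip) <= ip_address(hi)
    return ip_address(ip) in ip_network(spec, strict=False)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_iface in (ANY, pkt.src_iface)
            and _ip_matches(rule.src, pkt.src_ip)
            and _ip_matches(rule.dst, pkt.dst_ip)
            and rule.service in ("ALL", pkt.service))


def evaluate(rules, pkt: Packet, default: str = "allow"):
    """Return (action, index) of the first matching rule.

    Rules after the first match are never evaluated; `default` applies when
    nothing matches (the assumption here is that LAN-to-WAN traffic is allowed
    by default, as the thread's symptom of 'can still browse' suggests).
    """
    for i, rule in enumerate(rules):
        if _rule_matches(rule, pkt):
            return rule.action, i
    return default, None


WEB_SERVER = "192.168.1.10"                       # constructed: internal web server
BLOCKED = "192.168.1.50-192.168.1.60"             # constructed: hosts to cut off

# Ordering as advised: allow to the internal server first, then the denies.
RULES_AS_ADVISED = [
    Rule("allow", ANY, ANY, WEB_SERVER, "HTTP", "internal web server on port 80"),
    Rule("deny", "LAN", BLOCKED, ANY, "HTTP", "no direct port-80 web access"),
    Rule("deny", "WAN1", ANY, BLOCKED, "ALL", "block WAN1 -> these hosts"),
    Rule("deny", "WAN2", ANY, BLOCKED, "ALL", "block WAN2 -> these hosts"),
]

# Wrong ordering: the deny sits on top, so the allow is never reached.
RULES_WRONG_ORDER = [RULES_AS_ADVISED[1], RULES_AS_ADVISED[0]] + RULES_AS_ADVISED[2:]

SAMPLE_TRAFFIC = {
    "blocked host -> internal server, HTTP": Packet("LAN", "192.168.1.55", WEB_SERVER, "HTTP"),
    "blocked host -> Internet, HTTP": Packet("LAN", "192.168.1.55", "203.0.113.5", "HTTP"),
    "blocked host -> Internet, HTTPS": Packet("LAN", "192.168.1.55", "203.0.113.5", "HTTPS"),
    "other host -> Internet, HTTP": Packet("LAN", "192.168.1.20", "203.0.113.5", "HTTP"),
    "WAN1 -> blocked host, SMTP": Packet("WAN1", "203.0.113.5", "192.168.1.55", "SMTP"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_TRAFFIC.items():
        good = evaluate(RULES_AS_ADVISED, pkt)
        bad = evaluate(RULES_WRONG_ORDER, pkt)
        print(f"{label:40s} advised={good}  wrong-order={bad}")
```

Running it shows the blocked host reaching the internal server only with the allow rule on top, and that HTTPS to the Internet from the same host is not matched by any of the port-80 rules, which is the gap the answer warns about.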