How do you successfully configure static NAT on RV180(W)?

ExertiveSystems
Level 1

I have a new RV180W successfully working as a router and VPN appliance with 2 VLANs configured for wired and wireless devices on different subnets. I would now like to configure the firewall with one-to-one NAT to use the rest of a block of static public IP addresses issued to me by my ISP. So far I have followed the steps outlined in the documentation with very limited success. I can ping a remote server but not access a web page in a browser.

Here's what I have done so far:

Public static IP addresses:

    123.456.789.A = Static public IP address of RV180W

    123.456.789.B - E = Remaining static public IP addresses (to be used)

Private IP addresses:

  Wired

    192.168.X.1 = Static private IP address of RV180W on wired LAN subnet (VLAN 1)

    192.168.X.2 - 14 = Rest of wired LAN subnet

    255.255.255.240 = Wired LAN subnet mask

  Wireless

    192.168.Y.1 = Static private IP address of RV180W on wireless LAN subnet (VLAN 2)

    192.168.Y.2 - 14 = Rest of wireless LAN subnet

    255.255.255.240 = Wireless LAN subnet mask

Step 1: Firewall > Advanced Setting > One-To-One NAT > Add

  Add  a new NAT configuration with the following settings:

    Private Range Begin: 192.168.X.2
    Public Range Begin: 123.456.789.B
    Range Length: 4 (i.e. B - E) 
    Service: Any

Step 2: Firewall > Access Rules > Add

  Add a new outbound access rule with the following settings:

    Connection Type: Outbound  

    Action: Always allow

    Service: Any

    Source IP: Any  

    Destination IP: Any  

    Rule Status: Enabled

Step 3: Firewall > Access Rules > Add

  Add a new inbound access rule with the following settings:

    Connection Type: Inbound  

    Action: Always allow

    Service: Any

    Source IP: Any  

    Send to Local Server (DNAT IP): 192.168.X.2

    Use Other WAN (Internet) IP Address: Yes

    WAN (Internet) Destination IP: 123.456.789.B

    Rule Status: Enabled

This done, all I can do is to ping a remote server. Looking at outbound/inbound accepted/dropped packets in the firewall log I see only accepted packets. [ps Thanks Cisco for telling us that firewall logging is available under Severity = Debugging! NOT!!] This suggests that the problem lies with the NAT process, not with the firewall.

Can anyone tell me what I'm missing or getting wrong? I would like to set up static NAT rules to tie servers to specific public IP addresses but have yet to take this step.

David Aspinall

Exertive Systems

5 Replies

mpyhala
Level 7

David,

You can and should eliminate step 2. Outbound traffic is already allowed. Everything else looks correct.

- Marty

mpyhala

That nothing changes if I leave the outgoing rule disabled proves your point. However, it leaves me exactly where I was. I remain suspicious of the NAT given how it's configured. Am I right in assuming that the translation is one-to-one and sequential, i.e. 123.456.789.B <-> 192.168.X.2, 123.456.789.C <-> 192.168.X.3, 123.456.789.D <-> 192.168.X.4 and 123.456.789.E <-> 192.168.X.5?

What is the relationship between (1) the (physical) LAN in Networking > LAN (Local Network) > IPv4 LAN; and (2) the virtual LANs (VLANs) in Networking > LAN (Local Network) > Multiple VLAN subnets, in terms of addressing? I have the physical equal to VLAN1 (wired). Could this be my problem? Does NAT know to map to VLAN?

David

David,

Translation is one-to-one and sequential.

The physical LAN by default is always VLAN 1. One-to-One NAT should definitely work with VLAN 1 and I see no issues with the way you have it configured.

One thing that I have seen is the "secondary" IPs in a block not being active. To resolve this, configure the WAN port of the router with 123.456.789.B instead of 123.456.789.A and see if you have internet access. If you do, reconfigure One-to-One NAT and see if that address works when translated. You may have to "activate" each address in the block this way. This is an issue on the ISP side.

Another thing to try is to eliminate the Access Rule for inbound traffic. Just make the One-to-One NAT association and see if you can get out from the servers. If you can, then create the Access Rule to allow inbound traffic and test.

- Marty
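The sequential pairing confirmed in the reply above, as an added example that is not part of the original thread: it expands a One-to-One NAT entry (Private Range Begin, Public Range Begin, Range Length) into its address pairs and checks them against the LAN subnet and the ISP block. The addresses are constructed from documentation ranges because the thread's are masked, and the function names are hypothetical.

```python
import ipaddress


def expand_one_to_one(private_begin, public_begin, length):
    """Pair addresses sequentially: begin+0 <-> begin+0, begin+1 <-> begin+1, ..."""
    priv = ipaddress.IPv4Address(private_begin)
    pub = ipaddress.IPv4Address(public_begin)
    return [(priv + i, pub + i) for i in range(length)]


def check_mapping(pairs, lan, router_lan_ip, wan_ip, public_block):
    """Return a list of problems that would leave a pair unusable."""
    lan = ipaddress.IPv4Network(lan)
    block = ipaddress.IPv4Network(public_block)
    router_lan_ip = ipaddress.IPv4Address(router_lan_ip)
    wan_ip = ipaddress.IPv4Address(wan_ip)
    problems = []
    for priv, pub in pairs:
        # The private side must be a usable host inside the VLAN's subnet.
        if priv not in lan or priv in (lan.network_address, lan.broadcast_address):
            problems.append(f"{priv} is not a usable host in {lan}")
        if priv == router_lan_ip:
            problems.append(f"{priv} is the router's own LAN address")
        # The public side must come from the ISP block and not be the WAN IP.
        if pub not in block:
            problems.append(f"{pub} is outside the ISP block {block}")
        if pub == wan_ip:
            problems.append(f"{pub} is already the router's WAN address")
    return problems


# Constructed values standing in for the masked ones in the thread:
# a /28 LAN (mask 255.255.255.240) and a small public block from the ISP.
LAN = "192.168.10.0/28"
ROUTER_LAN_IP = "192.168.10.1"
WAN_IP = "203.0.113.2"
PUBLIC_BLOCK = "203.0.113.0/29"

# Same shape as Step 1: private begin .2, public begin "B", length 4.
good_pairs = expand_one_to_one("192.168.10.2", "203.0.113.3", 4)
good_problems = check_mapping(good_pairs, LAN, ROUTER_LAN_IP, WAN_IP, PUBLIC_BLOCK)

# A range started too high runs into the broadcast address and off the subnet.
bad_pairs = expand_one_to_one("192.168.10.13", "203.0.113.3", 4)
bad_problems = check_mapping(bad_pairs, LAN, ROUTER_LAN_IP, WAN_IP, PUBLIC_BLOCK)

if __name__ == "__main__":
    for priv, pub in good_pairs:
        print(f"{pub} <-> {priv}")
    print(bad_problems)
```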

Marty,

Thanks for your prompt replies. I think you're on the right track in your first suggestion. I had forgotten that I had set the RV180W to pick up the static IP address via PPPoE in Networking > WAN (Internet) > IPv4 WAN (Internet). This must clearly prevent things from working by 'blocking' the other IP addresses and always sticking to 123.456.789.A.

The unfortunate thing is, however, that this was the only way I could get the unit to connect to the Internet (via a Draytek Vigor 120 DSL modem). If I set the Internet connection to Static IP with all the relevant settings it fails.

I guess I will have to beaver away there until it works until sorting out the Firewall/NAT config.

David

Has anyone been able to actually get this to work? I can't get my RV180 to see any of my additional IPs to save my life. Every router I've ever bought has never been this gosh darn difficult to configure, and for something as simple as a multiple IP address. I wonder if their engineers sit in a room and honestly think of ways to not make things simple or if they just don't get it?