
Port Forwarding on RV042G

sp1152211811
Level 1

Ok I'm Stuck!  I need to route mail to a different port.  I found that UPnP is the only place to enter a different end port.  However, I can't figure out how to enter the access rule for that service.  I have researched the forums and found the UPnP info but no further instructions to create a rule.  When I create the service in UPnP, add to list, then go to access rules to allow through the firewall, the service I created is not in the list.  Please assist!


sp1152211811
Level 1

Ok let me give this another shot.  I have 1:1 NAT setup with Access Rules to allow specific services.  So far so good.  The problem is I need to forward one of the services to a different port.  I need to know how to create a rule to do this through the firewall.  This should not be this difficult since I have done it for years with other routers.  Just received the RV042G and this is main thing that has me stumped.  Any help is appreciated.

It appears I am talking to myself but here goes.  I have figured out part of the problem.  The port forwarding rules and UPnP rules will work if the WAN IP is used.  I have a public static IP block and need to route some services to other IPs in the block. I have 1:1 NAT setup, proper DNS for all IPs, but I can't route to the servers behind my RV042G using their public IP.  I know I am missing some rule.  Could someone please help me finish this.

-Thanks

Good morning

Thanks for using our forum

Hi Sp, my name is Johnnatan and I am part of the Small Business Support community. Another feature that you can use in this router is Port Triggering; here are the instructions on how to use it: http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=298

With this feature you can specify end-ports. If you use port forwarding and UPnP you could have some IP conflicts. I hope you find this answer useful.

*Please mark the question as Answered or rate it so other users can benefit from it.

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.


Jonathan,

Thanks for the response.  I tried to set port triggering, however it seems to be for outbound packets.  I need to redirect packets inbound.  The major issue I need to solve is this:

I need to redirect 2525 to 25 on a different public IP in my WAN subnet.  I can do it with UPnP, but only to the WAN address.

I am testing this RV042G as a model exchange for the RV180.  On the RV180 Access Rules there was an "other WAN IP" option that does not appear on this router.  While the RV042G fixed other problems, it created this problem.  I just need to redirect to a port on an "other WAN IP". 

You may use DMZ subnet range then simply configure the server with public ip within that range specified on the dmz.

-Tom
Please mark answered for helpful posts


I am currently using 1:1 NAT to expose the servers and Access Rules to lock it down. The servers have private addresses. Is it better to use DMZ than 1:1 NAT? And if so, how specifically can I redirect an external port to a different internal port on one of the public IPs in the range?

If this is a better way to go, I am open to changing the network config and running all servers on the DMZ port.

Example

WAN range is 75.75.75.75 through 75.75.75.80

WAN IP is 75.75.75.76

DMZ range is 75.75.75.77~80

Server A is 75.75.75.77

Server B is 75.75.75.78

Server C is 75.75.75.79

Server D is 75.75.75.80

Setting the DMZ range will allow all services to be able to hit the servers. Unlike 1-1 nat you may specify all services or 1 service. So as long as the server is listening for a port number, then it won't make a difference. Since you will be using different public IP per server, overlapping port numbers won't make a difference since it is on a different inbound request.

-Tom
Please mark answered for helpful posts


Thanks for the reply Tom, however I could accomplish this without a router.    I NEED to have firewall protection and I guess that is the piece I am missing.  I fully understand the scenario above.  I could connect the modem to a switch and assign a static IP to each server by entering it in the network config and connect it to the switch.  Then all services on all servers would be available wide open on the internet.  If you are telling me that I can still have the servers in the private range and do this, then I am very interested in giving it a try.

Tom,

Thinking more about this - are you saying that I could use the firewall to protect the servers even though they are using the public IP's on DMZ?  That would work if it is possible.  If I can use firewall services without NAT on the servers, then that is doable.  One of my servers has a firewall built in and it protects the machine no matter what the IP address is however the others don't.  Let me know.

Well that is a bust!!  I tried to enter the static range in the DMZ and it REQUIRES a WAN static connection.  My Statics are routed using PPPoE - so I'm dead in the water going that route.

Ok this is interesting?!? I entered the 1st usable public IP and the subnet in DMZ and it created an Access Rule for the public block AND a deny rule for the LAN.  Maybe I can make this work with a little assistance.  So here are some questions.

1) If I connect the servers to the DMZ port, should I enter public addresses in each of them?  They all have private addresses right now

2) If I use public addresses, can I still protect the servers with the firewall Access Rules?

3) How does the DMZ Host play into this?  It currently has the address 10.0.1.0 which is in the private subnet.

I can't have a long downtime so I can't do a lot of trial and error.  Any assistance is appreciated.

If you use "dmz host" you can use access rules on the firewall to  restrict traffic. The dmz host would be a private IP address on the LAN. The problem is dmz host can only support 1 host.

Basically, it sounds like you need a router that does port translation. Where the WAN port number gets converted to the internal LAN port number (which in this case can be duplicated many times on the LAN side).

If you're not able to use DMZ subnet range and the servers cannot use distinct port numbers for inbound services, it sounds like this is not the right product for you.

-Tom
Please mark answered for helpful posts


1) If I connect the servers to the DMZ port, should I enter public  addresses in each of them?  They all have private addresses right now.

>The computers in DMZ range/subnet should be configured with static public addresses.

2) If I use public addresses, can I still protect the servers with the firewall Access Rules?

>I suppose so.

3) How does the DMZ Host play into this?  It currently has the address 10.0.1.0 which is in the private subnet.

>DMZ Host can work in parallel with DMZ Range/Subnet.

3)  You DO NOT want to use the DMZ Host, so just forget about that.

1) If you connect the servers to [a switch connected to] the DMZ port, this will have to be a secondary NIC with the public IP - you also have to be careful of this config as the DMZ NIC will have a gateway but not the LAN NIC. Also, you want to unbind MS networking clients and certain services (DHCP, DNS) from the DMZ NIC. You're probably better off using 1-to-1 NAT.

2a)  The firewall works between all networks.  It can control traffic between the WAN and LAN, WAN and DMZ, DMZ and LAN, in both directions (six possible directions).  The DMZ is locked down just like the LAN unless you open up access to it, except by default the LAN can get to the DMZ.

2b) Port Forwarding and UPnP bypass the firewall; entering a matching firewall rule won't do anything except create problems/confusion. I have not tried using either of these with a DMZ or 1-to-1 NAT address as the destination. I would think that you could use UPnP or Port Triggering in conjunction with the 1-to-1 NAT but you'd have to get it just right. Could also be that it's just not possible.

*** the big question is:  with separate IP's per server, why do you need to translate the port?  Is this for security purposes?   You should just be able to use the standard port numbers, or change the listening port at the server.