Restricting port forwarding to a single external IP address

bradummer
Level 1

I have what I think should be a pretty simple question. I think I'm just not understanding how port forwarding works together with access rules.

We have a computer (10.4.20.60) on our LAN that's running a web server (port 80), and I'd like to make it available to a single IP address (let's say 123.123.123.123) outside the LAN. I can set up Forwarding to forward port 80 to 10.4.20.60 and that works fine, but it's open to any outside IP address. So I then created a Firewall > Access Rule to restrict port 80 access to only the external IP address. However as soon as I do that, all access to port 80 is blocked. The access rule I set up was:

Priority: 1
Policy Name: HTTP
Enabled: X
Action: Allow
Service: HTTP[80]
Source Interface: WAN1
Source: 123.123.123.123 ~ 123.123.123.123 (I'm actually using the correct IP)
Destination: 10.4.20.60
Time: Always

As I said, as soon as I added and enabled this access rule, everything to 80 is blocked. As a test, I modified the rule above to be open to all sources and destinations:

Priority: 1
Policy Name: HTTP
Enabled: X
Action: Allow
Service: HTTP[80]
Source Interface: WAN1
Source: Any
Destination: Any
Time: Always

Even with these settings access to port 80 is blocked from all outside IP addresses. Below is a screenshot of my current Access Rules page. What am I doing wrong?

6 Replies

charlessimpson
Level 1

Please let me know if you resolve this, because I'm trying to restrict port 443 to only one external IP address. Thanks.

Te-Kai Liu
Level 7

On which router and firmware do you see the issue?

Sorry I didn't specify that initially. I'm using a RV042 running 1.3.12.19-tm.

You might find this thread helpful.

https://supportforums.cisco.com/message/3100511#3100511

I think I might just be fundamentally misunderstanding how the firewall Access Rules work. I did the following:

  • To eliminate conflicts, I restored the access rules to the default. That gave me the three default rules: Allow All on LAN, Deny All on WAN1, Deny All on WAN2.
  • I confirmed that I have Forwarding set up to forward all outside connections on port 80 over to our internal web server (10.4.20.60).
  • With no custom Access Rules set, and with port 80 being forwarded, I tested accessing the web server from the outside and was able to access it.

This brings up my first question. I would have thought that the default Deny rule (All Traffic, WAN1, Any, Any, Always) would have blocked all outside (WAN1) traffic. Why doesn't it? Are the Access Rules here overridden by the Forwarding rules? Is this always the case?

Continuing on with my test:

  • I then added a single access rule to enable HTTP connections from any outside source to the internal web server (10.4.20.60) destination. (See attachment.) I would have thought that this wouldn't affect anything, since these connections were already being allowed and this rule would seem to just confirm that the access is enabled. However, when I added (and enabled) this rule, I could no longer access the web server from the outside.
  • Referencing the other thread that you suggested, I tried adding an HTTP Deny rule below the access rule, but that didn't change anything; I still couldn't access the server from the outside.
  • I deleted the Deny rule and still couldn't access the server.
  • I disabled the HTTP Allow rule and could once again access the server.

What am I missing here?
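The behaviour the poster expected from the rules above is the usual ordered, first-match access-list model: rules are checked by priority, the first rule whose fields all match decides the packet, and an unmatched packet is dropped. The small evaluator below is an added illustration of that model only; it is not the RV042's firmware logic, and the thread itself leaves open how the device really combines Forwarding with Access Rules. The 10.4.20.60 and 123.123.123.123 addresses come from the post; the second external address 198.51.100.7 and the numeric priorities given to the three default rules are constructed for the example.

```python
"""Toy first-match access-rule evaluator (added example, not RV042 code).

Assumption, stated as such: rules are evaluated in ascending priority order,
the first rule whose interface, service, source range and destination all
match decides the packet, and a packet matching no rule is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str                    # "Allow" or "Deny"
    service: Optional[int]         # TCP port; None means "All Traffic"
    source_iface: str              # "LAN", "WAN1" or "WAN2"
    src_lo: Optional[IPv4Address]  # None means source "Any"
    src_hi: Optional[IPv4Address]  # upper end of the source range
    dest: Optional[IPv4Address]    # None means destination "Any"
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    iface: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


WEB_SERVER = IPv4Address("10.4.20.60")        # from the post
PARTNER = IPv4Address("123.123.123.123")      # the one permitted outside host
OTHER = IPv4Address("198.51.100.7")           # constructed second outside host


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated field of the rule fits the packet."""
    if not rule.enabled or rule.source_iface != pkt.iface:
        return False
    if rule.service is not None and rule.service != pkt.dport:
        return False
    if rule.src_lo is not None and not (rule.src_lo <= pkt.src <= rule.src_hi):
        return False
    if rule.dest is not None and rule.dest != pkt.dst:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule in priority order wins; no match means drop."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "Deny", "implicit drop"


def default_rules() -> List[Rule]:
    """The three factory defaults the post lists after a reset (priorities constructed)."""
    return [
        Rule(100, "Allow All on LAN", "Allow", None, "LAN", None, None, None),
        Rule(101, "Deny All on WAN1", "Deny", None, "WAN1", None, None, None),
        Rule(102, "Deny All on WAN2", "Deny", None, "WAN2", None, None, None),
    ]


def restricted_rules() -> List[Rule]:
    """The poster's intended rule: HTTP from one outside host only, ahead of the defaults."""
    allow_one = Rule(1, "HTTP", "Allow", 80, "WAN1", PARTNER, PARTNER, WEB_SERVER)
    return [allow_one] + default_rules()


def misordered_rules() -> List[Rule]:
    """A Deny HTTP placed ABOVE the Allow shadows it completely under first-match."""
    block = Rule(1, "HTTP block", "Deny", 80, "WAN1", None, None, None)
    allow_one = Rule(2, "HTTP", "Allow", 80, "WAN1", PARTNER, PARTNER, WEB_SERVER)
    return [block, allow_one] + default_rules()


def decide(rules: List[Rule], src: IPv4Address, dport: int = 80) -> str:
    """Verdict for an inbound WAN1 packet from src to the web server."""
    return evaluate(rules, Packet("WAN1", src, WEB_SERVER, dport))[0]


if __name__ == "__main__":
    for label, rules in (("defaults only", default_rules()),
                         ("allow one host", restricted_rules()),
                         ("deny above allow", misordered_rules())):
        print(f"{label:>17}: partner={decide(rules, PARTNER)} "
              f"other={decide(rules, OTHER)} partner:443={decide(rules, PARTNER, 443)}")
```

Under this model the single Allow rule plus the default WAN1 Deny gives exactly the intended result: the partner address reaches port 80, every other outside address and every other port hits the Deny. The misordered set shows why rule position matters when testing, which is the same reason the other thread suggested placing a Deny below rather than above the Allow.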

Hello Brad,

I am with the Cisco Small Business Support Team. I have been unable to replicate your issue with an identical router with the same firmware (I also tested with 1.3.13.02). It does not seem you have a configuration issue. I matched your settings except that my internal address range was 192.168.75.x and I used a different external address.

Also, I did not use a web server or an IIS-enabled computer to test this. I ran Wireshark on the local computer (92.168.75.101) to see the packets come through the router and to the computer. I tested with HTTP over port 80 as well as telnet over port 23.

My suggestion is to run Wireshark and run the same tests. This way you can see if the inbound traffic is at least making it through (the issue might not be with the inbound traffic but the outbound).