cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5546
Views
5
Helpful
20
Replies

RV-320 Port Address Translation not working

BarryJoseph
Level 1
Level 1

Hi all,

I have a really odd issue that is driving me crazy.  I have a somewhat complex setup which goes something like:  ISP Cable Modem ==> Router ==> ASA5505 ==> Internal LAN.  Have a few servers on the internal network I need to be able to access from outside.

Everything was working great until I decided to trade in my old 1841 router for this RV router, since it has faster WAN interfaces and uses less power.  Initial setup was extremely easy.  Port Address Translation is enabled by default, so my internal clients can get out to the 'net with no problem.  But no matter what I try, I cannot access internal servers.

I contacted Cisco support.  They spent about 2 hours on my machine, and ultimately told me the issue is with my ASA (which is no longer under warranty).  But yet I can unplug the RV and reconnect the 1841 (or an older 1605 I still have) and everything starts working.

To prove or disprove the ASA being the culprit, I decided to test trying to open an SSH session to the ASA itself.  This would not require double-nat, since the ASA doesn't need to forward this traffic on to another internal device.

Once I attempt a connection (and it fails), I check the "incoming" log on the RV.  It gets 3 hits, showing "Successful connection".

Details of the log are strange.  It shows the incoming port as Eth1, and outgoing port Eth0.  Seems to me this should be the other way around, as I am using WAN1 as my ISP port, and WAN2 for my internal network.

The Source IP Address matches with the outside IP I am using; the internal correctly lists the ASA

Most confusing are the MAC addresses listed.  The Source MAC doesn't belong to anything I own, as far as I can tell.  I checked all of the interfaces on the RV, the ASA, and my switches.  The MAC (00:12:d9:54:a7:63) shows as belonging to Cisco.  My cable modem is a Cisco device.  But it shows a completely different MAC.  So this is a mystery.  Then the Destination MAC address resolved to the WAN1 interface on the RV.  Is *that* correct?

Please tell me where I can go from here.  I can't believe this device is unable to properly perform port address translation / redirection.

Thank you!

Brian

20 Replies 20

Brian,

Setup-> Forwarding, Service Management

Create a service for ports 1-442 and another for 444-65535 TCP&UDP

Now create two forwarding rules and use the new services. This should leave 443 going to the RV320 and all other traffic to the ASA.

- Marty

We'll I tried doing as you recommended, to enable remote administration over port 443.  Unfortunately it wouldn't allow me to create the ranges, since they already exist.  Most likely in the range I'm already using; all ports (udp and tcp).  I probably need to remove that range in order to add the ones you recommended, but of course that will temporarily break my internet connection (and I ran out of time). So I will try again tonight when I have a few minutes to mess with it.  Will let you know hoe it goes.

Thanks,

Brian

Just a really quick update.   I was finally able to get port 443 removed from port forwarding, but it was no easy task!  I was unable to remove the "Forward all ports UDP/TCP" built-in rule.  Nor can I remove any of the other built-in rules (there are quite a few).  And since they exist, the router won't allow me to create any rules that overlap with existing rules.  So I had to get around this by doing something like:

-TCP Rule 1: Fwd TCP ports 1-20

*** Rule for Port 21 already exists ***

- TCP Rule 2: Fwd TCP port 22

*** Rule for port 23 already exists ***

- TCP Rule 3: Fwd TCP port 24

*** Rule for port 25 already exist ***

All the way up to 65535.  And then had to do again for UDP.  I wonder if there's an easier way, but I didn't see it.

Anyhow now that this is all working (thanks again for all your help!!) I am back to my original problem:  I can't access internal hosts from outside.  I do now think it's an ASA issue and no longer an RV issue.  (Although I still blame the RV for not working the way the other routers work!!) 

Please let me know if I need to move this discussion to another area, instead of contuing on under "Small Business Routers".

Thank you!

Brian

Brian,

Sorry about the way you had to go about creating custom services, I didn't realize that it wouldn't allow known ports. I'll see if I can find someone here who can give advice regarding the ASA setup, although it would be a good idea to post your config and questions in those forums.

- Marty

Finally got this working.  Thanks to all (especially Mpyhala).  Final resolution was to turn off port forwarding, go back to PAT rules for each port, along with STATIC translations on the ASA.

-Brian

Barry,

Glad to see you got it figured out! Thanks for posting the solution.

- Marty