02-06-2013 02:21 PM
I have an RV042 which is being used as an interface to an ISP.
The WAN address (public) is obtained via PPPoE.
The LAN address (also public) is entered manually from an assigned block of public addresses. This is the internet gateway for other publicly-addressed devices like firewalls, VPN devices, etc.
I have an RV042 to play with as well as one in production that I can access.
Because the accesses are both through public addresses, I want to use https to access the device. I've generated a number of questions as I'm not sure the behavior is understandable to me and maybe the behavior isn't even consistent.
- If the firewall is Disabled, the https setting is still available. So, presumably https will work with the firewall enabled or disabled? Is that right?
- I take it that the Remote Management setting and port number are associated with the WAN port. For example, can one set Remote Management ON with port 443 and still access via the LAN on port 80? on port 443?
- If Remote Management is OFF then I presume that one cannot access the device through the WAN. Yet, that seems to not be the case. I wonder if the public addresses on this device affect this?
Well, I guess we might forget about the Port number and just ponder the following - if anybody knows for sure: Sort of a truth table:
Remote OFF
http...........WAN access: NO LAN access: YES
https..........WAN access: NO LAN access: YES
Remote ON
http...........WAN access: YES LAN access: YES
https..........WAN access: YES LAN access: YES
This is what it would seem to me to be but it doesn't seem to work that way.
Or, maybe I'm just missing something important here?
02-12-2013 05:22 AM
Good morning
Hi Fred, thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. I will be more than glad to answer your questions. The firewall depends on the OS you are running; can I ask you what your OS is?
You can create an access list in the firewall of your router and then set in port triggering the port where you want to access, so you can configure both ports to gain access...
If you just disable remote management, you are just going to turn it off, and the public address isn't going to have any effect.
I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it*
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
02-12-2013 08:33 AM
I'm not at all sure what difference a workstation OS would have to do with how the RV042 behaves.
Perhaps you're thinking ahead to working with an RV042 / firewall settings / etc? But I'm not at that stage yet.
I don't know the OS of the RV042.
02-12-2013 07:33 AM
I've generated a number of questions ...
- If the firewall is Disabled, the https setting is still available. So, presumably https will work with the firewall enabled or disabled? Is that right?
This setting is for the Administrative web page of the device, and should work either way.
- I take it that the Remote Management setting and port number are associated with the WAN port. For example, can one set Remote Management ON with port 443 and still access via the LAN on port 80? on port 443?
Remote management is for the WAN port; management is always on for the LAN side (see below).
I believe these settings are the same for the WAN and LAN.
- If Remote Management is OFF then I presume that one cannot access the device through the WAN. Yet, that seems to not be the case. I wonder if the public addresses on this device affect this?
It should not allow it, but if it does, you could set up an ACL to only allow access to the admin addresses from the local net. This is off the top of my head, and I have not tested in the lab.
Add allow rules for the locations and addresses you want to admin the router

• Action: Allow
• Service: http (s)
• Source Interface: LAN
• Source: any (or range of admin addresses, or single address)
• Destination: LAN IP of the router

• Action: Allow
• Service: http (s)
• Source Interface: LAN
• Source: any (or range of admin addresses, or single address)
• Destination: WAN IP of the router

Then add another rule to deny any

• Action: Deny
• Service: http (s)
• Source Interface: WAN
• Source: any
• Destination: LAN IP of the router

• Action: Deny
• Service: http (s)
• Source Interface: WAN
• Source: any
• Destination: WAN IP of the router

I would recommend **NOT CHANGING THE ADMIN INTERFACE REMOTELY.**
Easier to drive onsite, and schedule it, than to drive after the administration is down, and it's not working.
Slightly less risky: admin remotely through LogMeIn, RDP, etc., from a local PC.
Just don't chop off the administration of the router, by putting an ACL on the port you are accessing it through.
http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf
pg 103
says:
There are four additional default rules that will be always active and cannot be
overridden by any custom rules:
• HTTP service from the LAN to the router is always allowed.
• DHCP service from the LAN is always allowed.
• DNS service from the LAN is always allowed.
• Ping service from the LAN to the router is always allowed.
Well, I guess we might forget about the Port number and just ponder the following - if anybody knows for sure: Sort of a truth table:
Remote OFF
http...........WAN access: NO LAN access: YES
https..........WAN access: NO LAN access: YES
Remote ON
http...........WAN access: YES LAN access: YES
https..........WAN access: YES LAN access: YES
This is what it would seem to me to be but it doesn't seem to work that way.
Or, maybe I'm just missing something important here?
What behavior are you seeing? Can you get to the WAN or Lan ip address remotely?
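
A reachability check for the truth table discussed in this thread, as an added example that is not part of any post and is not Cisco code: it probes the router's WAN and LAN addresses on ports 80 and 443 from one vantage point and reports where the admin page answers contrary to the table. The addresses are documentation-range placeholders and the canned probe result is constructed; `audit`, `tcp_open` and `EXPECTED` are names chosen here.

```python
import socket

# Expected admin-page reachability, copied from the thread's truth table:
# (remote_management_on, vantage) -> should the page answer?
EXPECTED = {
    (False, "wan"): False, (False, "lan"): True,
    (True, "wan"): True, (True, "lan"): True,
}
ADMIN_PORTS = (80, 443)  # http and https, as in the table


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(remote_mgmt_on, vantage, router_ips, probe=tcp_open):
    """Probe every router address on every admin port from this vantage.

    Returns a list of (ip, port, expected, observed) for each mismatch.
    Both the WAN and the LAN address are probed because in this setup the
    LAN address is public too, so it is reachable from the Internet side.
    """
    want = EXPECTED[(remote_mgmt_on, vantage)]
    mismatches = []
    for ip in router_ips:
        for port in ADMIN_PORTS:
            seen = probe(ip, port)
            if seen != want:
                mismatches.append((ip, port, want, seen))
    return mismatches


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses and a canned probe
    # result standing in for a run from an outside host. Drop the probe
    # argument to test a real router you administer.
    WAN_IP, LAN_IP = "203.0.113.10", "198.51.100.1"
    canned = {(WAN_IP, 80): False, (WAN_IP, 443): True,
              (LAN_IP, 80): False, (LAN_IP, 443): False}
    for ip, port, want, seen in audit(False, "wan", [WAN_IP, LAN_IP],
                                      probe=lambda h, p: canned[(h, p)]):
        print(f"{ip}:{port} expected reachable={want}, observed={seen}")
```

Run it once from a host outside the ISP link with vantage "wan" and once from a LAN host with "lan". A completed TCP handshake only shows that the port answers, so confirm in a browser that it is the admin page.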