01-15-2013 08:38 AM
Hi, this is regarding my RV042. Its firmware version is v4.1.1.01-sp (Dec 6 2011 20:03:18), unchanged from how I received it. I purchased it less than a month ago. I have a problem wherein the firewall behavior is not what I expect it to be: I expect only allowed ports/services to be open to a given private IP from the outside, but am finding that all are open to that private IP!
Let me describe the current configuration. I am going to blank out all digits of the public IP addresses when discussing them except for the final digits for security reasons.
Router's WAN1 is set up as static, X.X.X.189. This is part of my public IP block. WAN2 is disabled. One-to-One NAT is enabled. Three instances of it are set up. One, for example is 192.0.2.89 (a private IP) mapped to X.X.X.180, a public IP, part of our public block. Forwarding is not enabled. There is no DMZ Host. That is set to 192.0.2.0.
Firewall and SPI are Enabled. Access Rules for the firewall are set up in addition to the default rules which are present to Deny all traffic with WAN1 and WAN2 as the source from any source to any destination. This to me means that unless I set up Allow actions, there should be no access from the outside, WAN1. As an example of one of my Allow rules, I have this:
Action: Allow
Service: HTTP
Log: Not log
Source interface: WAN1
Source IP: ANY
Destination IP: Single, 192.0.2.89
Time: Always
My problem: My expectation is that based on the One-to-One NAT setting, the public IP X.X.X.180 is now associated with the private IP 192.0.2.89, but nothing from public to private is allowed unless allowed by the firewall, which is only set to allow HTTP / port 80 to 192.0.2.89. But the behavior is that 192.0.2.89 is, as presently configured, open to everything from the associated public IP, not just port 80, but all ports! It is as if my firewall rules have no impact whatsoever.
What is wrong here? How do I make it behave like my expectation described above?
Thanks to all.
John
01-15-2013 10:23 AM
Hi John, here is a similar topic with a verified solution
https://supportforums.cisco.com/message/3828616
-Tom
Please mark answered for helpful posts
01-15-2013 11:08 AM
Thank you, Tom. I am trying this out now and will report back.
-J
01-15-2013 11:44 AM
This solution worked. After adding entries to Deny all traffic originating from WAN1 or WAN2, two entries at the end of the list, and Allow all traffic originating from LAN, one entry that comes right before the two Deny entries and after all of my port and LAN IP specific Allow entries, all worked as designed.
Thank you!
-J
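The fix in the final post is an ordering exercise: specific Allow entries first, then Allow-all from LAN, then explicit Deny-all entries for WAN1 and WAN2 at the very end. The following is an added example, not code from the thread or from Cisco, that models an RV042-style access-rule list as a first-match, top-to-bottom list (an assumption; the thread does not state the router's evaluation semantics) and checks two things a defender would want to confirm: that the final ordering exposes only HTTP on the one-to-one NAT host from the WAN while leaving LAN-originated traffic open, and that the result no longer depends on whatever the implicit fall-through was, which is what the original "everything is open" symptom looked like. The LAN address 198.51.100.10 and the `shadowed` ordering check are constructed for the example.

```python
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    action: str      # "Allow" or "Deny"
    service: str     # service name such as "HTTP", or ANY
    src_iface: str   # "WAN1", "WAN2" or "LAN"
    dst_ip: str      # a single IP address, or ANY


@dataclass(frozen=True)
class Flow:
    service: str
    src_iface: str
    dst_ip: str


def matches(rule, flow):
    """A rule matches when interface is equal and service/destination are equal or ANY."""
    return (rule.src_iface == flow.src_iface
            and rule.service in (ANY, flow.service)
            and rule.dst_ip in (ANY, flow.dst_ip))


def evaluate(rules, flow, fallthrough):
    """First-match evaluation (assumed semantics); `fallthrough` applies if nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return fallthrough


def covers(wide, narrow):
    """True if every flow that matches `narrow` also matches `wide`."""
    return (wide.src_iface == narrow.src_iface
            and wide.service in (ANY, narrow.service)
            and wide.dst_ip in (ANY, narrow.dst_ip))


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them.
    A specific Allow placed after a Deny-all for its interface shows up here."""
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


# The one port-specific Allow from the original post.
SPECIFIC_ALLOWS = [Rule("Allow", "HTTP", "WAN1", "192.0.2.89")]

# The ordering from the final post: specific allows, Allow-all from LAN,
# then explicit Deny-all from WAN1 and WAN2 at the end of the list.
FIXED_RULES = SPECIFIC_ALLOWS + [
    Rule("Allow", ANY, "LAN", ANY),
    Rule("Deny", ANY, "WAN1", ANY),
    Rule("Deny", ANY, "WAN2", ANY),
]

# Constructed counter-example: Deny-all placed before the HTTP Allow.
MISORDERED_RULES = [Rule("Deny", ANY, "WAN1", ANY)] + SPECIFIC_ALLOWS

# Constructed probe flows; 198.51.100.10 is a made-up LAN-side destination.
PROBES = {
    "wan1_http": Flow("HTTP", "WAN1", "192.0.2.89"),
    "wan1_ssh": Flow("SSH", "WAN1", "192.0.2.89"),
    "wan2_http": Flow("HTTP", "WAN2", "192.0.2.89"),
    "lan_smtp": Flow("SMTP", "LAN", "198.51.100.10"),
}


def outcomes(rules, fallthrough):
    """Action taken for each probe flow under the given rule list and fall-through."""
    return {name: evaluate(rules, flow, fallthrough) for name, flow in PROBES.items()}


def policy_is_independent_of_fallthrough(rules):
    """True when every probe gets the same answer whether the implicit default is Allow or Deny."""
    return outcomes(rules, "Allow") == outcomes(rules, "Deny")


if __name__ == "__main__":
    # Symptom from the first post, modelled as an Allow fall-through for the NAT host.
    print("only specific allow:", outcomes(SPECIFIC_ALLOWS, "Allow"))
    print("fixed ordering:     ", outcomes(FIXED_RULES, "Allow"))
    print("fixed is default-independent:", policy_is_independent_of_fallthrough(FIXED_RULES))
    print("shadowed in misordered list:", shadowed(MISORDERED_RULES))
```

The `shadowed` check is the part worth keeping around: it flags a port-specific Allow that has been placed below a Deny-all for the same interface, which is the other way the ordering described in the thread can quietly go wrong.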