RV042 Router, Unexpected Firewall Behavior

jcprodres
Level 1

Hi, this is regarding my RV042. Its firmware version is v4.1.1.01-sp (Dec 6 2011 20:03:18), unchanged from how I received it. I purchased it less than a month ago. I have a problem wherein the firewall behavior is not what I expect it to be: I expect only allowed ports/services to be open to a given private IP from the outside, but am finding that all are open to that private IP!

Let me describe the current configuration. I am going to blank out all digits of the public IP addresses when discussing them except for the final digits for security reasons.


Router's WAN1 is set up as static, X.X.X.189. This is part of my public IP block. WAN2 is disabled. One-to-One NAT is enabled. Three instances of it are set up. One, for example is 192.0.2.89 (a private IP) mapped to X.X.X.180, a public IP, part of our public block. Forwarding is not enabled. There is no DMZ Host. That is set to 192.0.2.0.


Firewall and SPI are Enabled. Access Rules for the firewall are set up in addition to the default rules which are present to Deny all traffic with WAN1 and WAN2 as the source from any source to any destination. This to me means that unless I set up Allow actions, there should be no access from the outside, WAN1. As an example of one of my Allow rules, I have this:


Action: Allow

Service: HTTP

Log: Not log

Source interface: WAN1

Source IP: ANY

Destination IP: Single, 192.0.2.89

Time: Always


My problem: My expectation is that based on the One-to-One NAT setting, the public IP X.X.X.180 is now associated with the private IP 192.0.2.89, but nothing from public to private is allowed unless allowed by the firewall, which is only set to allow HTTP / port 80 to 192.0.2.89. But the behavior is that 192.0.2.89 is, as presently configured, open to everything from the associated public IP, not just port 80, but all ports! It is as if my firewall rules have no impact whatsoever.


What is wrong here? How do I make it behave like my expectation described above?

Thanks to all.

John

3 Replies

Tom Watts
VIP Alumni

Hi John, here is a similar topic with a verified solution

https://supportforums.cisco.com/message/3828616

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Thank you, Tom. I am trying this out now and will report back.

-J

This solution worked. After adding entries to Deny all traffic originating from WAN1 or WAN2 (two entries at the end of the list) and Allow all traffic originating from LAN (one entry that comes right before the two Deny entries and after all of my port- and LAN-IP-specific Allow entries), all worked as designed.

Thank you!

-J
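The rule ordering John ends up with (specific Allow rules first, then Allow-all from LAN, then Deny-all from WAN1 and WAN2 at the very end) is easiest to reason about as a first-match access list. The model below is an added example written for this page; it is not code from the thread or from the RV042 firmware. It assumes rules are evaluated top to bottom with the first match winning, and it treats a packet that matches no explicit rule as allowed, which is an assumption chosen to reproduce what John observed before the fix rather than a documented router default. The `Rule`, `Packet`, `evaluate` and `open_ports` names, the probe ports, and the outside addresses `198.51.100.7` and `203.0.113.9` are all constructed for the example; the destination is the private IP `192.0.2.89` because one-to-one NAT has already translated the public address by the time the access rule is checked.

```python
"""First-match model of the RV042 access-rule list discussed in the thread.

Added example, not RV042 firmware code.  Assumptions: rules are evaluated
top to bottom, first match wins; a packet matching no rule is allowed
(chosen to mirror the "everything open" behaviour seen before the fix).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    action: str                     # "Allow" or "Deny"
    src_iface: str                  # "WAN1", "WAN2" or "LAN"
    src_ip: str = ANY               # "ANY" or a single IP / CIDR
    dst_ip: str = ANY
    proto: str = ANY                # "tcp", "udp" or "ANY"
    dst_port: Optional[int] = None  # None means any port


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src_ip: str
    dst_ip: str     # address after one-to-one NAT, i.e. the private IP
    proto: str
    dst_port: int


def _ip_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_iface == pkt.iface
            and _ip_match(rule.src_ip, pkt.src_ip)
            and _ip_match(rule.dst_ip, pkt.dst_ip)
            and rule.proto in (ANY, pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules, pkt, no_match="Allow"):
    """Return (action, index) of the first matching rule, or (no_match, None).

    no_match="Allow" is the assumption that reproduces the pre-fix behaviour
    from the thread; it is not a documented RV042 default.
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return no_match, None


def open_ports(rules, iface, src_ip, dst_ip, ports, proto="tcp"):
    """Audit helper: the subset of `ports` that would be accepted to dst_ip."""
    return {p for p in ports
            if evaluate(rules, Packet(iface, src_ip, dst_ip, proto, p))[0] == "Allow"}


# The HTTP rule from the original post, destination already NAT-translated.
ALLOW_HTTP = Rule("Allow", "WAN1", ANY, "192.0.2.89", "tcp", 80)

# Rule list as first configured: only the specific Allow rule(s).
BEFORE = [ALLOW_HTTP]

# Rule list after the fix: specific Allows, then Allow-all from LAN,
# then Deny-all from WAN1 and WAN2 as the last two entries.
AFTER = [
    ALLOW_HTTP,
    Rule("Allow", "LAN"),
    Rule("Deny", "WAN1"),
    Rule("Deny", "WAN2"),
]

PROBE_PORTS = (22, 80, 443, 3389)   # constructed sample ports to audit
OUTSIDE = "198.51.100.7"             # constructed outside source address


def audit_before():
    return open_ports(BEFORE, "WAN1", OUTSIDE, "192.0.2.89", PROBE_PORTS)


def audit_after():
    return open_ports(AFTER, "WAN1", OUTSIDE, "192.0.2.89", PROBE_PORTS)


if __name__ == "__main__":
    print("before fix, reachable from WAN1:", sorted(audit_before()))
    print("after fix,  reachable from WAN1:", sorted(audit_after()))
    lan_out = Packet("LAN", "192.0.2.50", "203.0.113.9", "tcp", 443)
    print("LAN outbound:", evaluate(AFTER, lan_out))
```

Running the audit against both lists shows the point of the thread: with only the HTTP Allow entry, every probed port reaches 192.0.2.89; with the trailing Deny-all entries, only port 80 does, while LAN-originated traffic still matches the Allow-all-from-LAN entry placed ahead of them. The same `open_ports` check is a cheap way to confirm a rule list after any reorder, since a Deny placed above a specific Allow would silently shadow it.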