RV082 v4.0.0.07 One-to-One NAT and Access Rules problem

Kevin Morse
Level 1

Hi there,

I just purchased two RV082 to run a 20 computer and 4 web server office. I'm using One-to-one NAT to map public IPs to the different servers and our surveillance system and it appears to be working fine. For each One-to-One NATed address I have created the following Access rules:

Allow     HTTP     WAN1     Any     [public address]

Allow     SSH     WAN1     Any     [public address]

Deny     All     WAN1     Any     [public address]

The allow rules are of higher priority, so my experience with other firewalls would suggest that they should be applied first, blocking access to all ports, and then the HTTP and SSH ports would be opened up. What appears to be happening is very disconcerting: with any Allow rules applied, the Deny rules are removed entirely, opening up all ports. If I move the Deny rule priority up, it blocks all ports as expected.

My question is how do I prevent access to all ports except the HTTP and SSH ports with the router in One-to-one NAT mode.

Accepted Solution

Te-Kai Liu
Level 7

When an Access Rule is defined on top of a 1-to-1 NAT rule, you want to change the public IP address to the private IP address that the public IP is mapped to.

Allow     HTTP     WAN1     Any     [private address]

Allow     SSH      WAN1     Any     [private address]

Deny      All      WAN1     Any     [private address]

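The accepted answer says what to change but not why it works. The following is an added illustration, not code from the thread or from Cisco: a first-match model of how access rules combine with 1-to-1 NAT. Its one assumption is that 1-to-1 NAT rewrites the inbound destination from the public to the private address before the access rules are compared, so a rule typed against the public address never matches inbound traffic; the fall-through for a NATed host is Allow, mirroring the "all ports open" result the posters saw, which is a modelling choice and not a statement about the RV0xx firmware internals. The addresses are constructed (RFC 5737 and RFC 1918 ranges), not the posters' own. The model reproduces two outcomes from the thread: rules keyed on the public address leave every port open, and the same rules keyed on the private address expose only 80 and 22 (and block everything if the deny-all is ordered first).

```python
# Added illustration, not code from the thread or from Cisco: a first-match
# model of access rules evaluated after 1-to-1 NAT translation.
# ASSUMPTION: 1-to-1 NAT rewrites the destination (public -> private) before
# the access rules are compared, so a rule written against the public address
# never matches inbound traffic. Fall-through for a NATed host is Allow, which
# mirrors the thread's "all ports open" observation; it is a modelling choice.
from dataclasses import dataclass

# Constructed example addresses (RFC 5737 / RFC 1918), not the posters' own.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "192.168.1.10"
ONE_TO_ONE_NAT = {PUBLIC_IP: PRIVATE_IP}

# Service name -> TCP port; None means "any port".
SERVICES = {"HTTP": 80, "SSH": 22, "SMTP": 25, "All": None}


@dataclass(frozen=True)
class Rule:
    action: str     # "Allow" or "Deny"
    service: str    # key of SERVICES
    interface: str  # ingress interface, e.g. "WAN1"
    source: str     # "Any" in every rule on this page
    dest: str       # destination address exactly as typed in the rule


def translate(dst: str) -> str:
    """Apply 1-to-1 NAT to an inbound destination: public -> private."""
    return ONE_TO_ONE_NAT.get(dst, dst)


def evaluate(rules, interface: str, dst_public: str, dport: int) -> str:
    """Return the action of the first rule matching the translated packet."""
    dst = translate(dst_public)
    for r in rules:
        if r.interface != interface or r.dest != dst:
            continue
        port = SERVICES[r.service]
        if port is not None and port != dport:
            continue
        return r.action
    # No rule matched. For a 1-to-1 NATed host the thread reports the traffic
    # was passed, so the model falls through to Allow; otherwise Deny.
    return "Allow" if dst_public in ONE_TO_ONE_NAT else "Deny"


def exposed_ports(rules, dst_public: str, ports) -> set:
    """Ports on dst_public that an external scan would find open."""
    return {p for p in ports if evaluate(rules, "WAN1", dst_public, p) == "Allow"}


SCAN = [22, 80, 139, 445]

# The original poster's rules, written against the public address.
RULES_PUBLIC = [
    Rule("Allow", "HTTP", "WAN1", "Any", PUBLIC_IP),
    Rule("Allow", "SSH", "WAN1", "Any", PUBLIC_IP),
    Rule("Deny", "All", "WAN1", "Any", PUBLIC_IP),
]

# The accepted answer: same rules, private address, allows before deny-all.
RULES_PRIVATE = [
    Rule("Allow", "HTTP", "WAN1", "Any", PRIVATE_IP),
    Rule("Allow", "SSH", "WAN1", "Any", PRIVATE_IP),
    Rule("Deny", "All", "WAN1", "Any", PRIVATE_IP),
]

# Deny-all moved to the top: first match wins, so every port is blocked.
RULES_DENY_FIRST = [RULES_PRIVATE[2], RULES_PRIVATE[0], RULES_PRIVATE[1]]

if __name__ == "__main__":
    for name, rules in [("public", RULES_PUBLIC), ("private", RULES_PRIVATE),
                        ("deny first", RULES_DENY_FIRST)]:
        print(f"{name:10s} open: {sorted(exposed_ports(rules, PUBLIC_IP, SCAN))}")
```

The ordering matters as much as the address: the deny-all must sit below the specific allows, because the first rule that matches decides the verdict.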


henrikboes
Level 1

I don't have a solution but want to add my voice to this thread. I'm running into the same thing on an RV042. The one-to-one NAT seems to completely ignore any and all firewall rules. (In my case, I only want VNC port 5900 open.) Any insight would be appreciated.

Same misbehavior here: on the latest firmware, my RV042 and 042G models completely and entirely ignore all firewall access rules for any/all one-to-one-NAT-enabled WAN-to-LAN rules.


Brian Bergin
Level 4

That's an old version of the firmware. You should try the current build, 4.0.2.08-tm, and see if the problem continues. Cisco is unlikely to fix anything in 4.0.0.7 if it doesn't still exist in 4.0.2.08-tm.

Thanks for all of your suggestions, guys.

Because the router is currently hosting a website that can't have any downtime (hence the Dual WAN) I haven't had a chance to make those changes but I'm going to try and do so late at night this weekend.

Kevin

PS I didn't realize Cisco just released a new build of the router firmware 3 days ago. Hopefully that solves it.

Just changed the Access Rules to use the Private IP addresses as suggested. Totally fixed the problem!

I'm still going to try and do the Firmware upgrade though.

Jeff Bolden
Level 1

I've just realized today I have the same issue here. I'm currently running a Rev2 on the latest firmware (2.0.2.01-tm) and have One-to-One and rules configured for my Exchange 2010 box. I ran a port scan against the outside today as I was wrapping up the project and realized I have a bunch of ports wide open, including 445 and 139, which is disconcerting to say the least.

I had originally configured the allow rules to point to the external IPs, but after seeing the post by Tekliu I changed them all to point to the internal IPs. I restarted the router just to be sure, but it doesn't seem to be making a difference; the external port scans are still showing open ports.

If I create specific deny rules it seems to block as expected, but the default deny rule is not working. Any ideas, short of burning this box and getting something that actually does what it's supposed to? =)

OK, I just went in and created two specific deny rules for the two servers I have exposed with external IPs and it seems to work:

Allow     SMTP     WAN1     Any     (Internal IP #1)

Allow     HTTP     WAN1     Any     (Internal IP #1)

etc. Then, after the allows:

Deny      ALL      WAN1     Any     (Internal IP #1)

Deny      ALL      WAN1     Any     (Internal IP #2)

Then the default deny rules are last.

Is this a known issue with these routers? I have several clients with these RV082s and most are pretty simple networks, but this one had a little more complicated setup. But this is pretty standard stuff; I can't believe there is this glaring an issue with a simple default deny rule. Am I missing something?
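Scanning the public addresses from outside, as this poster did, is the right way to confirm the rules actually took effect, since the router's rule list cannot tell you what is exposed. The following is an added verification check, not code from the thread: it parses a saved nmap grepable-output (`-oG`) scan and reports every open TCP port that is not on the list of ports you intended to expose for that public address. The scan text and the addresses are constructed for the example (RFC 5737 range) and are not the poster's; it assumes the scan was run from a host outside the firewall against the public (1-to-1 NATed) addresses.

```python
# Added verification check, not code from the thread: compare an external
# nmap grepable-output (-oG) scan against the ports intended to be exposed.
# SAMPLE_SCAN is constructed for this example in nmap's -oG layout; the
# addresses are from the RFC 5737 documentation range, not the poster's.
import re

SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -Pn -p 22,25,80,139,443,445 -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 22/filtered/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""

# Intended exposure per public address: web + SSH on the first host,
# SMTP + HTTP on the second (mirrors the rule sets discussed in the thread).
ALLOWLIST = {
    "203.0.113.10": {22, 80},
    "203.0.113.11": {25, 80},
}

# Each -oG port entry looks like: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_open_ports(grepable: str) -> dict:
    """Map each scanned host to the set of TCP ports nmap reported as open."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = {
            int(port)
            for port, state, proto in PORT_RE.findall(ports_field)
            if state == "open" and proto == "tcp"
        }
        result.setdefault(host, set()).update(open_ports)
    return result


def unexpected_exposure(grepable: str, allowlist: dict) -> dict:
    """Hosts with open ports outside their allowlist -> sorted list of offenders."""
    findings = {}
    for host, open_ports in parse_open_ports(grepable).items():
        extra = open_ports - allowlist.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


if __name__ == "__main__":
    bad = unexpected_exposure(SAMPLE_SCAN, ALLOWLIST)
    for host, ports in bad.items():
        print(f"{host}: unexpected open ports {ports}")
    print("PASS" if not bad else "FAIL")
```

In the constructed sample the first host still shows 139 and 445 open, the situation this poster described, so the check fails until the deny-all rule for that host's internal address is in place. Run the real scan with `nmap -Pn -p- -oG scan.gnmap <public addresses>` from a machine outside your network and feed the file to `unexpected_exposure`; a host that does not appear in `ALLOWLIST` is treated as having no intended exposure, so any open port on it is flagged.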

Jeff, Thanks for the posting. This has been the standard way RV0xx access rules are used, after a 1-to-1 NAT rule is created. You start with denying all from WAN. Then add individual allow rules to let the specific traffic into the servers in the LAN.