Showing results for 
Search instead for 
Did you mean: 

RV325 Firewall Access Rules

Level 1
Level 1

We have 5 static ip's and need to create rules that allow outside wan traffic (from specific ip's or all ip's depending on the lan device) to connect directly to devices on our lan. One static ip connects to our security dvr (allow all traffic) and another would point to our business application server and this is limited by a single ip. We have all of these currently set up with our Netgear ProSafe but I have not found where this is available in the RV325. Any help would be appreciated. Mark

7 Replies 7

Level 1
Level 1


       Hope you are doing well today.  On the RV325, the feature you are looking for is one-to-one NAT.  According to the admin guide:

"One-to-one NAT creates a relationship that maps a valid WAN IP address to LAN IP
addresses that are hidden from the WAN (Internet) by NAT. This protects the LAN
devices from discovery and attack.
For best results, reserve IP addresses for the internal resources that you want to
reach through one-to-one NAT.
You can map a single LAN IP address or a range of IP addresses to an external
range of WAN IP addresses of equal length (for example, three internal addresses
and three external addresses). The first internal address is mapped to the first
external address, the second IP internal IP address is mapped to the second
external address, and so on.."

This configuration is under Setup>One-to-One NAT

Here is the link to the admin guide:

If the device has any issues with getting this configuration to work properly, you can call our award winning SMB support team at 1-866-606-1866.

Thank you for using the support forum Mark.




Thanks for the info and the kind reply. I wanted to be sure about this part of NAT per admin guide:

Valid WAN IP address is one of our static ip's that I can map to LAN ip's?


To control who can connect through NAT to internal IP's is this done with a firewall access rule?

for example: our phone equipment vendor has a static address of, They connect to our static ip that is mapped to our LAN ip

thanks again, mark

Yes, you could restrict who accesses your internal devices by using the ACL's in the firewall configuration.  I would have to set it up in the lab, but I think that NAT translation occurs before ACL evaluation.  So your ACL may have to be configured to PERMIT remote public IP address to local LAN private IP address.  I can test it in the lab and let you know the results.  Thanks Mark.



     OK, in my lab, here is what I configured and the results.  I have a PC with a private  I have a WAN address XX.XX.XX.70 on the RV325.  I configured under one-to-one NAT, WAN xx.xx.xx.71 to  Then under Firewall>Access Control, I created a rule, with priority 1, source interface WAN1, PERMIT SOURCE remote public IP address of device I wanted to be able to download a file via tftp, 68.xx.xx.xx TO the DESTINATION private address of the PC running as a tftp server,  Then, I created a rule with priority 2, source interface WAN1, DENY  ANY SOURCE address to DESTINATION address

       I was then able to CONNECT to the xx.xx.xx.71 address from the 68.xx.xx.xx remote PC and download from the internal tftp server.  I then tried to download the same file from a remote address 97.xx.xx.xx to the xx.xx.xx.71 address, but the download failed.  I flipped back to the 68.xx.xx.xx address and was able to download again.  Flipped back to the 97.xx.xx.xx address and the download failed.  

       So in the lab, this configuration limited access to an internal tftp server that had One-to-one NAT configured along with the ACL's I have described to allow only the ALLOWED public address to connect.  Hope this helps.  If you do have further issues after you attempt this config, please call the SMB support team at 1-866-606-1866 and we will assist if the configuration is not working as described.  Thanks Mark and have a great day.



Can you think of any rules that need to be added to allow our 2nd office that connects by vpn gateway with another RV325. When this rule is enabled:

source interface WAN1, DENY  ANY SOURCE address to DESTINATION address

we can scan and see both lans, but we are not able to run our applications that connect to the 1.100 address above, as well as VNC. Rule turned off-works great, rule enabled, no-go.

With the rule enabled we were not able to connect with (2) separate ez vpn clients used by remote users. I added an Allow from Wan->ip of client rule and it worked with Deny Any Source enabled. Any suggestions please




Our RV325 is connected to a Comcast supplied Netgear CG3000 DCR Gateway Modem. This was required by Comcast so they could load the block file for our (5) static ip's. Can our RV325 be configured to use our static ip's if we switch to a passthrough modem (Arris SB6141)? The reason I want to change is the Netgear supplied by Comcast has been reported to cause voice quality issues, and we definitely have them. If the RV325 will not work for the above please suggest another Cisco that will, it would need to connect our vpn as we now have with another RV325




Sorry, missed the first question.  As long as the provider routes the public address to your router's WAN, ( I think that is what they mean by Valid WAN IP address), the router would be able to address those packets with the One-to-One configuration and forward them to the appropriate LAN IP address, as configured.  I am starting to set this up in the lab and will update.  Thanks Mark.