Setup DMZ with RV042G & single IP

dave.crabbe (Level 1)

I'm trying to set up a single web server in a DMZ using the RV042G and the docs seem woefully inadequate to explain how this is accomplished.

I've attached a picture of my setup.

I'm assigned a single Public IP.. in the example I've used 172.16.5.22 and so I've set the WAN interface for static IP.

The DMZ port is not obvious how to set up.. So I've chosen to define a private subnet and throw the web server in there. As I activate the DMZ, I specify a "subnet" and its address as 10.10.10.1, which I'm assuming goes to the DMZ/WAN port. I assign my webserver the address 10.10.10.3.

I leave the Access rules in their default condition.

I am a little unsure as to how to setup the static IP info for the web server.

Gateway:  10.10.10.1  ?

DNS:        10.10.10.1?  or 172.16.5.1?

Problem #1

=========

My first problem is that the webserver cannot access the Internet. I get a timeout when I open the browser. I've tried every address there as the gateway and DNS..

Problem #2

========

If a person on the WAN side is attempting to connect to 172.16.5.22:80, how does the RV042G know to send it to the 10.10.10.3 device? It doesn't know what address the webserver is assigned; I just gave it a 10.10.10.1 address as the subnet address.

I think I'm missing something, conceptually here.

Can you, in fact, use the RV042G in this fashion with only a single public IP address? There is almost no information on how the router actually routes traffic when you choose either 'subnet' or 'range' (where the DMZ is in the same subnet as the WAN).

Any help appreciated.

Dave Crabbe

Nova Scotia Community College

6 Replies

Hello Dave,

I recommend you use the DMZ host and One-to-One NAT features available. I tested this in my lab with the above settings and it works without any issue.

Please feel free to contact me if you have any queries.

Thanks and regards,

Siva

Hi Siva;

Thanks so much for taking the time to reply..

From my diagram, on the forum, I only have a single public IP .. let's say  172.16.5.22 ..  This connects to my main WAN port and so that port would have to be addressed with 172.16.5.22. So I'd assign that manually.

From what I understand about your suggestion, I would not connect anything to the physical DMZ port (the other WAN/DMZ port). Let me know if that is an incorrect assumption.

All my LAN computers, (attached to  say … 192.168.2.x) would run from the LAN ports. Now, if I want one web server in the DMZ, then I understand that I'd assign a LAN address to that web computer .... say:  192.168.2.10. So my web server is in my LAN network and attached to the same switch as all my LAN computers.

Now, I don't think I'd enable the DMZ on the network setup page, because I'm not using that port..

But I'd specify a DMZ host address as 192.168.2.10  (From the SETUP > DMZ Host page)

Now, I can set up the one-to-one NAT, specifying the Private Range as: 192.168.2.10-10, but the problem is in the Public Range. It says to not include the router's WAN IP address in this range. I think I'd use 142.10.10.10, but I'm not allowed, from what I read in the manual, because this has to be assigned my only Public IP.

My other concern is that this web server needs to be separated from the rest of the LAN by a firewall. If my assumptions are correct, this could not happen because the web server is connected directly to my switch and to the rest of the LAN computers. I could see it, if I were using the DMZ physical port.. My application requires that the LAN computers be protected from the Web server by a firewall.  That's the whole purpose of the DMZ setup.

The manual is very unclear on how the DMZ host feature works, or how the DMZ physical port works. I was really, really surprised when I set up the network as I had it in the diagram and the router would not route traffic from the web server to the Internet and back. I was hoping that this appliance would allow a small business to put one server in a DMZ using only one public IP address. Seems like an obvious setup, but I have found no recommended setup after scouring the Internet.

Any clarification appreciated..

Thanks again for writing.. 

Dave Crabbe, Faculty

Nova Scotia Community College

Hi Siva;

Just a bit more for this ..

I don't think your suggestion offers real DMZ firewall protection, since the DMZ host sits on the internal LAN.

If you look at my JPG diagram from the original post, I would expect this is how you would set up a single DMZ computer with only one public IP address. What I don't know is why, when I set this up, the DMZ computer 10.10.10.3 can NOT browse the Internet. Just with the default access rules, I would expect the router to naturally route packets between the 10.10.10.1 gateway and the WAN.

I think the "DMZ host" function is only when you want to expose a LAN computer to the internet, but it doesn't have firewall protection between this host and the rest of the LAN, so I don't really know why it is called "DMZ host". But I have so little info I might be missing a lot.

If I had 2 public IP addresses, I could get this working, but that is a lot more expense from my ISP. This should be doable with a single public IP; at least I read that other such appliances can do this.

Dave

Hi Dave,

Kindly refer to page 32 to set up the DMZ server.

Admin guide:

http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf

If you still find an issue, please contact our chat support at

https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport

Thanks and regards,

Siva

From talking with Cisco tech support, the RV042G (likely the RV042x and RV082x) cannot do a true DMZ with a single public IP. He told me the DMZ port could not be activated with only one public IP. What is not apparent is why there is a "subnet" option in the DMZ port configuration. The manual is extremely poor in explaining how this DMZ port truly works. And this problem is not apparent from the sales literature. I am surprised at this, because in this part of the world, moving from a single public IP to the next tier of service with 5 public IPs carries a significant price increase.

I am unhappy with my purchase. It will mean that I must purchase yet another appliance if I wish to implement a DMZ with a single public IP.

Dave

dave.crabbe (Level 1)

I've concluded my work with the RV042G.

From working with Cisco Tech support, it appears that with a single public IP, you can use port forwarding to a LAN machine, but you cannot create a DMZ and place a host there. A true DMZ requires a firewall between the DMZ and the local LAN.

Using the "DMZ host" feature is very misleading ... for there can be no firewall between this host machine and the LAN simply because all machines are in the LAN.

I think there are products from other vendors that might provide a proper DMZ with a single public IP. ZyWall USG50/100 is my next look.

I will return the Cisco RV042G product.

I'll add this reply so that others, who are looking to create a DMZ with only one public IP, will have this information. We could purchase a second public IP, but at an extra $50/month, this is much too expensive for a small business that only needs a single public IP.

Dave Crabbe
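As an added illustration (not part of the thread, and not Cisco's or the RV042G's own logic), here is a small Python model of the three placements the thread ends up comparing: the "DMZ host" feature, plain port forwarding, and a true DMZ on its own subnet with a firewall between it and the LAN. The addresses follow the thread; the LAN workstation 192.168.2.20 and the Internet client 203.0.113.9 are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example. Addresses follow the thread: 10.10.10.0/24 is the DMZ
# subnet and 192.168.2.0/24 the LAN; 203.0.113.9 is a made-up Internet client.
@dataclass(frozen=True)
class Rule:
    src: str                    # zone the packet arrives from: "wan", "lan", "dmz"
    dst: str                    # zone it is heading to
    dport: Optional[int]        # None = any destination port
    allow: bool
    host: Optional[str] = None  # restrict the rule to one destination address
class Router:
    def __init__(self, zones, rules):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules = rules
    def zone_of(self, ip):
        # Anything outside the locally attached zones comes from the Internet.
        addr = ip_address(ip)
        return next((n for n, net in self.zones.items() if addr in net), "wan")
    def allowed(self, src_ip, dst_ip, dport):
        s, d = self.zone_of(src_ip), self.zone_of(dst_ip)
        if s == d:
            return True  # same segment: switched frames never reach the firewall
        for r in self.rules:  # first match wins; default deny between zones
            if (r.src, r.dst) == (s, d) and r.dport in (None, dport) \
                    and r.host in (None, dst_ip):
                return r.allow
        return False

# "DMZ host" feature: server on the LAN switch, every port forwarded to it.
DMZ_HOST = Router({"lan": "192.168.2.0/24"},
                  [Rule("wan", "lan", None, True, host="192.168.2.10")])
# Port forwarding: same placement, but only TCP/80 is forwarded.
PORT_FORWARD = Router({"lan": "192.168.2.0/24"},
                      [Rule("wan", "lan", 80, True, host="192.168.2.10")])
# True DMZ: separate subnet with the firewall between DMZ and LAN.
TRUE_DMZ = Router({"lan": "192.168.2.0/24", "dmz": "10.10.10.0/24"}, [
    Rule("wan", "dmz", 80, True, host="10.10.10.3"),
    Rule("dmz", "wan", None, True),   # server can reach the Internet (Problem #1)
    Rule("lan", "dmz", None, True),   # admins can still manage the server
    Rule("dmz", "lan", None, False),  # a compromised server cannot reach the LAN
])

def exposure(router, server_ip, lan_host="192.168.2.20", client="203.0.113.9"):
    # What an Internet client can reach, and what the server can reach inward.
    return {"wan_http": router.allowed(client, server_ip, 80),
            "wan_ssh": router.allowed(client, server_ip, 22),
            "server_to_lan": router.allowed(server_ip, lan_host, 445)}
```

Running `exposure()` against each router shows the point the thread makes: with the DMZ host or port forwarding the server can still reach the LAN because they share a segment, while only the true DMZ blocks that path.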