Cisco RV320 - Block ALL Outgoing, can't connect to internal service

lia123
Level 1

Hello. I have an SSH server that accepts connections on a custom port. Port forwarding has been set up so that any connection to the static IP address will be forwarded to the internal IP address of the server. Recently I have blocked all outgoing connections with the following exceptions: HTTP, HTTPS, Teamviewer and the SSH Server port. Now I cannot connect to the SSH server using the external IP address. It only works if I use the internal one. I have used the rule BLOCK ALL - LAN ANY-to-ANY and an ALLOW rule for each exception. If I disable the BLOCK ALL rule it will work fine.

What could be the problem?

13 Replies

Seb Rupik
VIP Alumni

Hi there,

From your description alone, it sounds like you have put the block ANY-ANY above your permit statements. Try re-ordering so that the permit statements for those specific services are at the top of the ACL.

cheers,

Seb.

Hello,

Can you post a screenshot of your access rules (similar to those displayed in the attached document)?

https://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=8c7797be9bac465aa93a79ca2545d493_Access_Rules_Configuration_on_RV320_Router.xml&pid=2&converted=0

Here is a screenshot of the firewall permits.

Anyone?

Hello,

I think you need a rule that goes in the other direction, from source interface WAN(1) to source and destination any/any...

I don't understand. I attached some photos with the options I have for the rules.

What I mean is the same rules but specifying the WAN1 interface as the source, e.g.:

Action: Allow

Source: HTTP(80)

Source Interface: WAN1

Source: Any

Destination: Any

The rule is already set up. Let's say the SSH server is running on IP 192.168.1.122 on port 1234. These are the firewall rules in the order of priority.
1. ALLOW - SSH [1234] - LAN - ANY <> ANY
2. DENY - ALL TRAFFIC - LAN - ANY <> ANY
3. ALLOW - SSH [1234] - WAN1 - ANY <> ANY
4. DENY - ALL TRAFFIC - WAN1 - ANY <> ANY

If I try to connect from an outside network to [external ip address]:1234 it works. It also works from the inside network for 192.168.1.122:1234. But when I try to connect from LAN to [external ip address]:1234 it fails. Disabling rule no. 2 allows me to successfully connect to [external ip address]:1234 from LAN. What could be the problem?
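To make the ordering question concrete, here is a small first-match evaluator over the four rules listed above. It is an added example, not the router's firmware or Cisco code: it assumes a strictly ordered ACL where the first matching rule decides, an implicit allow when nothing matches, and a constructed placeholder public address. It shows what such a model would decide for the connections described in the post, including the block-above-allow ordering Seb asked about.

```python
"""First-match evaluation of the access rule list posted in the thread.

Added example, not the RV320's own logic. Model assumptions: rules are
checked top to bottom, the first match decides, and traffic matching no
rule is allowed (implicit default). The external address is a constructed
placeholder, not the poster's real IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "ANY"

@dataclass(frozen=True)
class Rule:
    action: str       # "ALLOW" or "DENY"
    service: object   # destination TCP port, or ANY for "ALL TRAFFIC"
    src_iface: str    # "LAN" or "WAN1", the rule's source interface
    src: str          # source network in CIDR form, or ANY
    dst: str          # destination network in CIDR form, or ANY

def _addr_match(spec, addr):
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)

def _service_match(spec, dport):
    return spec == ANY or spec == dport

def evaluate(rules, src_iface, src, dst, dport, default="ALLOW"):
    """Return (action, rule_number) of the first match, or (default, None)."""
    for i, r in enumerate(rules, start=1):
        if (r.src_iface == src_iface and _service_match(r.service, dport)
                and _addr_match(r.src, src) and _addr_match(r.dst, dst)):
            return r.action, i
    return default, None

# The four rules from the post, in the stated priority order.
RULES = [
    Rule("ALLOW", 1234, "LAN", ANY, ANY),   # 1. ALLOW SSH [1234] LAN ANY<>ANY
    Rule("DENY", ANY, "LAN", ANY, ANY),     # 2. DENY ALL TRAFFIC LAN ANY<>ANY
    Rule("ALLOW", 1234, "WAN1", ANY, ANY),  # 3. ALLOW SSH [1234] WAN1 ANY<>ANY
    Rule("DENY", ANY, "WAN1", ANY, ANY),    # 4. DENY ALL TRAFFIC WAN1 ANY<>ANY
]

EXTERNAL_IP = "203.0.113.10"  # constructed placeholder for the router's public IP

if __name__ == "__main__":
    print(evaluate(RULES, "LAN", "192.168.1.50", EXTERNAL_IP, 1234))        # ALLOW by rule 1
    print(evaluate(RULES, "LAN", "192.168.1.50", "192.168.1.122", 1234))    # ALLOW by rule 1
    print(evaluate(RULES, "WAN1", "198.51.100.7", EXTERNAL_IP, 1234))       # ALLOW by rule 3
    print(evaluate(RULES, "LAN", "192.168.1.50", EXTERNAL_IP, 22))          # DENY by rule 2
    swapped = [RULES[1], RULES[0]] + RULES[2:]                              # block above allow
    print(evaluate(swapped, "LAN", "192.168.1.50", EXTERNAL_IP, 1234))      # DENY by rule 1
```

In this model the LAN-to-external-IP:1234 connection is allowed by rule 1, which is exactly the case the post reports as failing on the device; the mismatch between a plain first-match model and the observed behaviour is what the later replies treat as a possible firmware bug.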

Hello, 

Swap rules 2 and 3...

Just did. No result.

lia123
Level 1

Could this be a firmware bug? If so who should I notify?

Hello,

Actually, you might be right, this could be a bug. I came across the one below (although only the RV13x is listed, it might as well apply to the 32x). Try a lower firmware, I would start with the 1.3.2.02 release...

RV130x: Block Access Rule blocks traffic that should be Allowed
CSCuz56638
Description
Symptom:
- If an Allow ACL has been configured to allow traffic from a specific host/network and then a Block ACL is configured, the Block ACL will block traffic that is supposed to be Allowed
- This is seen even when Allow ACL is ordered first

Conditions:
- Allow ACL is configured
- Block ACL is configured
- Seen in 1.0.3.14

Workaround:
- Disable the Block ACL
- Downgrade to 1.0.2.7