
Cisco RV325 router - policy violation help

ravi
Level 1

We are seeing new error logs when clients are trying to connect to our Cisco RV325 router.

2017-02-22, 06:09:30 Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.2.190 DST=72.160.172.204 DMAC=c0:8c:56:c7:7e:a0 SMAC=50:e5:49:4c:db:79 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4763 DF PROTO=TCP SPT=63930 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0

2017-02-22, 06:12:32 Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.2.191 DST=72.160.172.193 DMAC=c0:8c:56:c7:7e:a0 SMAC=00:27:0e:04:b9:db LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=7008 DF PROTO=TCP SPT=56433 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0


2017-02-22, 06:12:57 Connection Refused - Policy violation IN=ppp0 OUT=eth1 SRC=192.168.2.150 DST=72.130.43.15 DMAC=45:00:00:22:15:9c SMAC=40:00:7f:06:45:d4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20780 DF PROTO=TCP SPT=53531 DPT=443 WINDOW=260 RES=0x00 ACK FIN URGP=0


How do I allow the above connection?

What port/firewall rules should I open?

Thanks

1 Reply

If I'm correct, looking at the last paragraph of the log:

The device with IP-address 192.168.2.150 (the source, hence "SRC=") is trying to connect to a Device with IP-Address 72.130.43.15 (the destination, hence "DST=").

The MAC address of the device that the traffic is destined for is "45:00:00:22:15:9c" (the destination MAC address, hence "DMAC=").
The MAC address of the device that is trying to connect with the outside device is "40:00:7f:06:45:d4" (hence "SMAC=").

The protocol that is being used to try and communicate is TCP; the source port (the port that the device is sending the traffic with) is 53531 and the destination port (the port that the device is sending traffic to) is port 443.

Now, I would be hesitant to allow traffic that's being blocked before being certain that it's okay, e.g. non-malicious.

That being said, looking at the last paragraph you would need to go to Firewall > Access Rules > ADD:
Allow https / 443 traffic (listed under "service" in the ACL menu).
Source interface would probably need to be set to "LAN"
Source IP would be set to "Range" / "192.168.2.0 - 192.168.2.255"
Destination IP would be set to: "72.130.43.15"
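
To check what was actually refused before writing an allow rule, the log lines can be parsed field by field. The following is an added example, not code from either poster or from Cisco. The function names and the labels "new-connection", "teardown" and "mid-stream" are this example's own, and the sample input is the three log lines from the question.

```python
import re

# The three log lines from the question above, embedded so the example runs offline.
SAMPLE_LOG = """\
2017-02-22, 06:09:30 Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.2.190 DST=72.160.172.204 DMAC=c0:8c:56:c7:7e:a0 SMAC=50:e5:49:4c:db:79 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4763 DF PROTO=TCP SPT=63930 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
2017-02-22, 06:12:32 Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.2.191 DST=72.160.172.193 DMAC=c0:8c:56:c7:7e:a0 SMAC=00:27:0e:04:b9:db LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=7008 DF PROTO=TCP SPT=56433 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
2017-02-22, 06:12:57 Connection Refused - Policy violation IN=ppp0 OUT=eth1 SRC=192.168.2.150 DST=72.130.43.15 DMAC=45:00:00:22:15:9c SMAC=40:00:7f:06:45:d4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20780 DF PROTO=TCP SPT=53531 DPT=443 WINDOW=260 RES=0x00 ACK FIN URGP=0
"""

# Layout: "<date>, <time> <reason text> IN=... KEY=value pairs and bare flag words"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<reason>.+?) (?=IN=)(?P<fields>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"timestamp": m["date"] + " " + m["time"], "reason": m["reason"], "flags": []}
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:                      # KEY=value pair such as SRC=, DPT=, SMAC=
            rec[key] = value
        elif token in TCP_FLAGS:     # bare TCP flag word such as ACK, RST, FIN
            rec["flags"].append(token)
    return rec


def classify(rec):
    """Label a packet by its TCP flags: connection opener, teardown, or other."""
    flags = set(rec["flags"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if flags & {"RST", "FIN"}:
        return "teardown"
    return "mid-stream"


def summarize(log_text):
    """One (SRC, DST, PROTO, DPT, flags, class) tuple per parsable line."""
    records = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["SRC"], r["DST"], r["PROTO"], int(r["DPT"]), "+".join(r["flags"]), classify(r))
            for r in records]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

On the three lines from the question, every refused packet goes to destination port 443 and carries ACK+RST or ACK+FIN; none carries a SYN.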



