Deny WAN access to specific LAN IP addresses

Elsombre1
Level 1

I have a client w/ an RV042 and she would like to selectively prohibit WAN access for specific computers on the LAN while still allowing them to use their browsers for server http access on port 80.  The firewall deny rules don't seem to work as you might think - deny all traffic for a specific IP address and you can still browse the web at will.

Thanks

Attached files are;

saved config file from RV042 (saved as .txt not .exp)

PDF print of the firewall config page

Thanks

5 Replies

David Carr
Level 6

Mr. Peterson,


Can you attach the rules you have created to the forum, I can look at it and see if I see anything wrong with the settings?

Posted the files David, thanks.

rberber07
Level 1

Your description and your firewall rules don't match.

Since your description is not... precise (actually I don't understand what you are trying to say: deny all WAN traffic, but allow access to one server on port 80? or deny almost all WAN traffic except port 80 traffic?) it's hard to say how to fix things. Several problems are evident: the POP3 and SMTP rules are in the wrong order. I assume you wanted to allow all mail traffic; then put them first, i.e. the way they are now, if one of the deny rules hits then the other rules won't even be evaluated.

Renee,

Briefly - I have a client who would like to deny Internet access to specific IP addresses in her office but allow them to retain port 80 access for internal server applications.  I've followed Cisco tech support suggestions but they have not worked.

Thanks for any help you can provide.

Cheers,

Michael

That's easy, just put an "allow rule" on top that allows traffic from Any(Any) to Single IP (the internal Web server) for service HTTP.

Then add "deny rules" for each IP or range of IPs that shouldn't have Web access; source LAN, single or range IP, destination Any, service HTTP.  Notice that this rule doesn't stop HTTPS and many other services that could be abused: messenger, torrent, even http using a proxy on a different port; but it stops any direct connection to port 80 not allowed by the first rule.

To fix the "user workarounds" (like using a proxy to by-pass the deny on port 80) you can add rules blocking traffic from WAN1 (and similar for WAN2) to the specific LAN IP; source WAN1(Any), destination LAN (IP or range), service All Traffic.
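The first-match rule ordering described in this answer, as an added example that is not from the thread or from Cisco: a small Python evaluator that applies rules top-down the way the RV042 does, and shows that the recommended order (allow to the server first, then the per-IP deny) works while the reversed order shadows the allow, and that the HTTP-only deny still lets port 443 through. The server address 192.168.1.10, the workstation 192.168.1.50 and the external site are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: "int | str"    # TCP port or "any"

def _match(pattern, value):
    """Match one rule field against a packet field (CIDR for addresses)."""
    if pattern == ANY:
        return True
    if isinstance(value, int):
        return pattern == value
    return ip_address(value) in ip_network(pattern)

def evaluate(rules, src, dst, port, default="allow"):
    """First-match evaluation: the first rule whose src, dst and port all
    match decides; later rules are never consulted."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.port, port):
            return r.action
    return default

# Constructed sample addresses (assumptions, not from the thread).
WORKSTATION = "192.168.1.50"      # LAN host that must lose Web access
INTRANET_SERVER = "192.168.1.10"  # internal Web server on port 80
EXTERNAL_SITE = "203.0.113.5"     # documentation range, stands in for the Internet

# Order recommended above: allow Any -> server:80 first, then deny host -> Any:80.
RECOMMENDED = [
    Rule("allow", ANY, "192.168.1.10/32", 80),
    Rule("deny", "192.168.1.50/32", ANY, 80),
]

# Same two rules with the deny placed first: the allow is shadowed.
SHADOWED = [RECOMMENDED[1], RECOMMENDED[0]]

def check_ordering():
    """Return the decision for each scenario under both orderings."""
    return {
        "good_intranet": evaluate(RECOMMENDED, WORKSTATION, INTRANET_SERVER, 80),
        "good_internet": evaluate(RECOMMENDED, WORKSTATION, EXTERNAL_SITE, 80),
        "good_https_leak": evaluate(RECOMMENDED, WORKSTATION, EXTERNAL_SITE, 443),
        "bad_intranet": evaluate(SHADOWED, WORKSTATION, INTRANET_SERVER, 80),
    }
```

The "good_https_leak" result is the gap the answer points out: a deny on service HTTP alone does not stop HTTPS or a proxy on another port, which is why the additional WAN-to-LAN "All Traffic" deny is suggested.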
