Beginner

RV042 LAN subnet restriction and firewall bypassed for One-to-One NAT host

I have 2 questions to confirm and/or get direction on how to modify.

1) is there a way to get around the (seemingly arbitrary) class C (slash 24+) subnet restriction for the primary/main IP address for the internal LAN?

(I realize I can set up multiple internal subnets, but that also seems to introduce restrictions for port ‘forwarding’ and ‘one-to-one NAT’ use because those features seem to be restricted to the primary/main IP subnet)

2) it seems like all traffic is passed to the host on the internal side of a ‘One-to-One NAT’ regardless of the firewall rules in place, is that what is to be expected?

9 REPLIES
Contributor

RV042 LAN subnet restriction and firewall bypassed for One-to-On

1. I don't think there's a way around this on the rv series.

2. I think I read somewhere in the documentation that with 1:1 NAT in place, the firewall is disabled, so that would explain that behavior.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com
Rising star

RV042 LAN subnet restriction and firewall bypassed for One-to-On

>1) is there a way to get around the (seemingly arbitrary) class C (slash 24+) subnet restriction for the primary/main IP address for the internal LAN?

I'm not aware of a known workaround.

>2) it seems like all traffic is passed to the host on the internal side of a ‘One-to-One NAT’ regardless of the firewall rules in place, is that what is to be expected?

Additional access rules can be configured to further restrict the traffic from WAN to LAN on top of 1-to-1 NAT.

Rising star

RV042 LAN subnet restriction and firewall bypassed for One-to-On

>I realize I can set up multiple internal subnets, but that also seems to introduce restrictions for port ‘forwarding’ and ‘one-to-one NAT’ use because those features seem to be restricted to the primary/main IP subnet

With firmware 4.2.1.02, I was able to add a "multiple subnet", e.g. 192.168.2.1/255.255.255.0, and configure a forwarding rule to forward ftp service to an IP address in the 192.168.2.x subnet.

Beginner

RV042 LAN subnet restriction and firewall bypassed for One-to-On

Yes, you are correct. I updated firmware (to 4.2.1.02) and port forwarding now works to addresses in my 10.1.0.0/16 subnet. Thanks!

Beginner

RV042 LAN subnet restriction and firewall bypassed for One-to-On

Firmware 4.2.1.02 continues to restrict 1-to-1 NAT to only addresses in the main RV042 LAN (class C) subnet.

Rising star

RV042 LAN subnet restriction and firewall bypassed for One-to-On

>Firmware 4.2.1.02 continues to restrict 1-to-1 NAT to only addresses in the main RV042 LAN (class C) subnet.

The removal of this restriction may come in the future, if there is sufficient customer demand behind it.

Beginner

RV042 LAN subnet restriction and firewall bypassed for One-to-On

Apparently, there wasn't sufficient demand. I NEED this feature to work, but the latest firmware (4.2.2.08) STILL doesn't fix this problem.

1 to 1 NAT on a separate subnet (separate from the LAN subnet) only works temporarily (10 or 15 minutes), then it dies without complaint. If I do anything to the router like saving the configuration, it starts working again for 10 or 15 more minutes, then dies. Not cool.

Advocate

Re: RV042 LAN subnet restriction and firewall bypassed for One-t

Hi Cary, is it not possible to put the device on the primary subnet of the RV042 and use one to one NAT and move your other connecting host to the "original" subnet of the RV042 using multiple subnet feature?

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
Beginner

Re: RV042 LAN subnet restriction and firewall bypassed for One-t

Hi Tom, thanks for your reply.

Perhaps a little more detail concerning my configuration would help. The public IPs are fictitious, of course.

RV042G

LAN: 192.168.10.0/24

Public IPs:

- 207.229.43.128/29

- 204.209.196.224/29

RV042 WAN1 Assigned to: 207.229.43.130, gateway .129

RV042 WAN2 Not used

1:1 NAT Needed: 207.229.43.131-134 translated to: 192.168.10.131-134

1:1 NAT Needed: 204.209.196.228-230 translated to: 192.168.10.228-230

The 207 and 204 public networks are routed to the RV042G from the outside, so I know traffic is getting to the RV042G.

When I set up the two 1:1 NATs shown above, only the first NAT (131-134) works consistently and with stability. The second 1:1 NAT works for about 10 or 15 minutes, and then inexplicably stops working without any errors showing up in any of the logs.

If I do anything that involves clicking a Save button on the RV042G web configuration interface, the second 1:1 NAT starts working again for another 10 or 15 minutes, then dies again. For example, if I go to the DHCP section and enable (or disable) DHCP, the second 1:1 NAT starts working normally.

If I replace all of the NATs with individual mappings (131->131, 132->132, 133->133, etc.), all of the mappings that lie in the router's primary public subnet (207.229.43.128/29) work flawlessly in mapping to the LAN network. But any public IP that is outside of the primary public subnet only maps properly to the LAN for 10 or 15 minutes, then stops working.

I have tried assigning the WAN2 connection to the second public IP (204.209.196.225/29), but it does nothing to improve the situation.

Is it possible that I need to segment the local LAN into two separate subnets for this to work? That is the only thing I really haven't tried yet. Or is this another bug in the firmware?
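Two points in this thread are easy to lose in the back-and-forth: a 1:1 NAT entry only rewrites the destination address, so without explicit WAN-to-LAN access rules the mapped host receives every port (the original question), and the mappings that misbehave are exactly the public addresses outside the WAN1 subnet (the last post). The toy model below, added here as an illustration and not Cisco code or RV042 firmware logic, reproduces both with the addresses Cary posted (already stated as fictitious). The rule format, the top-down first-match evaluation and the "allow" default for mapped hosts when no rule matches are assumptions chosen to mirror the behaviour the thread reports, not documented RV042 semantics.

```python
"""Toy model of a WAN->LAN pipeline on a small router: 1:1 NAT rewrite of the
destination address, followed by access-rule evaluation on the translated
address. Added illustration only; the addresses are the ones posted in the
thread (labelled fictitious there) and the rule semantics are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.10.0/24")        # primary LAN from the post
WAN1 = ipaddress.ip_network("207.229.43.128/29")     # WAN1's own public block


def one_to_one_ranges(public_start, private_start, count):
    """Expand a range-style 1:1 NAT entry into a {public: private} mapping."""
    pub = ipaddress.ip_address(public_start)
    priv = ipaddress.ip_address(private_start)
    return {pub + i: priv + i for i in range(count)}


# The two entries from the post: .131-.134 and .228-.230.
NAT_TABLE = {}
NAT_TABLE.update(one_to_one_ranges("207.229.43.131", "192.168.10.131", 4))
NAT_TABLE.update(one_to_one_ranges("204.209.196.228", "192.168.10.228", 3))


def outside_primary_wan(table=NAT_TABLE, wan=WAN1):
    """Public addresses in the table that do not belong to WAN1's subnet.

    These are the entries the thread reports as working only intermittently."""
    return [str(p) for p in table if p not in wan]


def outside_primary_lan(table=NAT_TABLE, lan=LAN):
    """Private addresses outside the primary LAN subnet (the firmware restriction
    discussed earlier in the thread). Empty for this configuration."""
    return [str(p) for p in table.values() if p not in lan]


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    dst: ipaddress.IPv4Network    # matched against the *translated* LAN address
    dport: Optional[int] = None   # None means any destination port


def evaluate(rules, proto, dst_public, dport, table=NAT_TABLE, default="allow"):
    """Translate the public destination via 1:1 NAT, then run the access rules
    top-down, first match wins. Returns (translated LAN address or None, verdict).

    `default` is the verdict for a mapped host when no rule matches; "allow"
    is an assumption reflecting the original poster's observation that a mapped
    host receives everything when no rules are configured."""
    lan_dst = table.get(ipaddress.ip_address(dst_public))
    if lan_dst is None:
        return None, "drop"        # no mapping; traffic to the router itself is not modelled
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if lan_dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return str(lan_dst), r.action
    return str(lan_dst), default


# Constructed access rules: only HTTPS to the first mapped host, everything
# else from WAN to the LAN denied. This is the "additional access rules"
# approach suggested in the thread, in the model's own rule format.
RESTRICTED = [
    Rule("allow", "tcp", ipaddress.ip_network("192.168.10.131/32"), 443),
    Rule("deny", "any", LAN),
]

if __name__ == "__main__":
    print("mappings outside WAN1's subnet:", outside_primary_wan())
    print("no rules, SSH to .131:", evaluate([], "tcp", "207.229.43.131", 22))
    print("restricted, HTTPS to .131:", evaluate(RESTRICTED, "tcp", "207.229.43.131", 443))
    print("restricted, SSH to .131:", evaluate(RESTRICTED, "tcp", "207.229.43.131", 22))
    print("restricted, HTTPS to .229:", evaluate(RESTRICTED, "tcp", "204.209.196.229", 443))
```

The first check lists 204.209.196.228-230 as the entries whose public side lies outside WAN1's /29, which is the exact set Cary describes as failing after 10-15 minutes. The `evaluate` calls show why the original question's observation is expected: with an empty rule list, a mapped host gets every port, and only an explicit deny rule after the intended allow narrows the exposure.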