Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2050
Views
0
Helpful
1
Replies

RV042 One to One NAT Failing

libtech123
Level 1
Level 1

‎12-13-2009 08:33 AM

Just purchased a RV042 for our office. We have an IP block of addresses, and 3 webservers. Configured the primary interface with 1st usable IP in the block, then set up one-to-one NAT for the next 3 public IP's directed to 3 private LAN IP's of servers using the range option. Then, seeing that the firewall allows all traffic to the NAT'd LAN IP's by default, I set ACL's 1st to allow http traffic from any to any, as well as a blanket deny for all other services. Worked for about 15 minutes, then couldn't hit servers from external source. I also noticed that even though I had "disabled" remote GUI, it was still possible to bring up login prompt. Figured that was a result of allowing http any in the ACL, so edited that ACL to allow http from any to only the 3 private IP's / webservers using internal LAN IP's. Again, worked for about 15 minutes and then stopped. Disabled "Block WAN Requests" and built an ACL to allow ping through, restarted router, began ping -t against one server. Worked again for about 15 minutes and died. Stock firmware matches latest firmware from Cisco site (1.3.12.19-tm), although I havn't tried reflashing. Anyone have any thoughts?  Is One-to-One NAT broken on these units?

Labels:
0 Helpful
1 Reply 1

Alejandro Gallego
Cisco Employee
Cisco Employee

‎12-13-2009 10:51 AM

When applying One-to-One NAT it is best not apply any ACLs for specific ports. When the ACL or port forward rules are applied to a NAT'ed address we tend see the behavior you have.

What I would do is this; since you are running web is place the web servers in the DMZ and apply your public IPs to each server's Private IP, or if needed just add the range to the DMZ. That would depend on what you need to have available on the web.

Once they are in the DMZ then you can go ahead and create ACLs to only allow certain services available on the web; like port 80. Since this is a brand new deployment I would go ahead and default the router, apply FW again and start fresh. Sometimes code likes to hang out and cause grief. Let us know if you still run into issues.

0 Helpful
Customers Also Viewed These Support Documents