Solved: RV082 v4.0.0.07 One-to-One NAT and Access Rules problem

Kevin Morse · ‎05-13-2011

Hi there,

I just purchased two RV082 to run a 20 computer and 4 web server office. I'm using One-to-one NAT to map public IPs to the different servers and our surveillance system and it appears to be working fine. For each One-to-One NATed address I have created the following Access rules:

Allow HTTP WAN1 Any [public address]

Allow SSH WAN1 Any [public address]

Deny All WAN1 Any [public address]

The allow rules are of higher priority so my experience with other firewalls would suggest that they should be applied first blocking access to all ports and then HTTP and SSH ports would be opened up. What appears to be happening is very disconcerting, with any Allow rules applied the Deny rules are removed entirely opening up all ports. If I move the Deny rule priority up it blocks all ports as expected.

My question is how do I prevent access to all ports except the HTTP and SSH ports with the router in One-to-one NAT mode.

Te-Kai Liu · ‎05-20-2011

When an Access Rule is defined on top of an 1-to-1 NAT rule, you want to change the public ip address to the private ip address that the public ip is mapped to.

Allow HTTP WAN1 Any [private address]

Allow SSH WAN1 Any [private address]

Deny All WAN1 Any [private address]

View solution in original post

henrikboes · ‎05-17-2011

I don't have a solution but want to add my voice to this thread. I'm running into the same thing on an RV042. The one-to-one NAT seems to completely ignore any and all firewall rules. (In my case, I only want VNC port 5900 open.) Any insight would be appreciated.

Donald Case · ‎09-13-2015

Same misbehavior here - on the latest firmware my RV042 and 042G models completely and entirely ignore all firewall access rules, for any/all one-to-one NAT enabled WAN-to-LAN rules

Te-Kai Liu · ‎05-20-2011

When an Access Rule is defined on top of an 1-to-1 NAT rule, you want to change the public ip address to the private ip address that the public ip is mapped to.

Allow HTTP WAN1 Any [private address]

Allow SSH WAN1 Any [private address]

Deny All WAN1 Any [private address]

Brian Bergin · ‎05-20-2011

That's an old version of the firmware. You should try the current build, 4.0.2.08-tm, and see if the problem continues. Cisco is unlikely to fix anything in 4.0.0.7 if it doesn't still exist in 4.0.2.08-tm.

Kevin Morse · ‎05-20-2011

Thanks for all of your suggestions guys,

Because the router is currently hosting a website that can't have any downtime (hence the Dual WAN) I haven't had a chance to make those changes but I'm going to try and do so late at night this weekend.

Kevin

PS I didn't realize Cisco just released a new build of the router firmware 3 days ago. Hopefully that solves it.

Kevin Morse · ‎05-20-2011

Just changed the Access Rules to use the Private IP addresses as suggested. Totally fixed the problem!

I'm still going to try and do the Firmware upgrade though.

Jeff Bolden · ‎07-12-2011

I've just realized today I have the same issue here. I'm currently running a Rev2 on the latest firmware (2.0.2.01-tm) and have One-to-One and rules configured for my exchange 2010 box. I ran a portscan against the outside today as I was wrapping up the project and realized I have a bunch of ports wide open including 445 and 139, which is disconcerting to say the least.

I had originally configured the allow rules to point to the external IP's, but after seeing the post by Tekliu I changed them all to point to the internal IP's. I restarted the router just to be sure, but it doesn't seem to be making a difference, the external port scans are still showing open ports.

If I create specific deny rules it seems to block as expected, but the default deny rule is not working. Any ideas, short of burning this box and getting something that actually does what it's supposed to? =)

OK, I just went in and created two specific deny rules for the two servers I have exposed with external IP's and it seems to work:

Allow SMTP WAN1 Any (Internal IP #1)

Allow HTTP WAN1 Any (Internal IP #1)

etc.... Then after the allows:

Deny ALL WAN1 Any (Internal IP #1)

Deny ALL WAN1 Any (Internal IP #2)

Then the default deny rules are last.

Is this a known issue with these routers? I have several clients with these RV082's and most are pretty simple networks, but this one had a little more complicated setup. But this is pretty standard stuff, I can't believe there is this glaring an issue with a simple default deny rule. Am I missing something?

Te-Kai Liu · ‎07-12-2011

Jeff, Thanks for the posting. This has been the standard way RV0xx access rules are used, after a 1-to-1 NAT rule is created. You start with denying all from WAN. Then add individual allow rules to let the specific traffic into the servers in the LAN.