RV220W: Internet Destination field of IPv4 firewall rule

gctwnl001
Level 1

The manual states:

This gateway supports multi-NAT, and the Internet Destination IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port, and the others can be assigned to servers on the LAN or DMZ. In this way, the LAN/DMZ server can be accessed from the internet by its aliased public IP address.

My ISP provides me with 5 IP addresses (say x.y.z.1-5) I can use. My WAN interface has address x.y.z.1

So, I thought Internet Destination meant that I can make rules like:

SMTP allow and send to internal address 192.168.1.a and internet destination is x.y.z.2

So, I thought I could do multiple-NAT-forwarding as in

x.y.z.2:25 -> 192.168.1.a:25

x.y.z.3:80 -> 192.168.1.b:80

But this seems not to work at all.

Have I misunderstood things here? Can I only do port forwarding from my WAN IP? And if I want to use multiple servers on the inside, must I either expose them fully to the internet or have them all get their traffic through my WAN IP?


3 Replies

gctwnl001
Level 1

I noticed that One-to-One NAT is able to link the other WAN IPs to internal servers. I also noticed that this seems to bypass the firewall (if I remove the SMTP allow rule from the IPv4 rules, it still is passed through via One-to-One NAT).

So, I am wondering what security risks I run if I remove these forwarders from the IPv4 rules in the firewall and add them to One-to-One NAT. Does the firewall work only on the WAN IP address? So, if I use One-to-One NAT, is my protection on those public IPs/internal services reduced to effectively only NAT? What about anti-flood attacks and all the other niceties of a proper firewall?

Accepted Solution

If implemented correctly, traffic going through 1-to-1 NAT should be firewalled similarly to traffic going through port forwarding from the router's WAN IP. Computers exposed to the internet via Port Forwarding and 1-to-1 NAT should be protected by the stateful packet inspection mechanism of the firewall.

To use 1-to-1 NAT, you would need multiple public addresses from your ISP.

Thank you. I've noticed another very nasty problem, though, which completely nullifies DNS Blacklist (DNSBL) checking. The RV220W changes the originating IP address of NAT-ted packets (at least via One-to-One NAT) to the IP address of the RV220W, thus completely nullifying DNSBL checks on spam. Very nasty, and something my old Linksys WAG54G2 was doing right. I'm linking here to the other discussion set up for this.

https://supportforums.cisco.com/thread/2078130?tstart=0
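For readers who want to see what "1-to-1 NAT firewalled the same way as port forwarding" and "source address preserved for DNSBL" look like when written out, here is an added example as a Linux nftables ruleset. It is not RV220W configuration, not from any post in this thread, and not from Cisco; it models the layout the original poster describes on a Linux gateway. Assumed and constructed for the example: the WAN interface is `wan0` with 203.0.113.1 standing in for x.y.z.1, the public aliases 203.0.113.2 and 203.0.113.3 stand in for x.y.z.2 and x.y.z.3, the LAN interface is `lan0` with the mail server at 192.168.1.10 (192.168.1.a) and the web server at 192.168.1.20 (192.168.1.b).

```nft
#!/usr/sbin/nft -f
# Added illustration (not RV220W configuration and not from the thread):
# a Linux nftables ruleset for the layout described above, showing the
# behaviour the accepted answer calls "implemented correctly".
#
# Assumptions (constructed for this example):
#   wan0 holds 203.0.113.1                     (stands in for x.y.z.1)
#   203.0.113.2 aliases the mail server 192.168.1.10   (192.168.1.a)
#   203.0.113.3 aliases the web server  192.168.1.20   (192.168.1.b)
#   lan0 is 192.168.1.0/24

flush ruleset

table ip nat1to1 {

    # 1-to-1 NAT, inbound half: rewrite the public alias to the private
    # address. This runs before routing and before the filter, so the
    # forward chain below sees the packet with its *private* destination.
    # Only the destination is rewritten; the client's source address is
    # left intact, which is what lets the mail server run meaningful
    # DNSBL lookups on the connecting IP.
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "wan0" ip daddr 203.0.113.2 dnat to 192.168.1.10
        iifname "wan0" ip daddr 203.0.113.3 dnat to 192.168.1.20
    }

    # 1-to-1 NAT, outbound half: connections the aliased servers originate
    # leave with their own public alias rather than the WAN IP. Everything
    # else from the LAN is masqueraded behind the WAN address as usual
    # (first matching rule wins, so the snat rules take precedence).
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" ip saddr 192.168.1.10 snat to 203.0.113.2
        oifname "wan0" ip saddr 192.168.1.20 snat to 203.0.113.3
        oifname "wan0" masquerade
    }

    # Stateful filter with a default-drop policy. The NAT mapping alone
    # opens nothing: a packet that reaches a private address through DNAT
    # is still dropped unless a rule here admits it, and reply traffic is
    # admitted only for connections already in the conntrack table.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Per-service allow rules. Because DNAT has already happened, they
        # match the private address, not the public alias.
        iifname "wan0" ip daddr 192.168.1.10 tcp dport 25 accept
        iifname "wan0" ip daddr 192.168.1.20 tcp dport { 80, 443 } accept

        # LAN hosts may initiate outbound connections.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f ruleset.nft` (or `nft -c -f ruleset.nft` to only syntax-check) and inspect with `nft list ruleset`. The point of the layout is the ordering: DNAT in `prerouting` maps the alias to the server, the `forward` chain then decides per service whether the translated packet may pass, and nothing in `postrouting` touches the source of inbound flows. Removing the `tcp dport 25` rule closes SMTP on 203.0.113.2 even though the 1-to-1 mapping remains, and a capture on the mail server (or `conntrack -L` on the gateway) shows the remote client's real address as the source, so DNSBL checks keep working.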