RV220W: Internet Destination field of IPv4 firewall rule

The manual states:

This gateway supports multi-NAT, and the Internet Destination IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port, and the others can be assigned to servers on the LAN or DMZ. In this way, the LAN/DMZ server can be accessed from the internet by its aliased public IP address.

My ISP provides me with 5 IP addresses (say x.y.z.1-5) I can use. My WAN interface has address x.y.z.1.

So, I thought Internet Destination meant that I can make rules like:

SMTP allow and send to internal address 192.168.1.a and internet destination is x.y.z.2

So, I thought I could do multiple-NAT-forwarding as in

x.y.z.2:25 -> 192.168.1.a:25

x.y.z.3:80 -> 192.168.1.b:80

But this seems not to work at all.

Have I misunderstood things here? Can I only do port forwarding from my WAN IP? And if I want to use multiple servers on the inside, must I either expose them fully to the internet or have them all get their traffic through my WAN IP?

I noticed that One-to-One NAT is able to link the other WAN IPs to internal servers. I also noticed that this seems to bypass the firewall (if I remove the SMTP allow rule from the IPv4 rules, it still is passed through via One-to-One NAT).

So, I am wondering what security risks I run if I remove these forwarders from the IPv4 rules in the firewall and add them to One-to-One NAT. Does the firewall work only on the WAN IP address? So, if I use One-to-One NAT, is my protection on those public IPs/internal services reduced to effectively only NAT? What about anti-flood attacks and all the other niceties of a proper firewall?

If implemented correctly, traffic going through 1-to-1 NAT should be firewalled similar to traffic going through port forwarding from the router's WAN IP. Computers exposed to the internet via Port Forwarding and 1-to-1 NAT should be protected by the stateful packet inspection mechanism of the firewall.

To use 1-to-1 NAT, you would need multiple public addresses from your ISP.


Thank you. I've noticed another very nasty problem, though, which completely nullifies DNS Blacklist checking (DNSBL). The RV220W changes the originating IP address of NAT-ted packets via (at least) One-to-One to the IP address of the RV220W, thus completely nullifying DNSBL checks on spam. Very nasty, and something my old Linksys WAG54G2 was doing right. I'm linking here to the other discussion set up for this.

https://supportforums.cisco.com/thread/2078130?tstart=0
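As an added illustration, not the RV220W's own configuration (which is set through its web interface), this is how the behaviour the reply above describes is expressed on a Linux gateway with nftables: the two aliased public addresses are mapped 1-to-1 onto internal servers, the forwarded traffic still has to pass the stateful filter, and the mail server's outbound connections keep the alias as source address, which is what the last post found missing for DNSBL checks. Interface names and the 203.0.113.x / 192.168.1.x addresses are assumed placeholders standing in for x.y.z.1-3 and 192.168.1.a/b.

```nftables
# Added example for a Linux gateway (nftables); addresses and interfaces are assumed.
define WAN_IF   = eth0
define LAN_IF   = eth1
define WAN_IP   = 203.0.113.1   # stands in for x.y.z.1, the router's own WAN address
define MAIL_PUB = 203.0.113.2   # stands in for x.y.z.2, aliased to the mail server
define WEB_PUB  = 203.0.113.3   # stands in for x.y.z.3, aliased to the web server
define MAIL_INT = 192.168.1.10  # stands in for 192.168.1.a
define WEB_INT  = 192.168.1.11  # stands in for 192.168.1.b

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound half of 1-to-1 NAT: public alias -> internal server, all ports.
        iifname $WAN_IF ip daddr $MAIL_PUB dnat to $MAIL_INT
        iifname $WAN_IF ip daddr $WEB_PUB  dnat to $WEB_INT
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound half: the aliased servers leave with their own public
        # address as source, not the WAN IP, so reverse DNS and DNSBL
        # lookups by the receiving mail server see the right address.
        oifname $WAN_IF ip saddr $MAIL_INT snat to $MAIL_PUB
        oifname $WAN_IF ip saddr $WEB_INT  snat to $WEB_PUB
        # Every other LAN host is hidden behind the WAN IP as usual.
        oifname $WAN_IF ip saddr 192.168.1.0/24 snat to $WAN_IP
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # DNAT has already happened when this hook runs, so rules match the
        # translated (internal) destination. Nothing reaches the 1-to-1 hosts
        # unless a rule here allows it: the NAT mapping alone opens no port.
        ct state established,related accept
        ct state invalid drop
        iifname $WAN_IF ip daddr $MAIL_INT tcp dport 25 ct state new accept
        iifname $WAN_IF ip daddr $WEB_INT  tcp dport 80 ct state new accept
        # LAN hosts may initiate their own outbound connections.
        iifname $LAN_IF oifname $WAN_IF ct state new accept
    }
}
```

Loaded with `nft -f`, the check that matches the first reply's worry is to remove the port-25 accept line and confirm that connections to the alias are then dropped, which shows the NAT mapping is not bypassing the filter.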