RV220W open up port 80 and 443 for 2 internal servers from the internet

Dan Aspinall
Level 1

Hi all,

I'm looking for a definitive answer here as I only seem to be able to allow anything or block anything in this scenario.

I have 2 external ip addresses assigned by my ISP for two webservers hosted in my office.  These are on the same internal network as the RV220w.  All I need to do is allow access to http and https on these two servers and block all other inbound traffic.

So 202.xxx.xxx.2 and 202.xxx.xxx.3 external pointing at 192.168.xxx.2 and 192.168.xxx.3 internal for port 80 and 443.

The public and private IP of our router being 202.xxx.xxx.1 and 192.168.xxx.1.

I only seem to be able to get all or nothing open by doing the following:

One-to-One NAT

Private Range Begin | Public Range Begin | Range Length | Service
192.xxx.xxx.2       | 202.xxx.xxx.3      | 1            | Any


...and then adding disallow rules to the Firewall Access rules - such as:

Action       | Service | Status  | Connection Type                                | Source IP
Always Block | SSH:TCP | Enabled | Inbound (WAN (Internet) > LAN (Local Network)) | Any
Always Block | SSH:UDP | Enabled | Inbound (WAN (Internet) > LAN (Local Network)) | Any
I don't seem to be able to add just HTTP and HTTPS as One-to-One NAT services, or block everything and just allow ports 80 and 443.

Seems I'm missing something really obvious here but would be great to know definitively.

Thanks all!

9 Replies

cchamorr
Level 5

Hello,

I saw this post after hours, so at the moment I don't have access to the device to test the configuration, but I wanted to give you an idea of what needs to be done so you can try it.

1- Create the One-to-One NAT rules for the two servers as you showed above, using Any as the service; this will open all ports to both servers.

Private Range Begin | Public Range Begin | Range Length | Service
192.xxx.xxx.2       | 202.xxx.xxx.3      | 1            | Any

2- Go to the access rules and create the following policies:

  a- Connection type: Inbound

  b- Action: Always Block

  c- Service: Any

  d- Source IP: Any

  e- Use other WAN (Internet) IP Address: Enabled

  f- WAN (Internet) destination IP: 202.xxx.xxx.2 and 202.xxx.xxx.3 (on two different rules)

This will block all the ports going to the respective public IP addresses.

3- Open the desired ports:

  a- Connection type: Inbound

  b- Action: Always Allow

  c- Service: HTTP/HTTPS (one rule for each)

  d- Source IP: Any

  e- Send to local server (DNAT IP): IP address of the local server.

  f- Use other WAN (Internet) IP Address: Enabled

  g- WAN (Internet) destination IP: The public IP address associated with the server specified above.

Just to be clear, for each server you should have one "Always Block" rule and two "Always Allow" rules, meaning that you will create 6 rules in total.

It is extremely important that you create the Always Block rules first.

I hope this was helpful.

If you try this and run into any issues, let me know and I will test it on the lab, but I'm positive it should work.

Hi cchamorr, and thanks for your time and help.

I have tried the exact steps you provided, and can still access these machines over other ports from outside our network, e.g. SSH, SMTP etc.

I do have another rule above these for our VPN server access. Could this be affecting the order of the rules?

Action       | Service | Status  | Connection Type                                | Source IP
Always Allow | OpenVPN | Enabled | Inbound (WAN (Internet) > LAN (Local Network)) | Any

This is a custom service created to open the required port for OpenVPN, which runs on a different public and private IP address.

I've attached screen shots with what I've set up so far.

I'd really expect the steps you mentioned to have worked, but maybe this rule is creating some issues. 

Would be great to know what you think.

Many thanks again!

Hello Dan,

First of all I want to apologize for not answering earlier; it has been a crazy day and I didn't have the chance to lab this up until later in the afternoon.

I went ahead and configured the settings as I told you and I ran into issues; it was not working properly.

Then I remembered the right way to configure this particular device.

These are the steps:

1- Forget about One-to-One NAT, you don't need it, so go ahead and delete those rules.

2- Go to the access rules section under the firewall and create two rules per server as follows:

  a- Connection type: Inbound

  b- Action: Always Allow

  c- Service: HTTP/HTTPS (one rule for each)

  d- Source IP: Any

  e- Send to local server (DNAT IP): IP address of the local server.

  f- Use other WAN (Internet) IP Address: Enabled

  g- WAN (Internet) destination IP: The public IP address associated with the server specified above.

This is it. No more configuration needed, no Deny or Block rules needed.

I tested this on our lab and it works every time.

I'm really sorry it took me so long, but this is one of those things that just gets lost in your head and you have to sit down and work hard on it until you can remember it.

Please let me know how this works for you as soon as you test it.

I'm sure this will help.
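An added example, not from the thread or from Cisco: a small Python model of the final recipe above (one Always Allow rule with DNAT per service per server, bound to that server's public IP) beside the original One-to-One NAT entry with Service set to Any, which cchamorr noted opens every port. The addresses are constructed documentation-range values, and the first-match, default-drop evaluation is an assumption of the model, not documented RV220W behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    proto: str                     # "tcp", "udp" or "any"
    port: Optional[int]            # None matches any port (service "Any")
    wan_ip: Optional[str]          # "WAN destination IP"; None = any public IP
    dnat_ip: Optional[str] = None  # "Send to local server (DNAT IP)"

# Constructed addresses (RFC 5737 documentation range / RFC 1918), not the poster's.
PUBLIC = {"web1": "203.0.113.2", "web2": "203.0.113.3"}
PRIVATE = {"web1": "192.168.0.2", "web2": "192.168.0.3"}

def dnat_rules(public_ip: str, private_ip: str) -> List[Rule]:
    """Final recipe: one Always Allow + DNAT rule per service (HTTP, HTTPS) per server."""
    return [Rule("allow", "tcp", p, public_ip, private_ip) for p in (80, 443)]

def one_to_one_any(public_ip: str, private_ip: str) -> Rule:
    """Original One-to-One NAT entry with Service=Any, modelled as allow-all to the host."""
    return Rule("allow", "any", None, public_ip, private_ip)

def evaluate(rules: List[Rule], proto: str, port: int, wan_ip: str) -> Optional[str]:
    """Return the internal host a packet is sent to, or None if it is dropped.
    Assumption: first matching rule wins; inbound traffic matching nothing is dropped."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.wan_ip is not None and r.wan_ip != wan_ip:
            continue
        return r.dnat_ip if r.action == "allow" else None
    return None

def exposed_tcp_ports(rules: List[Rule], wan_ip: str, ports=range(1, 1025)) -> List[int]:
    """TCP ports on a given public IP that reach any internal host."""
    return [p for p in ports if evaluate(rules, "tcp", p, wan_ip) is not None]

# The two rule sets discussed in the thread.
FINAL = dnat_rules(PUBLIC["web1"], PRIVATE["web1"]) + dnat_rules(PUBLIC["web2"], PRIVATE["web2"])
ORIGINAL = [one_to_one_any(PUBLIC["web1"], PRIVATE["web1"])]

if __name__ == "__main__":
    print("final recipe, web1 :", exposed_tcp_ports(FINAL, PUBLIC["web1"]))        # [80, 443]
    print("1:1 NAT Any, web1  :", len(exposed_tcp_ports(ORIGINAL, PUBLIC["web1"])))  # 1024
```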

Hi again, and thanks for the help.

I removed the VPN rule so that it wouldn't get in the way of our attempts.

I have removed the One-to-One NAT and created the two rules as you stated, but again I'm not getting access to the server from outside our network.

Is there any way I can send you the exact configuration via private message?

Is there any generic firewall setting that I need to activate to get these rules to be read? It certainly looks like they should be working as you described.

I look forward to your response.

Hello Dan,

I'm very disappointed this is still not working for you; I tested everything and had no issues.

I'm not at work now, but I will send you an email tomorrow to get your config. I will check it and see if I can find out the problem.

By the way, I didn't mention anything about the VPN rule as I didn't think the issue was related to it.

Have a good night.

I will email you tomorrow.

Hello Dan,

I sent you an email to the address on your Cisco account asking you for some information.

Please let me know if you received it. I will be back on Monday.

Have a good weekend.

Thanks cchamorr, I've sent the email with all the relevant details.

Hello, 

I just wanted to touch base with you and see if you were able to get your issue resolved.

Please let us know.

Hello Mr. Aspinall,

It has been some time since we stopped talking, and I would like to find out if you were able to configure the two ports for access from different public IPs.

Please don't forget to mark an answer as correct or to grade it if it was helpful to you, so that other members can benefit from it.
