cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Get the latest new and information the November issue of the Cisco Small Business Monthly Newsletter

488
Views
0
Helpful
3
Replies
Highlighted
Beginner

SRP521W Advanced Firewall Bug?

Using an SRP251W-U firmware 1.2.5

I have two ports forwarded, one is a straight forward for port 22 to the local LAN server.  The other is a port forward for external port 81 to internal port 80 on the same LAN server.

Using Network Setup -> Firewall -> IPV4 -> Advanced Firewall Settings

I wish to only allow a certain source ip access to the two port forwardings.  I have the following rules:

Priority 1 - Source: x,x,x,x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - PERMIT

Priority 2 - Source: x.x.x.x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - PERMIT

Priority 3 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - DENY

Priority 4 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY

The above rules work fine to block port 22.  Only the IP of x.x.x.x can reach port 22 - perfect.

The issue is, the rule for port 81 is not working. Every IP can reach port 81.

Is there a bug in the advanced firewall rules or NAT rules that makes it so if you translate an external port that is different from an internal port that the advanced firewall doesn't work?

I need the ability to NAT port forward external port 81 to internal port 80, AND only allow certain source IPs to be able to access external port 81.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

SRP521W Advanced Firewall Bug?

Hi Dan,

This can be a little confusing, but the thing you have to remember with advanced firewall rules is that they are applied after the NAT translation.

If you change your first rule to reflect the internal server address for destination and use port 80 as the destination port, you should find that it works.

The port 22 rule just happened to work as you are not converting that one.

Although this might seems a little backwards, it actually offers more flexibility as it allows you to create different rules for internal hosts that sit behind a common public IP address.

HTH,

Andy

View solution in original post

3 REPLIES 3
Cisco Employee

SRP521W Advanced Firewall Bug?

Hi Dan,

This can be a little confusing, but the thing you have to remember with advanced firewall rules is that they are applied after the NAT translation.

If you change your first rule to reflect the internal server address for destination and use port 80 as the destination port, you should find that it works.

The port 22 rule just happened to work as you are not converting that one.

Although this might seems a little backwards, it actually offers more flexibility as it allows you to create different rules for internal hosts that sit behind a common public IP address.

HTH,

Andy

View solution in original post

Beginner

SRP521W Advanced Firewall Bug?

The same symptoms seem to exist when I change the first rule as you suggested.

Here's just the rules I have now:

Priority 1 - Source: x,x,x,x - Dest 192.168.0.253/255.255.255.0 - Proto ANY - Source Port ANY - Dest Port 80 - PERMIT

Priority 2 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY

Maybe I misunderstood your suggestion and did something wrong?

Beginner

SRP521W Advanced Firewall Bug?

Got it working, I had to change the other rule as well.

Thanks a lot Andrew!