SRP521W Advanced Firewall Bug?

Dan Muntz
Level 1

Using an SRP251W-U firmware 1.2.5

I have two ports forwarded, one is a straight forward for port 22 to the local LAN server. The other is a port forward for external port 81 to internal port 80 on the same LAN server.

Using Network Setup -> Firewall -> IPV4 -> Advanced Firewall Settings

I wish to only allow a certain source ip access to the two port forwardings.  I have the following rules:

Priority 1 - Source: x.x.x.x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - PERMIT

Priority 2 - Source: x.x.x.x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - PERMIT

Priority 3 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - DENY

Priority 4 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY

The above rules work fine to block port 22.  Only the IP of x.x.x.x can reach port 22 - perfect.

The issue is, the rule for port 81 is not working. Every IP can reach port 81.

Is there a bug in the advanced firewall rules or NAT rules that makes it so if you translate an external port that is different from an internal port that the advanced firewall doesn't work?

I need the ability to NAT port forward external port 81 to internal port 80, AND only allow certain source IPs to be able to access external port 81.

1 Accepted Solution

Accepted Solutions

Andrew Hickman
Cisco Employee

Hi Dan,

This can be a little confusing, but the thing you have to remember with advanced firewall rules is that they are applied after the NAT translation.

If you change your first rule to reflect the internal server address for destination and use port 80 as the destination port, you should find that it works.

The port 22 rule just happened to work as you are not converting that one.

Although this might seem a little backwards, it actually offers more flexibility as it allows you to create different rules for internal hosts that sit behind a common public IP address.

HTH,

Andy


3 Replies

The same symptoms seem to exist when I change the first rule as you suggested.

Here's just the rules I have now:

Priority 1 - Source: x.x.x.x - Dest 192.168.0.253/255.255.255.0 - Proto ANY - Source Port ANY - Dest Port 80 - PERMIT

Priority 2 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY

Maybe I misunderstood your suggestion and did something wrong?

Got it working, I had to change the other rule as well.

Thanks a lot Andrew!
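To make the accepted answer's point concrete, here is an added Python model of the NAT-then-firewall order it describes. It is an illustration written for this page, not the router's code and not code from any poster. The port forward rewrites the destination address and port first, and only then are the Advanced Firewall rules compared against the rewritten packet. The addresses 203.0.113.10 (standing in for x.x.x.x), 198.51.100.7 and 192.0.2.1 are assumed; the only address from the thread is the server 192.168.0.253. It also assumes that forwarded traffic matching no rule is permitted, which is consistent with every host reaching port 81 in the thread.

```python
"""Model of the order the accepted answer describes: DNAT (port forward)
first, then Advanced Firewall rules evaluated against the translated packet.
Constructed illustration, not the router's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRUSTED_SRC = "203.0.113.10"   # assumed stand-in for Dan's "x.x.x.x"
OTHER_SRC = "198.51.100.7"     # assumed: any other Internet host
WAN_IP = "192.0.2.1"           # assumed public address of the router
SERVER = "192.168.0.253"       # LAN server address from Dan's follow-up
ANY = "0.0.0.0"                # what 0.0.0.0 means in the GUI: match anything

# Port forwards from the original post: external port -> (internal host, port)
PORT_FORWARDS = {22: (SERVER, 22), 81: (SERVER, 80)}


def network(spec: str) -> ipaddress.IPv4Network:
    """Rule address field -> network. 0.0.0.0 is 'any'; a bare host is a /32;
    a host/netmask pair is widened to the whole subnet (host bits masked)."""
    if spec == ANY:
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def dst_scope(spec: str) -> str:
    """Normalized form of a destination field, showing how wide it matches."""
    return str(network(spec))


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    src: str
    dst: str
    dport: Optional[int]   # None == ANY
    action: str            # "PERMIT" or "DENY"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in network(rule.src)
            and ipaddress.ip_address(pkt.dst) in network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def dnat(pkt: Packet) -> Packet:
    """Apply the port forward: rewrite destination address and port."""
    if pkt.dst == WAN_IP and pkt.dport in PORT_FORWARDS:
        host, port = PORT_FORWARDS[pkt.dport]
        return Packet(pkt.src, host, port)
    return pkt


def firewall(rules, pkt: Packet) -> str:
    """First matching rule wins, in priority order. Assumption: forwarded
    traffic that matches no rule is permitted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "PERMIT"


def reaches_server(rules, src: str, ext_port: int) -> bool:
    """Does a packet from src to the WAN port get through? NAT first, then rules."""
    return firewall(rules, dnat(Packet(src, WAN_IP, ext_port))) == "PERMIT"


# Rule set 1: the original post, written against the external ports.
ORIGINAL = [
    Rule(TRUSTED_SRC, ANY, 81, "PERMIT"),
    Rule(TRUSTED_SRC, ANY, 22, "PERMIT"),
    Rule(ANY, ANY, 22, "DENY"),
    Rule(ANY, ANY, 81, "DENY"),
]
# Rule set 2: only the permit rule moved to the internal address/port
# (the second attempt); the deny rule still names external port 81.
HALF_FIXED = [
    Rule(TRUSTED_SRC, SERVER, 80, "PERMIT"),
    Rule(ANY, ANY, 81, "DENY"),
]
# Rule set 3: every rule written against the post-NAT packet.
FIXED = [
    Rule(TRUSTED_SRC, SERVER, 80, "PERMIT"),
    Rule(TRUSTED_SRC, SERVER, 22, "PERMIT"),
    Rule(ANY, SERVER, 22, "DENY"),
    Rule(ANY, SERVER, 80, "DENY"),
]

if __name__ == "__main__":
    for name, rules in [("ORIGINAL", ORIGINAL), ("HALF_FIXED", HALF_FIXED), ("FIXED", FIXED)]:
        for src in (TRUSTED_SRC, OTHER_SRC):
            for port in (22, 81):
                state = "reaches" if reaches_server(rules, src, port) else "blocked"
                print(f"{name:10} {src:>14} -> :{port}  {state}")
```

Running it reproduces the three states in the thread: with the original rules the port 81 deny never matches, because by the time the rules run the packet already says port 80; with only the permit rule changed, nothing denies other sources, so they still get through; with both rules written against the internal address and port 80, only the trusted source reaches the server. The dst_scope helper shows why the destination mask matters too: an entry of 192.168.0.253/255.255.255.0 matches the whole 192.168.0.0/24 subnet, while a bare 192.168.0.253 matches only that host.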