RVS4000 IP Based ACL and NAT

Unanswered Question
Aug 9th, 2009

Hi,


I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.


I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.


I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.


However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.


Is this the correct behaviour?


Firmware version is v1.2.11


Regards,


Adam

Te-Kai Liu Mon, 08/10/2009 - 06:33

In your scenario, please ensure the Allow rule has Priority 1 and the Deny rule has Priority 2, so the Allow rule gets the higher priority when RVS4000 inspects the incoming packets.

adam09876 Mon, 08/10/2009 - 13:11

Hi,


Thank you for replying. However I have already tried as you have suggested and it is still not working.


My Single Port Forwarding looks like this:


Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes


My rules in IP Based ACL look like this (columns from left to right):


1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day  
2 YES Deny SMTP WAN ANY ANY Any Time Every Day 

My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.

daviddun Mon, 08/10/2009 - 13:16

Good Afternoon,


The RVS4000 router allows Port forwarding to take precedence over ACL's.


The router by design will forward the traffic through it before it looks at any ACLs.


I hope this gives you the answer you are looking for.

adam09876 Mon, 08/10/2009 - 13:28

Hi,


Thank you - that answers my question.


I will be returning the router to point of purchase as with this limitation it doesn't meet my requirements.


Regards,


Adam

Te-Kai Liu Mon, 08/10/2009 - 13:34

Please consider making a call to Cisco Tech Support as I do not believe your scenario cannot be supported by RVS4000.

lukaskozak Tue, 02/15/2011 - 01:31

I have the same problem with the latest firmware V1.3.2.0. I also do not believe this conjunction of IP ACL with port forwarding does not work.

Please, tell me the final resolution.


Thank You

csmith1510 Tue, 07/10/2012 - 09:13

I just upgraded to 1.3.3.5 and this is still an issue. Why would you bypass the ACLs because of port forwarding? That is the stupidest thing I ever heard of. This is why I ALWAYS recommend Sonicwall and Fortigate. Coming from Cisco, a LEADER in networking and security, I expected better!

Te-Kai Liu Tue, 07/10/2012 - 09:22

The RVS4000 router allows Port forwarding to take precedence over ACLs.


The router by design will forward the traffic through it before it looks at any ACLs.


I hope this gives you the answer you are looking for.


The above is an incorrect statement. ACL rules WILL be applied on top of the forwarding rules.

If the router does not behave correctly, please consider contacting SBSC to get the support.
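A practitioner would want to verify the claim above from the outside rather than trust the ACL page. The following probe is an added example written for this thread, not code from the original posts or from Cisco: run it once from a host the ACL should deny and once from the allowed host, and compare the observed reachability with what the rule set is supposed to permit. The target address 203.0.113.10 is an assumed placeholder (documentation range) standing in for the RVS4000's WAN IP; port 25 is the forwarded SMTP port from the thread. The built-in self-test uses a throwaway local listener with a constructed SMTP-style banner.

```python
"""Probe a forwarded port from outside to confirm an ACL is really enforced.

Added example, not part of the original thread. TARGET_HOST is an assumed
placeholder for the router's WAN address; replace it with the real one.
"""
import socket
import threading

TARGET_HOST = "203.0.113.10"   # assumption: public WAN IP of the RVS4000 (documentation range)
TARGET_PORT = 25               # the forwarded SMTP port discussed in the thread


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Attempt a TCP connection and read the first banner line, if any.

    Returns a dict with:
      reachable - True if the TCP handshake completed
      banner    - first line the service sent (e.g. an SMTP "220 ..."), or ""
      error     - OS error text on failure, or ""
    A completed handshake means the router forwarded the packet to the
    internal host; an enforced deny rule should give a timeout or refusal.
    """
    result = {"reachable": False, "banner": "", "error": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.settimeout(timeout)
            try:
                data = s.recv(512)
                if data:
                    result["banner"] = data.decode("ascii", "replace").splitlines()[0]
            except OSError:
                pass  # connected but the service sent nothing in time
    except OSError as exc:
        result["error"] = str(exc)
    return result


def acl_looks_enforced(expect_allowed: bool, result: dict) -> bool:
    """True when observed reachability matches what the ACL should permit for this source host."""
    return result["reachable"] == expect_allowed


def _local_selftest() -> bool:
    """Exercise probe_tcp against a constructed local listener, then against the closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")  # constructed banner
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    up = probe_tcp("127.0.0.1", port, timeout=2.0)
    t.join(2.0)
    srv.close()
    # Nothing listens on that port any more: the probe must now report unreachable.
    down = probe_tcp("127.0.0.1", port, timeout=2.0)
    return up["reachable"] and up["banner"].startswith("220") and not down["reachable"]


if __name__ == "__main__":
    r = probe_tcp(TARGET_HOST, TARGET_PORT)
    print(r)
    # Use expect_allowed=False when running from a host the ACL should deny,
    # expect_allowed=True from the single allowed source address.
    print("ACL enforced as expected:", acl_looks_enforced(expect_allowed=False, result=r))
```

Reading the banner, not just the handshake, matters here: a 220 line proves the packet reached the internal mail host, which is exactly the outcome the deny rule is supposed to prevent for everyone except the allowed source.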

csmith1510 Tue, 07/10/2012 - 09:24

Great! So please explain why I have ACLs to deny the whole of APNIC and I still see it in my log files as being forwarded on?

Te-Kai Liu Tue, 07/10/2012 - 09:27

Could you post your ACL config page and port forwarding page?

csmith1510 Tue, 07/10/2012 - 09:40

Unless I am reading this incorrectly, here is the log clearly showing IPs in the deny ranges being forwarded.

