6823 Views, 0 Helpful, 12 Replies

RVS4000 IP Based ACL and NAT

adam09876 (Level 1)

Hi,

I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.

I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.

I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.

However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.

Is this the correct behaviour?

Firmware version is v1.2.11

Regards,

Adam

12 Replies

Te-Kai Liu (Level 7)

In your scenario, please ensure the Allow rule has Priority 1 and the Deny rule has Priority 2, so the Allow rule gets the higher priority when RVS4000 inspects the incoming packets.

Hi,

Thank you for replying. However I have already tried as you have suggested and it is still not working.

My Single Port Forwarding looks like this:

Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes

My rules in IP Based ACL look like this (columns from left to right):

1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day  
2 YES Deny SMTP WAN ANY ANY Any Time Every Day 

My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.

daviddun (Level 3)

Good Afternoon,

The RVS4000 router allows port forwarding to take precedence over ACLs.

The router by design will forward the traffic through it before it looks at any ACLs.

I hope this gives you the answer you are looking for.
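To make the ordering question concrete, here is a small added example (not from this thread and not a description of RVS4000 internals) that models an inbound pipeline with a first-match IP ACL and a single-port-forwarding (DNAT) table, then runs the exact rule layout Adam posted through three assumed orderings: forwarding that bypasses the ACL, ACL evaluated after translation, and ACL evaluated before translation. The addresses are constructed stand-ins for the xxx'd values in the thread, and the "implicit allow when nothing matches" default is an assumption of the model.

```python
"""Added example: toy model of NAT/ACL ordering on an inbound pipeline.
Not vendor code; the three pipeline orders are assumptions for illustration."""
from dataclasses import dataclass, replace
import ipaddress

# Constructed stand-ins for the masked addresses in the thread.
WAN_IP = "198.51.100.1"       # router's public address
TRUSTED = "203.0.113.10"      # the one host that should reach port 25
STRANGER = "203.0.113.200"    # any other Internet host
INTERNAL = "192.168.1.25"     # NAT'd mail server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    priority: int
    action: str   # "allow" or "deny"
    dport: int    # service port (25 = SMTP)
    src: str      # "any" or host/CIDR
    dst: str      # "any" or host/CIDR


def _match_addr(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def acl_verdict(rules, pkt: Packet, default: str = "allow") -> str:
    """First-match evaluation in priority order; 'default' is the assumed
    implicit action when no rule matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.dport == pkt.dport and _match_addr(r.src, pkt.src)
                and _match_addr(r.dst, pkt.dst)):
            return r.action
    return default


def dnat(forwards, pkt: Packet) -> Packet:
    """Single Port Forwarding: rewrite the destination of a forwarded port."""
    target = forwards.get((pkt.proto, pkt.dport))
    if target is None:
        return pkt
    ip, port = target
    return replace(pkt, dst=ip, dport=port)


def process(order: str, forwards, rules, pkt: Packet) -> str:
    """Return the verdict for pkt under one of three assumed pipeline orders."""
    forwarded = (pkt.proto, pkt.dport) in forwards
    if order == "nat_bypasses_acl":          # forwarded traffic never sees the ACL
        return "allow" if forwarded else acl_verdict(rules, pkt)
    if order == "nat_then_acl":              # ACL sees the translated (LAN) destination
        return acl_verdict(rules, dnat(forwards, pkt))
    if order == "acl_then_nat":              # ACL sees the original (WAN) destination
        return acl_verdict(rules, pkt)
    raise ValueError(order)


def demo() -> dict:
    forwards = {("tcp", 25): (INTERNAL, 25)}
    # Adam's rules: 1 allow SMTP from trusted host to internal host, 2 deny SMTP any/any.
    rules_lan_dst = [AclRule(1, "allow", 25, TRUSTED, INTERNAL),
                     AclRule(2, "deny", 25, "any", "any")]
    # Same intent, but written against the WAN address for a pre-translation ACL.
    rules_wan_dst = [AclRule(1, "allow", 25, TRUSTED, WAN_IP),
                     AclRule(2, "deny", 25, "any", "any")]
    probes = {"trusted": Packet(TRUSTED, WAN_IP, 25),
              "stranger": Packet(STRANGER, WAN_IP, 25)}
    results = {}
    for order in ("nat_bypasses_acl", "nat_then_acl", "acl_then_nat"):
        results[order] = {n: process(order, forwards, rules_lan_dst, p)
                          for n, p in probes.items()}
    results["acl_then_nat_wan_dst"] = {n: process("acl_then_nat", forwards, rules_wan_dst, p)
                                       for n, p in probes.items()}
    return results


if __name__ == "__main__":
    for order, verdicts in demo().items():
        print(f"{order:22s} {verdicts}")
```

Only the bypass ordering reproduces what Adam reports (every external host allowed). If the ACL runs after translation, his rules work as written; if it runs before translation, rule 1 never matches because the packet's destination is still the WAN address, and the any/any deny then blocks the trusted host too, so the destination column would have to name the WAN address instead. Checking which of these a device does, by testing from a trusted and an untrusted source and reading the log, is the quickest way to tell a bypass from a mis-specified destination.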

Hi,

Thank you - that answers my question.

I will be returning the router to point of purchase as with this limitation it doesn't meet my requirements.

Regards,

Adam

Please consider making a call to Cisco Tech Support as I do not believe your scenario cannot be supported by RVS4000.

I have the same problem with latest firmware V1.3.2.0. I also do not believe this conjunction IP ACL with port forwarding does not work.

Please, tell me the final resolution.

Thank You

I just upgraded to 1.3.3.5 and this is still an issue. Why would you bypass the ACLs because of port forwarding? That is the stupidest thing I ever heard of. This is why I ALWAYS recommend Sonicwall and Fortigate. Coming from Cisco, a LEADER in networking and security, I expected better!

The RVS4000 router allows port forwarding to take precedence over ACLs.

The router by design will forward the traffic through it before it looks at any ACLs.

I hope this gives you the answer you are looking for.

The above is an incorrect statement. ACL rules WILL be applied on top of the forwarding rules.

If the router does not behave correctly, please consider contacting SBSC to get the support.

Great! So please explain why I have ACLs to deny the whole APNIC and I still see it in my log files as being forwarded on?

Could you post your ACL config page and port forwarding page?

Unless I am reading this incorrectly, here is the log clearly showing IPs in the deny ranges being forwarded.
