08-09-2009 08:44 PM
Hi,
I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.
I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.
I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.
However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.
Is this the correct behaviour?
Firmware version is v1.2.11
Regards,
Adam
08-10-2009 06:33 AM
In your scenario, please ensure the Allow rule has Priority 1 and the Deny rule has Priority 2, so the Allow rule gets the higher priority when RVS4000 inspects the incoming packets.
08-10-2009 01:11 PM
Hi,
Thank you for replying. However I have already tried as you have suggested and it is still not working.
My Single Port Forwarding looks like this:
Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes
My rules in IP Based ACL look like this (columns from left to right):
1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day
2 YES Deny SMTP WAN ANY ANY Any Time Every Day
My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.
08-10-2009 01:16 PM
Good Afternoon,
The RVS4000 router allows Port forwarding to take precedence over ACLs.
The router by design will forward the traffic through it before it looks at any ACLs.
I hope this gives you the answer you are looking for.
08-10-2009 01:28 PM
Hi,
Thank you - that answers my question.
I will be returning the router to point of purchase as with this limitation it doesn't meet my requirements.
Regards,
Adam
08-10-2009 01:34 PM
Please consider making a call to Cisco Tech Support as I do not believe your scenario cannot be supported by RVS4000.
02-15-2011 01:31 AM
I have the same problem with latest firmware V1.3.2.0. I also do not believe this conjunction of IP ACL with port forwarding does not work.
Please, tell me the final resolution.
Thank You
07-10-2012 09:13 AM
I just upgraded to 1.3.3.5 and this is still an issue. Why would you bypass the ACLs because of port forwarding? That is the stupidest thing I ever heard of. This is why I ALWAYS recommend Sonicwall and Fortigate. Coming from Cisco, a LEADER in networking and security, I expected better!
07-10-2012 09:22 AM
The RVS4000 router allows Port forwarding to take precedence over ACLs.
The router by design will forward the traffic through it before it looks at any ACLs.
I hope this gives you the answer you are looking for.
The above is an incorrect statement. ACL rules WILL be applied on top of the forwarding rules.
If the router does not behave correctly, please consider contacting SBSC to get the support.
07-10-2012 09:24 AM
Great! So please explain why I have ACLs to deny the whole APNIC and I still see it in my log files as being forwarded on?
07-10-2012 09:27 AM
Could you post your ACL config page and port forwarding page?
07-10-2012 09:36 AM
07-10-2012 09:40 AM
Unless I am reading this incorrectly, here is the log clearly showing IPs in the deny ranges being forwarded.
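Added example, not from this thread or from Cisco: a small Python check that replays a priority-ordered ACL table (Allow one source first, Deny the rest second, as in the SMTP rules above, and generalised to CIDR ranges like the APNIC deny rules) over forwarded-connection log lines and lists the flows the ACL should have blocked, which is the evidence the log in this post is being read for. The log format, rule fields and all addresses are constructed assumptions, not the RVS4000's real log layout.

```python
import ipaddress
import re

# Constructed ACL table modelled on the IP Based ACL entries in this thread:
# priority 1 allows one external host to port 25, priority 2 denies everyone else.
ACL_RULES = [
    {"priority": 1, "action": "Allow", "src": "203.0.113.10/32", "dst_port": 25},
    {"priority": 2, "action": "Deny", "src": "0.0.0.0/0", "dst_port": 25},
]

# Constructed sample log lines (assumed format, not the real router log).
SAMPLE_LOG = """\
Jul 10 09:38:01 FORWARD TCP 203.0.113.10:51234 -> 192.168.1.20:25
Jul 10 09:38:05 FORWARD TCP 198.51.100.7:40000 -> 192.168.1.20:25
Jul 10 09:38:09 FORWARD TCP 203.0.113.10:51240 -> 192.168.1.20:25
Jul 10 09:38:12 FORWARD TCP 192.0.2.55:3389 -> 192.168.1.20:443
"""

LOG_RE = re.compile(r"FORWARD (\w+) (\S+):(\d+) -> (\S+):(\d+)")


def acl_verdict(src_ip, dst_port, rules=ACL_RULES):
    """First matching rule in priority order decides. If no rule covers the
    port at all, the ACL places no restriction on it (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["dst_port"] == dst_port and ip in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return "Allow"


def find_acl_bypasses(log_text, rules=ACL_RULES):
    """Return (src, dst, port) for forwarded flows the ACL should have denied.
    Any hit means forwarding was applied before the ACL was consulted."""
    bypasses = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a forwarded-connection record
        _proto, src, _sport, dst, dport = m.groups()
        if acl_verdict(src, int(dport), rules) == "Deny":
            bypasses.append((src, dst, int(dport)))
    return bypasses


if __name__ == "__main__":
    for flow in find_acl_bypasses(SAMPLE_LOG):
        print("forwarded despite Deny rule:", flow)
```

Feed the real log export and the router's actual ACL entries in; an empty result means the ACL is being honoured for those flows.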