WRVS4400N v2 IP based ACL not working

YamaNoSimon
Level 1

Not sure if crossposting here is a good thing, however this site also came up in my google search for the answer. It didn't yield the answer however so I thought I would make the topic here too (original cisco support thread: https://supportforums.cisco.com/message/3047838#3047838).

Dear all / cisco,

I've recently purchased a wrvs4400n v2 unit, with firmware version V2.0.0.8-ETSI installed. The router is working, however I am trying to use the IP based ACL feature without any luck. I'm trying to do the following:

Connect "server" (192.168.1.100) to WAN with all ports to external: "home" & "backup source"

Connect "server" with the remote desktop port (3389 / custom port) to WAN (ANY)

Disallow any traffic from WAN to LAN besides 'normal' internet traffic (http, dns)

I have tried various settings however I am unable to get the setup to work. Even the most basic setup I try fails. For example, I enable single forwarding of port 3389 external to "server" 3389. This port is opened on "server". When I then probe the port it can be accessed and used via external (which is not possible when not having that port forwarded). When I then add an IP based ACL rule (no other rules present besides the default rules) denying any traffic from WAN (priority1, deny, 3389 (or ANY), WAN, any source, any destination, any time and any day) I still am able to connect to the 3389 port and use remote desktop (aka both ways traffic works fine over port 3389)!

To check whether or not IP based ACL works to start with, I've tried to add 1 rule (priority1, deny, any, LAN/ANY, any, any, any time and day) which then makes me unable to contact any external IP/port via "server".

I've tried the settings mentioned in the last post in this thread for the setup to "backup source" however all traffic is always open to the full spectrum of the internet.

http://homecommunity.cisco.com/t5/Wireless-Routers/WRVS4400N-ACL-not-working/m-p/56132

For me it seems to be like the IP based ACL feature simply isn't working like it is supposed to. Please tell me how I can set up the ACL to do what I need it to / what I am doing wrong. If the feature is simply broken that would be quite a shame! If more information is required from my end feel free to ask me to provide it (I can upload screenshots etc. if needed).

Yours,

Simon van de Berg

2 Replies

Alejandro Gallego
Cisco Employee

Welcome to Cisco community!

I may not be following you completely but I believe I understand the main point. You need to create ACLs to lock down your network and only allow specific communication between your server and the WAN and also between the LAN and WAN. So I will try to explain the settings needed for your specified requirements.

Connect "server" (192.168.1.100) to WAN with all ports to external: "home" & "backup source"

No ACL needed as the default will allow this type of communication. Unless you mean you need to define 1 to 1 NAT. Map a public IP to a specific machine with a private IP.

Connect "server" with the remote desktop port (3389 / custom port) to WAN (ANY)

If I am reading this as written, you do not need to create an ACL because our WAN destination is ANY! If you only want your server to communicate via RDP to only specific IPs then an ACL will need to define those public IPs.

If you mean you want to connect to your server using RDP from the WAN then, no ACL is needed because our source (WAN) is ANY. All you need to define is a port forward. For example you can connect to your server from the WAN like this: <3700> with 3700 forwarded to server on port 3389. So port forward 3700 to server and translate it to 3389.

Disallow any traffic from WAN to LAN besides 'normal' internet traffic (http, dns)

This part can be very tricky unless all you need is just HTTP(S), DNS. If that is all you need then the ACL will be defined as such:

Allow HTTP (80) source WAN dest LAN Any Any --- but you must understand what this rule is really saying. This says ALLOW any traffic with an ORIGIN on the WAN into my LAN. When you read it this way, it sounds very scary because it is.

Are we heading in the right direction or have I missed your concern all together?

YamaNoSimon
Level 1

Yes and no :). Your post has made me think about quite a few things regarding the IP based ACL and how to implement the feature. That in turn made me re-examine my rules and my goals. At this point (I wish to add another ssh server open to WAN in order to WOL other machines) my setup would have to do the following:

-Allow any traffic from IP x and y to local "server" at 192.168.1.103

-Allow any traffic from WAN ip * at port Z to local "server" at 192.168.1.103 on port L

-Deny any traffic from WAN ip * (not IP x and y) to local "server" at 192.168.1.103

My second effort is of course, as you say, possibly insecure as that means always leaving port Z open to any WAN ip. In that case I am relying on the security measures taken by the software listening on that port.

Although I am still unsure what I changed, it seems to be working now as I expect(ed). Although as said I am still implementing a few features (only the first and third rule are implemented). Both x and y can now connect freely to server, the server can still freely browse the internet however a portscan (GRC Shields Up) reveals no open ports. See my set rules below in the attachment. The single port forwarding rule is currently not set, unlike shown in the attachment.

Now in order to forward port Z to port L as stated above, I assume I need to add an ACL rule allowing traffic from port Z (source WAN) into LAN from any IP to either server or any IP. Perhaps however I need to use port L in the ACL rule (depending on how the wrvs4400n looks at these ports/rules). Also, in order to avoid problems I assume I need to change the ranged forwarding to exclude port Z (and L?) (otherwise Z would be set to forward to both Z and L which would be weird).

Regardless however thank you very much for your assistance so far! Your post really did help me out (as I can but assume I was thinking in the wrong way before reading it). I've tried to reply as clear as possible both to do right to your post and to help anyone else with the same problem. If I failed to be clear enough please let me know and I'll try to clarify.

Yours,
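The following is an added illustration, not part of the thread and not WRVS4400N code: a small priority-ordered, first-match ACL evaluator in Python. It applies the three rules from the post above (allow x and y to the server, allow any WAN host to port Z, deny everything else to the server) and the "allow HTTP source WAN dest LAN any any" rule from the reply, and shows what an outside port scan of the server would see under each rule set, and why the order of the allow and deny rules matters. The addresses standing in for x and y, the port number for Z, and the behaviour when no rule matches are constructed assumptions; the simulator does not model NAT, so it deliberately leaves open the thread's question of whether the device matches on port Z or port L.

```python
"""First-match IP ACL simulator (added illustration, not router firmware code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

ANY = None  # wildcard for port, source or destination


@dataclass(frozen=True)
class Rule:
    priority: int                          # lower number is checked first
    action: str                            # "allow" or "deny"
    port: Optional[int]                    # destination port, ANY matches every port
    src: Optional[ipaddress.IPv4Network]   # WAN source, ANY matches every host
    dst: Optional[ipaddress.IPv4Network]   # LAN destination, ANY matches every host


def net(spec: str) -> Optional[ipaddress.IPv4Network]:
    """'any' is the wildcard; a bare host becomes a /32, CIDR is taken as given."""
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def rule(priority: int, action: str, port, src: str, dst: str) -> Rule:
    return Rule(priority, action, ANY if port == "any" else int(port), net(src), net(dst))


def matches(r: Rule, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    if r.port is not ANY and r.port != dst_port:
        return False
    if r.src is not ANY and ipaddress.ip_address(src_ip) not in r.src:
        return False
    if r.dst is not ANY and ipaddress.ip_address(dst_ip) not in r.dst:
        return False
    return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """(action, priority) of the first matching rule, else (default, None).

    The default is a parameter because the thread does not state what the
    router's built-in rules do for WAN-to-LAN traffic that matches nothing."""
    for r in sorted(rules, key=lambda r: r.priority):
        if matches(r, src_ip, dst_ip, dst_port):
            return r.action, r.priority
    return default, None


def reachable_ports(rules: List[Rule], src_ip: str, dst_ip: str,
                    ports: Iterable[int], default: str = "allow") -> Set[int]:
    """Ports src_ip can reach on dst_ip: what an external scan would report
    if this ACL were the only thing in the path (no NAT modelled)."""
    return {p for p in ports if evaluate(rules, src_ip, dst_ip, p, default)[0] == "allow"}


# Constructed stand-ins for the thread's placeholders x, y, Z and the server.
X, Y = "203.0.113.10", "198.51.100.20"   # the two trusted WAN hosts
SERVER = "192.168.1.103"
Z = 2222                                  # public port to be opened to any WAN host (assumed value)
STRANGER = "192.0.2.77"                   # an arbitrary, untrusted WAN host

# The three rules from the second post, as a priority-ordered ACL.
ACL = [
    rule(1, "allow", "any", X, SERVER),
    rule(2, "allow", "any", Y, SERVER),
    rule(3, "allow", Z, "any", SERVER),
    rule(4, "deny", "any", "any", SERVER),
]

# Same rules with the deny placed first: x and y never reach their allow rules.
MISORDERED = [
    rule(1, "deny", "any", "any", SERVER),
    rule(2, "allow", "any", X, SERVER),
    rule(3, "allow", "any", Y, SERVER),
    rule(4, "allow", Z, "any", SERVER),
]

# The reply's "Allow HTTP (80) source WAN dest LAN Any Any", followed by a deny.
HTTP_FROM_WAN = [
    rule(1, "allow", 80, "any", "any"),
    rule(2, "deny", "any", "any", "any"),
]


if __name__ == "__main__":
    print("x -> server:3389      ", evaluate(ACL, X, SERVER, 3389))
    print("stranger -> server:3389", evaluate(ACL, STRANGER, SERVER, 3389))
    print("stranger -> server:Z  ", evaluate(ACL, STRANGER, SERVER, Z))
    print("scan of server by stranger:", reachable_ports(ACL, STRANGER, SERVER, range(1, 65536)))
    print("misordered, x -> server:", evaluate(MISORDERED, X, SERVER, 3389))
    print("HTTP rule, stranger -> any LAN host:80:",
          evaluate(HTTP_FROM_WAN, STRANGER, "192.168.1.50", 80))
```

Two things the run makes visible that the prose only hints at: rule 4 in ACL denies traffic to the server only, so a WAN packet aimed at another LAN host falls through to the default and is not covered by this rule set; and the HTTP rule from the reply really does admit any WAN origin to port 80 on any LAN host, which is exactly the point the reply makes about reading a rule as "origin WAN into my LAN".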