RV220W - in routing mode changes external IP with router IP

Catalin Burla
Level 1

Good day.

I just installed one RV220W in my network, in routing mode (not NAT), using public IP 193.111.184.xxx on the WAN port and, on the LAN side, an IP from my company's public C class (212.100.143.0). It's working, but the main and huge problem is that the router is changing any IP coming from the internet to its own 212.100.143.xxx IP, which messes up everything (logs, counters, etc).

It was using 1.0.1.0 firmware, I switched to 1.0.0.26 but nothing changed.

Also I have a VPN - gate to gate with another location (RV042), and all computers from the other side of the tunnel report the same router IP 212.100.143.xxx when accessing servers from my side, which is also bad.

Previously I used an RV082 for this job and everything was great, except for the 100 Mb WAN/LAN ports of the RV082, which I will use until I get the RV220W working right.

Any idea is appreciated.

Thank you,

Catalin Burla


gctwnl001
Level 1

I have changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found out the same problem. This is serious for me, for one, it completely destroys SPAM blocking with DNS blacklists.

This is how it looked when using the linksys:

Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]

Apr  9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<no-reply005@job.com> to=<d091c4bd-0476-11d7-aba4-0003930ad8a4@rna.nl> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>

This is how it looks when using the RV220W:

Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]

And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses I to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.

How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long.

gctwnl001
Level 1

There is a second nasty effect of this. My machines on the LAN are protected by a firewall. This firewall has different rule sets for the LAN (192.168.x.x) and for the rest.

With the translation by the RV220W of all external IPs to an internal one, all external traffic has now become elevated to 'internal' status.

One other possible effect (apart from what a firewall thinks) is that if for instance your mail server only relays for the internal LAN, any host on the internet has now become 'the internal LAN' and in effect your RV220W has turned your mail server into an open relay on the internet. This is not what Cisco wants to promote, I think.
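Added example, not part of any post in this thread: a small log audit a mail admin could run to see how many SMTP sessions arrive with the router's LAN address instead of the real client address, which is the condition that defeats DNSBL checks and hands Internet hosts LAN trust. The two log lines are the ones quoted earlier in the thread; the trusted network 192.168.2.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Matches Postfix smtpd "connect from host[ipv4]" lines like the two quoted above.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+?)\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name an IPv4 DNSBL lookup queries: reversed octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def audit_connects(lines, trusted_nets, gateway_ip):
    """Classify every SMTP client address the mail server logged.

    trusted_nets: networks the server relays for (assumed to mirror mynetworks).
    gateway_ip:   LAN address of the router in front of the server (assumption).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    gateway = ipaddress.ip_address(gateway_ip)
    report = {"external": [], "trusted": [], "masked_by_gateway": []}
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        host, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if ip == gateway:
            # Real client address is lost: nothing for the DNSBL to check,
            # and the session inherits whatever trust the LAN range has.
            report["masked_by_gateway"].append(host)
        elif any(ip in n for n in nets):
            report["trusted"].append(str(ip))
        else:
            # Address is usable: record the name a DNSBL check would look up.
            report["external"].append(dnsbl_query_name(str(ip)))
    return report

# Log lines copied from the post above (Linksys first, RV220W second).
SAMPLE = [
    "Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from "
    "189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]",
    "Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from "
    "ciscorouter.rna.nl[192.168.2.254]",
]

if __name__ == "__main__":
    print(audit_connects(SAMPLE, ["192.168.2.0/24"], "192.168.2.254"))
```

A non-empty `masked_by_gateway` list on an Internet-facing mail server means the gateway address should be excluded from the relay-trusted networks until the router stops rewriting source addresses.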

gctwnl001
Level 1

I had a look at a lot of info, and it starts to look to me that the RV220W not only hides the LAN from the WAN, but also the other way around. So, an SMTP-client from the outside will be translated to the inside IP address of the router (e.g. 192.168.1.1) and a free port will be found for the mapping.

If you cannot turn this off, it seems to me a terrible error.

Catalin Burla
Level 1

Good day,

Yes, blacklist, spam, etc. are off using RV220W. You should see my mail server with more than 250.000 spam mails in queue :(

Another strange behaviour is if you have a static route added to the RV220W on the LAN side and you are using Microsoft ISA Server, as changing the IP will cause ISA to block traffic.

Sad but true, the Cisco RV220W is on a shelf waiting for better days and, hopefully, an answer and solution from Cisco.

Cheers

It seems to me that the RV220W is doing NAT both ways. It does not only hide the internal net from the outside, but it also does hide the external net from the inside.

For me, I cannot put it on a shelf. This is my only router which I bought for my migration to another IP. So, either this gets fixed real soon, or I have to return the item and buy an alternative.

gctwnl001
Level 1

I have returned the router and decided not to bother with Cisco Small Business Routers for the foreseeable future. Too bad. Hardware wise, this is a neat package. Software wise it is so immature that it is in need of some serious Cisco corporate attention, lest it (and others of this software base) significantly start to hurt Cisco's brand image.

Catalin Burla
Level 1

Still same situation, which is BAD, really really BAD.

If the issue persists, would you consider giving a call to the Support Center?

jda
Level 1

Same situation here: my mail server sees all the email as if it were coming from the RV220W. I had to disable most of the anti-spam because Exchange was rejecting email (Sender ID for example). The strange thing is that I have an RV120W deployed at another site and the problem is not present.

Is the problem known by Cisco? We have to upgrade most of our site VPN routers and I would love to deploy the RV220W, but with this bug it's impossible!

This is what the headers look like:

Received: from ABTS-North-Dynamic-168.4.68.182.airtelbroadband.in
(10.88.88.254) by dh-ms5.xxxx.com (10.88.88.25) with Microsoft SMTP Server
id 14.1.289.1; Wed, 4 May 2011 13:53:49 +0200
Received: from [168.181.51.213] (account snailingy9424@gmail.com HELO
xdxxctygzfghp.rbmlyilqymd.su) by
ABTS-North-Dynamic-168.4.68.182.airtelbroadband.in (CommuniGate Pro SMTP
5.2.3) with ESMTPA id 304829780 for ....

Hi

Got in touch with Cisco, gave them remote access to the router, also the config file and network topology (yesterday, 03.05).

Now waiting for something good to come out. Will inform you.

Best regards,

Catalin Burla

jda
Level 1

Great, the bug is so obvious I just can't imagine that they could miss it. Let's just hope they don't take too long to release a fix.

It might come from the ProtectLink Web or the VPN SSL (where the port forwarding is mentioned), because it's the only difference with the RV120W.

jda
Level 1

Can't they fix this? It's a very stupid bug; I can't understand how such a bug could make it onto a Cisco product. I'm having other kinds of problems related to WSUS and Active Directory/DNS because of that.

How can I report this further? I'm not familiar with the process.

Bad news is that "support" cannot reproduce the error in their lab, and their conclusion was that something is wrong with my network. Funny, no?

Yes, I am disappointed too. I am back on the old RV082.

To report you have 2 options: call support on the phone numbers listed for your country, or web.

Good luck,

Catalin

OK, I have reached the support; they will try to reproduce the problem.

Meanwhile on my side I'll try to set up an easily reproducible scenario for them.

But I can confirm that the bug is general, I mean it also happens in a site-to-site IPsec tunnel: all the computers that go through the VPN and end up in the LAN part after the RV220 seem to be coming from the RV220 IP itself.

It renders RPC connections completely unstable and broke the Active Directory replication and the DFS-R on my remote site.

I'm back on the RV082 too, I'll keep you informed.
