Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RV042 One to One NAT Failing

Just purchased a RV042 for our office. We have an IP block of addresses, and 3 webservers. Configured the primary interface with 1st usable IP in the block, then set up one-to-one NAT for the next 3 public IP's directed to 3 private LAN IP's of servers using the range option. Then, seeing that the firewall allows all traffic to the NAT'd LAN IP's by default, I set ACL's 1st to allow http traffic from any to any, as well as a blanket deny for all other services. Worked for about 15 minutes, then couldn't hit servers from external source. I also noticed that even though I had "disabled" remote GUI, it was still possible to bring up login prompt. Figured that was a result of allowing http any in the ACL, so edited that ACL to allow http from any to only the 3 private IP's / webservers using internal LAN IP's. Again, worked for about 15 minutes and then stopped. Disabled "Block WAN Requests" and built an ACL to allow ping through, restarted router, began ping -t against one server. Worked again for about 15 minutes and died. Stock firmware matches latest firmware from Cisco site (1.3.12.19-tm), although I havn't tried reflashing. Anyone have any thoughts?  Is One-to-One NAT broken on these units?

Everyone's tags (2)
1 REPLY
Cisco Employee

Re: RV042 One to One NAT Failing

When applying One-to-One NAT it is best not apply any ACLs for specific ports. When the ACL or port forward rules are applied to a NAT'ed address we tend see the behavior you have.

What I would do is this; since you are running web is place the web servers in the DMZ and apply your public IPs to each server's Private IP, or if needed just add the range to the DMZ. That would depend on what you need to have available on the web.

Once they are in the DMZ then you can go ahead and create ACLs to only allow certain services available on the web; like port 80. Since this is a brand new deployment I would go ahead and default the router, apply FW again and start fresh. Sometimes code likes to hang out and cause grief. Let us know if you still run into issues.

1685
Views
0
Helpful
1
Replies