
RV042 portforwarding overrule firewall rule?

jesperkpedersen
Level 1

We have a setup where our e-mail server is hosted in-house.

Our network is connected through a RV042 gateway.

Port 25 is forwarded to our internal e-mail server.

Our SMTP service should be limited to receiving incoming connections only from 4 specific IP ranges, which I set up in the firewall rules.

The reason is that all SMTP is managed and protected by an external anti-spam/virus provider.

However it looks like any computer is able to connect to our port 25 and be forwarded to our e-mail server.

Does port forwarding overrule firewall rules - i.e. you cannot limit access with the firewall if you decide to port forward?

Is this a "fixable" situation - or is the RV042 not built for handling this setup?


jesperkpedersen
Level 1

After a bit of trial and error, the solution was to specifically add a deny rule.

The default rule of

Deny     All Traffic [1]     WAN1     Any     Any     Always

was not enough to drop traffic - we had to add a rule that specifically dropped traffic that was not accepted.

Te-Kai Liu
Level 7

The above link did not really help.

The default rules seem not to be honored when adding port forwarding.

We have four IP ranges (from our SMTP anti-spam/anti-virus provider) that should be allowed to access our SMTP server.

What I did (that did not work) was:

1. Added port forwarding on WAN1 port 25 to LAN SMTP server port 25

2. Added 4 rules to allow the 4 IP ranges to connect

3. Tested from the 4 IP ranges if connection was accepted and mail delivery was possible - checked OK

4. Tested from outside the 4 IP ranges if connection was accepted and mail delivery was possible... IT WAS POSSIBLE TO CONNECT

The fix was to add a rule after the 4 SMTP accept rules to deny all access to port 25.

What this indicates to me is that the default deny rule that denies all traffic on WAN1 was not honored on port forwarding.

Once a port forwarding rule is added, all IP addresses on the WAN side are allowed to access the specified internal address. That's why a Deny rule is needed to undo the above. This has been the way the product behaves from day one.

Allow     SMTP       WAN1     [specific IP]     [private address]

Deny     SMTP       WAN1     Any                 [private address]

When looking at the rules, there is a default "deny all" rule, which is why having to add an extra deny rule was counterintuitive. But now that we know it, I should hopefully be able to get it right on the next firewall rules we need to add.
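
The behaviour discussed in this thread, modelled as an added Python example (not code from any poster or from the vendor): it evaluates a WAN connection against a rule list and flags forwarded ports that have no explicit Deny/Any rule. The `Rule` structure, the first-match evaluation order and the sample ranges (RFC 5737 documentation addresses standing in for the provider's four ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "Allow" or "Deny"
    port: int     # destination port of the service (25 = SMTP)
    source: str   # CIDR range, or "Any"

def source_matches(rule_source, src_ip):
    if rule_source == "Any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)

def wan_decision(rules, forwarded_ports, src_ip, port):
    """Assumed model: the first matching user rule wins. With no match, a
    forwarded port is open to every WAN source (as described in the thread);
    any other port falls through to the default deny."""
    for rule in rules:
        if rule.port == port and source_matches(rule.source, src_ip):
            return rule.action
    return "Allow" if port in forwarded_ports else "Deny"

def unrestricted_forwards(rules, forwarded_ports):
    """Forwarded ports that lack an explicit Deny/Any rule."""
    return sorted(
        p for p in forwarded_ports
        if not any(r.action == "Deny" and r.port == p and r.source == "Any"
                   for r in rules))

# Constructed sample data: RFC 5737 documentation ranges stand in for the
# four provider ranges; port 25 is forwarded to the internal mail server.
PROVIDER_RANGES = ["192.0.2.0/25", "192.0.2.128/25",
                   "198.51.100.0/24", "203.0.113.0/25"]
FORWARDED = {25}
ALLOW_ONLY = [Rule("Allow", 25, r) for r in PROVIDER_RANGES]
WITH_DENY = ALLOW_ONLY + [Rule("Deny", 25, "Any")]
OUTSIDE_IP = "203.0.113.200"   # not inside any provider range

if __name__ == "__main__":
    for name, rules in (("allow rules only", ALLOW_ONLY),
                        ("allow rules + explicit deny", WITH_DENY)):
        print(name)
        print("  outside source ->", wan_decision(rules, FORWARDED, OUTSIDE_IP, 25))
        print("  provider source ->", wan_decision(rules, FORWARDED, "198.51.100.7", 25))
        print("  forwards missing a deny:", unrestricted_forwards(rules, FORWARDED))
```

Running the same audit over every forwarded port after each rule change catches a forward that was added without its matching deny rule.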
