RV082 port forwarding and access rules

edisoninfo
Level 1

I have found numerous posts discussing this but have yet to find a solution. I have an RV082 with firmware 2.0.0. 2.0.0.19-tm and I need a way to limit the incoming SMTP traffic to just the spam filtering company.

I have a port forwarding rule to forward WAN1 port 25 traffic to 192.168.1.10

I tried to add an access rule to deny all port 25 and then added one to allow WAN1 port 25 source <spam company> destination 192.168.1.10

The RV082 log screen shows the traffic allowed but it does not work. If I uncheck the 'enable' box on the DENY port 25 rule email is still blocked. Only when I uncheck the 'enable' box on the ALLOW rule does email start flowing again. 

10 Replies

josejack
Cisco Employee

Hello Gary,

From the sounds of it, I think your access rules may be out of order. On the firewall, I would try to configure the following in this order:

1. A rule allowing port 25 from to 192.168.1.10

2. A rule denying source port 25 destination

Additionally, I would recommend upgrading the firmware to the latest version of 2.0.2.01.

Give this a try. If you have any further issues, let me know.

I tried the update to 2.0.2.0.1 but that did not help. Nothing in the read.me file indicated it would, but I tried it anyway. I do have the rules in the correct order. I have done this many times with the higher-end Cisco routers and it works fine. The RV082s apparently have a problem. I reset the access rules back to the defaults and only added one "Allow" rule for port 25 from my office IP address. That is it. Since it is an "Allow" rule, I would have expected it to not have any effect on anything, since it is not denying anything. Wrong. I cannot telnet to port 25 anymore. I then changed the rule to "Allow" everything from my IP address, not just port 25. That locked me out of the router totally. I had to log in via a different IP address and delete that rule. It seems any access rule at all makes this thing choke.

And yes, I have several clients with these RV082 routers, so I tried the same experiment on each one and they all act the same way. The access rules feature just plain does not work on these.

Hello Gary,

Thank you for your response. Could you refer to the following post: https://supportforums.cisco.com/message/3453760#3453760

Is this how you have your port forwarding and access rule setup?

Yes, I found that post in my searches. As I mentioned though, I don't even have to add the deny rule; just the allow rule kills the connection.

Hello Gary,

Are you able to call the Cisco Support Center to open a Service Request? Is it possible to email me a screenshot of the RV082's access rule and port forwarding rule?

Hello Gary,

The rules appear to be correct, and you are saying that when you enable the SMTP rules, you are locked out of the router, correct? I will try to test this myself today and get back with you when I am able to get some results.

Correct. It is not there now but as a test I added a rule to my office IP and then tried to telnet to port 25. Even without the 'Deny' rule, I could no longer connect to the mail server.

When I telnet to port 25, I get:

Trying 111.222.333.444.   ...

Connected to mail.domain.com.

Escape character is '^]'.

Connection closed by foreign host.

The "closed" line appears after oh 10 seconds or so.

If I uncheck that rule, I connect immediately

Has there been any update on this issue? Please advise.

Gary,

Is there any way you can provide a screenshot of the router's ACL rules, or call in to the 1866-606-1866 support number so we can take a look through a WebEx?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Hello Gary,

What you are experiencing is not the expected behavior of the router. Try the following:

Obtain a fresh copy of the firmware for the router by downloading it from the Cisco.com site.

In the Access Rules do the following:

Action: allow

Service: Port 25

Log: log packets match this rule

Source interface: ANY Source IP:

Destination IP:

*** This should allow your traffic into the router from the single IP address that you want to allow or the range

Then, create another rule.

Action: Deny

Service: Port 25

Log: log packets match this rule

Source: Any

Destination:

*** This should block other IP addresses from entering the router using port 25 to get to your private IP address.

I just configured this in the lab again, but instead of port 25, I used RDP 3389, so I was able to RDP only from the specified IP addresses. Could you try using a different service such as RDP, just to eliminate a service-related issue, and try to configure the rule exactly as mentioned above. Once you have done this, please email me a screenshot to compare it to what I have in the lab.

Hope this helps.
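The replies above hinge on rule order: a first-match firewall has to see the narrow allow for the spam filter before the catch-all deny on port 25, or the deny shadows it. The following evaluator is an added illustration of that first-match logic, not code from Cisco or the RV082; the spam-filter and outside addresses are constructed documentation-range values (only the LAN mail server 192.168.1.10 comes from the thread), and the default that forwarded traffic passes unless an access rule denies it is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

def _covers(prefix: str, other: str) -> bool:
    """True if every address in `other` is also in `prefix` ("any" covers all)."""
    if prefix == "any":
        return True
    if other == "any":
        return False
    return ip_network(prefix, strict=False).supernet_of(ip_network(other, strict=False))

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    dst_port: Optional[int]   # None matches any service
    src: str                  # CIDR prefix or "any"
    dst: str                  # CIDR prefix or "any"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.dst_port is None or self.dst_port == dst_port)
                and _covers(self.src, f"{src_ip}/32")
                and _covers(self.dst, f"{dst_ip}/32"))

    def shadows(self, later: "Rule") -> bool:
        """True if this rule matches everything `later` would, so `later` never fires."""
        return ((self.dst_port is None or self.dst_port == later.dst_port)
                and _covers(self.src, later.src) and _covers(self.dst, later.dst))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int,
             default: str = "allow") -> Tuple[str, Optional[Rule]]:
    """First-match evaluation. `default` applies when no rule matches; we assume
    forwarded traffic passes unless an access rule denies it (an assumption)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action, rule
    return default, None

def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules an earlier rule makes unreachable: the usual sign of a wrong order."""
    return [r for i, r in enumerate(rules) if any(e.shadows(r) for e in rules[:i])]

# Constructed sample addresses (documentation ranges); only 192.168.1.10 is from the thread.
SPAM_FILTER, MAIL_SERVER, STRANGER = "203.0.113.10", "192.168.1.10", "198.51.100.7"
ALLOW_FILTER = Rule("allow", 25, f"{SPAM_FILTER}/32", f"{MAIL_SERVER}/32")
DENY_ALL_25 = Rule("deny", 25, "any", f"{MAIL_SERVER}/32")
RECOMMENDED = [ALLOW_FILTER, DENY_ALL_25]   # specific allow above the catch-all deny
REVERSED = [DENY_ALL_25, ALLOW_FILTER]      # the deny shadows the allow below it
```

With RECOMMENDED the filter's relay reaches port 25 and everyone else is denied; with REVERSED the allow is reported as shadowed and the filter is denied too, which matches the symptom of mail stopping once the deny rule is enabled.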