We have 5 static IPs and need to create rules that allow outside WAN traffic (from specific IPs or all IPs, depending on the LAN device) to connect directly to devices on our LAN. One static IP connects to our security DVR (allow all traffic) and another would point to our business application server, and this one is limited to a single IP. We have all of these currently set up with our Netgear ProSafe, but I have not found where this is available in the RV325. Any help would be appreciated. Mark
Hope you are doing well today. On the RV325, the feature you are looking for is one-to-one NAT. According to the admin guide:
"One-to-one NAT creates a relationship that maps a valid WAN IP address to LAN IP addresses that are hidden from the WAN (Internet) by NAT. This protects the LAN devices from discovery and attack. For best results, reserve IP addresses for the internal resources that you want to reach through one-to-one NAT. You can map a single LAN IP address or a range of IP addresses to an external range of WAN IP addresses of equal length (for example, three internal addresses and three external addresses). The first internal address is mapped to the first external address, the second internal IP address is mapped to the second external address, and so on."
Yes, you could restrict who accesses your internal devices by using the ACLs in the firewall configuration. I would have to set it up in the lab, but I think that NAT translation occurs before ACL evaluation. So your ACL may have to be configured to PERMIT the remote public IP address to the local LAN private IP address. I can test it in the lab and let you know the results. Thanks Mark.
OK, in my lab, here is what I configured and the results. I have a PC with a private address of 192.168.1.100. I have a WAN address xx.xx.xx.70 on the RV325. I configured, under one-to-one NAT, WAN xx.xx.xx.71 to 192.168.1.100. Then under Firewall > Access Control, I created a rule with priority 1, source interface WAN1, PERMIT SOURCE remote public IP address of the device I wanted to be able to download a file via TFTP, 68.xx.xx.xx, TO the DESTINATION private address of the PC running as a TFTP server, 192.168.1.100. Then, I created a rule with priority 2, source interface WAN1, DENY ANY SOURCE address to DESTINATION address 192.168.1.100.
I was then able to CONNECT to the xx.xx.xx.71 address from the 68.xx.xx.xx remote PC and download from the 192.168.1.100 internal TFTP server. I then tried to download the same file from a remote address 97.xx.xx.xx to the xx.xx.xx.71 address, but the download failed. I flipped back to the 68.xx.xx.xx address and was able to download again. Flipped back to the 97.xx.xx.xx address and the download failed.
So in the lab, this configuration limited access to an internal TFTP server that had one-to-one NAT configured, along with the ACLs I have described, to allow only the ALLOWED public address to connect. Hope this helps. If you do have further issues after you attempt this config, please call the SMB support team at 1-866-606-1866 and we will assist if the configuration is not working as described. Thanks Mark and have a great day.
Can you think of any rules that need to be added to allow our 2nd office, which connects by VPN gateway with another RV325? When this rule is enabled:
source interface WAN1, DENY ANY SOURCE address to DESTINATION address 192.168.1.100.
we can scan and see both LANs, but we are not able to run our applications that connect to the 1.100 address above, as well as VNC. Rule turned off: works great; rule enabled: no-go.
With the rule enabled we were not able to connect with (2) separate EZ VPN clients used by remote users. I added an Allow from WAN -> IP of client rule and it worked with Deny Any Source enabled. Any suggestions please?
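The lab post and this VPN follow-up both come down to the same two facts: one-to-one NAT rewrites the public destination before the ACL is consulted (as the reply supposes), and the ACL is first-match in priority order, so a broad DENY ANY catches every source that has no explicit PERMIT ahead of it, VPN peers included. The model below is an added illustration, not Cisco firmware code or anything from the RV325 admin guide; it assumes NAT-before-ACL ordering, first-match evaluation, a default of permit when no rule matches (the thread only shows that traffic flows with the deny rule switched off), and that tunnelled traffic is evaluated against the WAN1 rules (consistent with the deny rule blocking it). All addresses are constructed RFC 5737 documentation values standing in for the thread's redacted ones, and the branch-office host 192.168.2.50 is assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed RFC 5737 addresses standing in for the thread's redacted ones:
# xx.xx.xx.71 (mapped WAN address), 68.xx.xx.xx (allowed remote PC),
# 97.xx.xx.xx (any other remote PC).
WAN_PUBLIC = "203.0.113.71"
ALLOWED_REMOTE = "198.51.100.5"
OTHER_REMOTE = "192.0.2.9"
TFTP_SERVER = "192.168.1.100"
BRANCH_HOST = "192.168.2.50"   # assumed host on the second office's LAN, reached over the VPN

# One-to-one NAT table: public WAN address -> LAN address hidden behind it
ONE_TO_ONE_NAT = {WAN_PUBLIC: TFTP_SERVER}


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    action: str        # "permit" or "deny"
    src_if: str        # interface the packet arrives on, e.g. "WAN1"
    src: str           # source CIDR, or "any"
    dst: str           # destination CIDR, or "any"


def _in(net: str, addr: str) -> bool:
    """True if addr falls inside net; 'any' matches everything."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def translate_inbound(dst: str) -> str:
    """One-to-one NAT on an inbound packet: rewrite a mapped public destination
    to its LAN address; unmapped destinations pass through unchanged."""
    return ONE_TO_ONE_NAT.get(dst, dst)


def evaluate(rules: List[Rule], src_if: str, src: str, dst: str,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """First-match evaluation in priority order on already-translated addresses.
    Returns (action, priority of the matching rule), or (default, None) when no
    rule matches. The default is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src_if == src_if and _in(rule.src, src) and _in(rule.dst, dst):
            return rule.action, rule.priority
    return default, None


def inbound_decision(rules: List[Rule], src_if: str, src: str,
                     dst_public: str) -> Tuple[str, Optional[int]]:
    """Assumed pipeline: NAT first, so the ACL sees the LAN address, not the WAN one."""
    return evaluate(rules, src_if, src, translate_inbound(dst_public))


# The two rules from the lab post: permit the one allowed remote, then deny everyone else.
LAB_RULES = [
    Rule(1, "permit", "WAN1", f"{ALLOWED_REMOTE}/32", f"{TFTP_SERVER}/32"),
    Rule(2, "deny",   "WAN1", "any",                  f"{TFTP_SERVER}/32"),
]

# The follow-up fix: an explicit permit for the VPN peer's network placed ahead of the deny.
VPN_RULES = [
    Rule(1, "permit", "WAN1", "192.168.2.0/24",       f"{TFTP_SERVER}/32"),
    Rule(2, "permit", "WAN1", f"{ALLOWED_REMOTE}/32", f"{TFTP_SERVER}/32"),
    Rule(3, "deny",   "WAN1", "any",                  f"{TFTP_SERVER}/32"),
]


if __name__ == "__main__":
    print("allowed remote, lab rules  ->", inbound_decision(LAB_RULES, "WAN1", ALLOWED_REMOTE, WAN_PUBLIC))
    print("other remote, lab rules    ->", inbound_decision(LAB_RULES, "WAN1", OTHER_REMOTE, WAN_PUBLIC))
    print("VPN host, lab rules        ->", evaluate(LAB_RULES, "WAN1", BRANCH_HOST, TFTP_SERVER))
    print("VPN host, with VPN permit  ->", evaluate(VPN_RULES, "WAN1", BRANCH_HOST, TFTP_SERVER))
```

Because the deny rule is written against the translated LAN address, it catches the branch-office host and the EZ VPN clients just as it catches the second remote PC; the only thing that distinguishes wanted from unwanted sources is an explicit permit with a lower priority number, which is exactly the "Allow from WAN -> IP of client" rule that worked.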
Our RV325 is connected to a Comcast-supplied Netgear CG3000 DCR Gateway Modem. This was required by Comcast so they could load the block file for our (5) static IPs. Can our RV325 be configured to use our static IPs if we switch to a passthrough modem (Arris SB6141)? The reason I want to change is that the Netgear supplied by Comcast has been reported to cause voice quality issues, and we definitely have them. If the RV325 will not work for the above, please suggest another Cisco that will; it would need to connect our VPN as we now have with another RV325.
Sorry, missed the first question. As long as the provider routes the public address to your router's WAN (I think that is what they mean by "valid WAN IP address"), the router would be able to address those packets with the one-to-one configuration and forward them to the appropriate LAN IP address, as configured. I am starting to set this up in the lab and will update. Thanks Mark.