I have read through the manual. My question is: what is the proper format to input into the ACL rule "Range"? Would, as an example, this work:
192.168.0.1 - 126.96.36.199? Will the range effectively work? Or does it have to be 192.168.0.0 - 188.8.131.52? I am not a guru and couldn't find the answer readily elsewhere. Any feedback would be appreciated.
It really depends on the other (ACL) settings as well, not just the subnet range. First, will this ACL be blocking inside to outside? By default all outside-to-inside connections are blocked. So now, based on your local subnet and other information: can you be more specific on what you are trying to accomplish?
Basically I'm adding my own firewall rules to block a range of IP addresses from different domains that have been spamming our mail server for ages. In the web interface ACL list, I fill out one custom rule per domain. I fill out: Block, from WAN, Range (which my question was about), then All LAN addresses, and the rule is in effect always (7 days, 24 hours a day). Actually I found out this morning that there is also a limit on the number of custom rules. It just happens to be 50, which was not spec'ed out in the manual. I know the router just went end-of-life and will probably be looking for a new one soon. We are just a small company and I take care of the web, mail, and database servers in addition to the regular desktops, so throughput never seems to be an issue. Also thanks for the response. Dave
So you're hosting your own Exchange server or e-mail behind the RVS4000? ACLs are generally a risky thing when trying to block spammers. Normally spammers use a spoofed public IP address (relayed). I've seen where it looked like the e-mail was sent from the same domain as the user receiving it. Again, you really need a device or service that is strictly set for monitoring spam for your e-mail servers. I work with the Cisco Spam and Virus Blocker so I do know a lot about e-mail.
You can set up ACLs but be prepared to consistently change or alter them every 24 hours. I had this one customer getting 90,000 a day. I set up ACLs temporarily until we could find out why he was getting through our Spam and Virus Blocker; in less than 16 hours this guy was already sending back to my guy's domain, I was amazed. Basically my customer had opened his blocker up to accept/relay e-mails for all domains.
Since on your inbound ACLs you have a deny all, but you're hosting an e-mail server, you'll need to write ACLs based on port 25 sources and destinations. Source will be the domain/public IP address you're trying to block and destination will be your e-mail server. Once you make your deny statements you'll need to make an allow-all statement for the rest of your e-mail traffic on port 25.
I understand what you are saying. But my question still is: what is a legitimate range that would be filled in in the range boxes? The logging in this router is terrible and I will not know if I put in a range that the firewall doesn't understand, basically making the rule useless. Also I block all ports because the few domains that I am working with do not always spam the mail server; I also get web server attacks from the same domains. I'm sure it's the work of a botnet and I probably won't stave them off for long, but the domains the IP addresses are from are unbelievably static and resolvable. I do run spam software on the mail server (Linux) and that catches almost 90-some percent of the spam. Again thanks for the response. Dave
You wrote "I understand what you are saying. But my question still is what is a legitimate range that would be filled in in the range boxes?" I'm guessing you're still talking about your private range (you would want to include the whole range of addresses that are located on your subnet). So if the RVS4000 range is 192.168.1.x-192.168.1.255 for the destination, you just need to include the ranges that the RVS4000 has. You can have up to 4 VLANs with 254 hosts; that is 4 class C subnets.
Ex: VLAN 1 → 192.168.0.0-192.168.1.255
VLAN 2 → 192.168.1.0-192.168.2.255
VLAN 3 → 192.168.2.0-192.168.3.255
VLAN 4 → 192.168.3.0-192.168.4.255
Now you could include this range by specifying a subnet mask of 255.255.252.0, which will include all four ranges with this mask.
First of all I appreciate your patience. I am talking about blocking internet IP addresses, not my LAN IP addresses. I'll try this as an example. Say Google had a range of public IP addresses: 184.108.40.206 - 220.127.116.11. And I want to block them from any access to my router inbound. Now back to my question: can I fill in those exact IP addresses in the range boxes and have them be blocked properly? Will the range extend beyond the first 254 IPs and be covered? Or is the range, as far as the router firewall rules go, 18.104.22.168-22.214.171.124, then the next rule would be 126.96.36.199-188.8.131.52, and so on and so forth? Is there an easier way using the subnet? I'll have to bone up on my networking, but I'm trying to find out what the "router" expects.
From the manual:
Source - The source IP address, which can be one specific IP address, ANY (all IP addresses), a range of IP addresses, or a specific IP subnet.
Since you're a member, look under my profile and send me an e-mail with a screenshot of your rules. Also send me the public IP address you're trying to block. I'll show you, based on your screenshot and other information, how this should be configured.
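The two forms the manual lists, a first-last range and a subnet, are arithmetic on the same 32-bit number, so the question of whether a range "extends beyond the first 254 IPs" and the earlier post's 255.255.252.0 mask can both be checked offline. The following is an added example written for this thread, not code from the original posts or from Cisco; it assumes (as the posters do, since the manual does not say) that the router's Range field means an inclusive first..last comparison. It uses Python's standard `ipaddress` module to test membership, count the addresses a range covers, and collapse a range into the CIDR blocks that cover it exactly, which tells you when a single subnet+mask can replace a range and when it cannot. The 192.168.x.x and 10.x.x.x values are constructed private-address samples chosen only to show the arithmetic.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List, Optional, Tuple


def _bounds(first: str, last: str) -> Tuple[IPv4Address, IPv4Address]:
    """Parse and sanity-check an inclusive first..last pair."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range end {last} precedes range start {first}")
    return lo, hi


def in_range(addr: str, first: str, last: str) -> bool:
    """True if addr lies inside the inclusive first..last range.

    An IPv4 address is one 32-bit integer, so a range is a plain integer
    comparison: 192.168.1.255 is immediately followed by 192.168.2.0 and
    the range does not stop at the end of a /24 (assumed to match how the
    router's Range field behaves).
    """
    lo, hi = _bounds(first, last)
    return lo <= IPv4Address(addr) <= hi


def range_size(first: str, last: str) -> int:
    """Number of addresses covered by an inclusive first..last range."""
    lo, hi = _bounds(first, last)
    return int(hi) - int(lo) + 1


def range_to_subnets(first: str, last: str) -> List[IPv4Network]:
    """Minimal list of CIDR blocks that exactly covers first..last.

    A range that starts and ends on a power-of-two boundary collapses to a
    single block; an arbitrary range needs several, and each would be a
    separate subnet-form rule on a device that only offers address+mask.
    """
    lo, hi = _bounds(first, last)
    return list(summarize_address_range(lo, hi))


def range_as_mask(first: str, last: str) -> Optional[Tuple[str, str]]:
    """(network, dotted mask) if the range is exactly one subnet, else None."""
    nets = range_to_subnets(first, last)
    if len(nets) != 1:
        return None
    return str(nets[0].network_address), str(nets[0].netmask)


if __name__ == "__main__":
    # Constructed samples: one range that is a clean /22, one that is not.
    samples = [("192.168.0.0", "192.168.3.255"), ("192.168.0.1", "192.168.5.40")]
    for first, last in samples:
        print(f"{first} - {last}: {range_size(first, last)} addresses")
        for net in range_to_subnets(first, last):
            print(f"    {net}  mask {net.netmask}")
        print(f"    single subnet form: {range_as_mask(first, last)}")
    # A range crossing a third-octet boundary still contains the .255 host.
    print(in_range("192.168.1.255", "192.168.1.0", "192.168.2.0"))
```

The useful output for the thread's question is the second sample: a range that does not line up on a power-of-two boundary is one rule in range form but ten separate blocks in subnet form, so on a device capped at 50 custom rules the range form is the cheaper way to express an arbitrary span. When the range does line up, `range_as_mask` returns the address and mask you would put in the subnet fields instead.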