Cisco Support Community

New Member

RVS4000 IP Based ACL and NAT

Hi,

I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.

I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.

I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.

However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.

Is this the correct behaviour?

Firmware version is v1.2.11

Regards,

Adam

12 REPLIES

Re: RVS4000 IP Based ACL and NAT

In your scenario, please ensure the Allow rule has Priority 1 and the Deny rule has Priority 2, so the Allow rule gets the higher priority when RVS4000 inspects the incoming packets.

New Member

Re: RVS4000 IP Based ACL and NAT

Hi,

Thank you for replying. However I have already tried as you have suggested and it is still not working.

My Single Port Forwarding looks like this:

Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes

My rules in IP Based ACL look like this (columns from left to right):

1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day
2 YES Deny SMTP WAN ANY ANY Any Time Every Day

My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.
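As an added illustration (not part of the thread and not Cisco's implementation), the model below evaluates the two ACL rules above in priority order against constructed WAN packets, then shows what happens if the forwarding entry is applied before the ACL is ever consulted, which is the behaviour the poster describes. The addresses, the first-match semantics and the default deny for unmatched WAN traffic are assumptions chosen to mirror the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AclRule:
    priority: int   # lower number is inspected first (assumed RVS4000 semantics)
    action: str     # "Allow" or "Deny"
    proto: str
    dport: int
    src: str        # host/CIDR or "ANY"
    dst: str        # host/CIDR or "ANY"

def _in(field, addr):
    return field == "ANY" or ip_address(addr) in ip_network(field)

def acl_decision(rules, pkt):
    # First match in priority order wins; unmatched WAN traffic is denied (assumption).
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.proto, rule.dport) == (pkt["proto"], pkt["dport"]) \
                and _in(rule.src, pkt["src"]) and _in(rule.dst, pkt["dst"]):
            return rule.action
    return "Deny"

def forward(rules, forwards, pkt, acl_before_nat=True):
    """Return the internal host the packet reaches, or None if it is dropped.
    acl_before_nat=True is the behaviour the thread expects; False models a
    forwarding entry that is honoured without the ACL being consulted at all."""
    internal = forwards.get((pkt["proto"], pkt["dport"]))
    if internal is None:
        return None
    if not acl_before_nat:
        return internal
    translated = dict(pkt, dst=internal)   # the ACL's dst column names the inside host
    return internal if acl_decision(rules, translated) == "Allow" else None

# Constructed stand-ins for the masked addresses in the post.
TRUSTED, OTHER, MAILHOST = "203.0.113.10", "198.51.100.7", "192.168.1.25"
FORWARDS = {("TCP", 25): MAILHOST}            # Single Port Forwarding entry: SMTP
RULES = [AclRule(1, "Allow", "TCP", 25, TRUSTED, MAILHOST),
         AclRule(2, "Deny", "TCP", 25, "ANY", "ANY")]

def smtp_from(src):
    # Constructed inbound SMTP packet arriving on the router's WAN address.
    return {"proto": "TCP", "dport": 25, "src": src, "dst": "192.0.2.1"}

if __name__ == "__main__":
    for src in (TRUSTED, OTHER):
        print(src, "ACL first ->", forward(RULES, FORWARDS, smtp_from(src)),
              "| NAT first ->", forward(RULES, FORWARDS, smtp_from(src), acl_before_nat=False))
```

Swapping the two priorities (Deny at 1, Allow at 2) drops the trusted host as well, which is the ordering point raised in the first reply; with the NAT-first path every source reaches the mail host regardless of the rules.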

New Member

Re: RVS4000 IP Based ACL and NAT

Good Afternoon,

The RVS4000 router allows port forwarding to take precedence over ACLs.

The router by design will forward the traffic through it before it looks at any ACLs.

I hope this gives you the answer you are looking for.

New Member

Re: RVS4000 IP Based ACL and NAT

Hi,

Thank you - that answers my question.

I will be returning the router to point of purchase as with this limitation it doesn't meet my requirements.

Regards,

Adam

Re: RVS4000 IP Based ACL and NAT

Please consider making a call to Cisco Tech Support as I do not believe your scenario cannot be supported by RVS4000.

New Member

Re: RVS4000 IP Based ACL and NAT

I have the same problem with the latest firmware V1.3.2.0. I also do not believe that IP ACL in conjunction with port forwarding does not work.

Please, tell me the final resolution.

Thank You

New Member

RVS4000 IP Based ACL and NAT

I just upgraded to 1.3.3.5 and this is still an issue. Why would you bypass the ACLs because of port forwarding? That is the stupidest thing I ever heard of. This is why I ALWAYS recommend Sonicwall and Fortigate. Coming from Cisco, a LEADER in networking and security, I expected better!

Re: RVS4000 IP Based ACL and NAT

The RVS4000 router allows port forwarding to take precedence over ACLs.

The router by design will forward the traffic through it before it looks at any ACLs.

I hope this gives you the answer you are looking for.

The above is an incorrect statement. ACL rules WILL be applied on top of the forwarding rules.

If the router does not behave correctly, please consider contacting SBSC to get the support.

New Member

RVS4000 IP Based ACL and NAT

Great! So please explain why I have ACLs to deny the whole of APNIC and I still see it in my log files as being forwarded on?

Re: RVS4000 IP Based ACL and NAT

Could you post your ACL config page and port forwarding page?

New Member

RVS4000 IP Based ACL and NAT

New Member

RVS4000 IP Based ACL and NAT

Unless I am reading this incorrectly, here is the log clearly showing IPs in the deny ranges being forwarded.
