SRP547W Cannot Create Advanced Firewall Rules

jketteridge (Level 1)

Hi Everyone, in advance, thank you for your assistance.


I have a SRP547W that I have configured the following way:

LAN 192.168.15.1/24 VLAN1

LAN 10.10.10.1/24 VLAN10

LAN 10.10.2.1/24 VLAN100

PPPOE ADSL

Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK

I now want to use the Advanced Firewall features to block all ports except those that I need as the software DMZ forwards everything.


When I try to create the rules I get "the values are invalid" message no matter what I try.

I want to create explicit allow rules, followed by a deny all rule for each of the IP addresses used for the software DMZ

I thought I should make them like this? Can you please confirm? Have I got the subnet mask correct for the destination IP? Or should it be 255.255.255.0? It doesn't make a difference either way.

Policy Details (Name: Value)

Source IP Address: 0.0.0.0
Source Subnet Mask: 0.0.0.0
Destination IP Address: 10.10.10.x
Destination Subnet Mask: 255.255.255.254
Protocol: Any
Source Port: Any
Destination Port: 443
Action: Permit
Schedule: Everyday
Times: 24 Hours

Thank you!


Andrew Hickman (Cisco Employee)

Hi Jai,

I've just been trying this myself and my system seems to be taking the configuration and working correctly.

A few questions - just to make sure I understand what you have written.

Software DMZ maps a public host address directed to a WAN interface to a private IP address on a LAN interface.  So where you have written:

Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK

I assume you have created rules with specific public and private host addresses?

As you have used in your example, the destination address must be the translated private address, not the public address to which the traffic was sent remotely.

Which firmware release are you using?

Regards,

Andy

Thanks for the reply Andrew. I have 2 IPs routed to my WAN IP which I have setup in the Software DMZ.

xxx.xxx.xxx.165 - 10.10.10.x

xxx.xxx.xxx.166 - 10.10.2.x

These work fine, except there is not a single port blocked right now! (Relying on Windows Firewall)

No matter what type of rule I try to make in the Advanced Firewall settings, all entries come up with "Values are Invalid", even after a reboot. Is my subnet mask for the destination IP correct as 255.255.255.254? I've tried every combination of 255 as well as 0.0.0.0 to no avail.

Model: SRP547W, ADSL2+ Annex A, 802.11n ETSI, 4FXS/1FXO
Version ID: V02
Hardware Version: 3.1.0
Boot Version: 1.1.19 (Aug 24 2010 - 20:50:42)
Firmware Version: 1.02.01 (023) Aug 12 2011
ADSL Firmware Version: 0.72.0
Recovery Firmware: 1.02.00 (023)
Setup Wizard Version: 20110728.00

Thanks again

JK    

Hi Jai,

Firstly, I'd recommend that you upgrade to the current firmware posted on Cisco.com - this is what I tested with earlier and it worked.

So assuming you have two software DMZ entries, let's say:

1.1.1.165 -> 10.10.10.100 and

1.1.1.166 -> 10.10.2.100

Create rules as follows:

1. From WAN1 to LAN10, source 0.0.0.0/0.0.0.0 dest 10.10.10.100/255.255.255.255 proto TCP sport any dport 443 permit

2. From WAN1 to LAN100, source 0.0.0.0/0.0.0.0 dest 10.10.2.100/255.255.255.255 proto TCP sport any dport 443 permit

3. From WAN1 to any, source 0.0.0.0/0.0.0.0 dest 10.10.0.0/255.255.0.0 proto any sport any dport any deny

Make sure that the priority of the rules is in that order.

Cheers

Andy

Sent from Cisco Technical Support iPad App
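To make the ordering point concrete, here is a small first-match evaluator for the three rules Andy lists above. This is an added example, not code from the SRP547W firmware or from anyone in the thread. It assumes the device walks the rules top-down by priority and stops at the first match, and that with no matching rule traffic to a software-DMZ host is allowed (the original poster says the software DMZ "forwards everything"). The client address 203.0.113.7 and the DMZ targets 10.10.10.100 / 10.10.2.100 are constructed or taken from Andy's illustration, not real addresses.

```python
"""First-match evaluator for the three Advanced Firewall rules suggested above.

Added example (not SRP547W code). Assumes top-down, first-match evaluation and
a default of "permit" when nothing matches, because the software DMZ forwards
every port to the private host until a rule says otherwise.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the address / dotted-mask pair the firewall UI asks for."""
    # strict=False so a host address paired with a non-host mask (such as the
    # 255.255.255.254 the poster tried) is accepted and we can see what it covers.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Andy's rule set, in priority order. 10.10.10.100 and 10.10.2.100 are the
# illustrative DMZ targets from his reply.
RULES: List[Rule] = [
    Rule("1 permit HTTPS to 10.10.10.100", net("0.0.0.0", "0.0.0.0"),
         net("10.10.10.100", "255.255.255.255"), "tcp", 443, "permit"),
    Rule("2 permit HTTPS to 10.10.2.100", net("0.0.0.0", "0.0.0.0"),
         net("10.10.2.100", "255.255.255.255"), "tcp", 443, "permit"),
    Rule("3 deny everything else to 10.10.0.0/16", net("0.0.0.0", "0.0.0.0"),
         net("10.10.0.0", "255.255.0.0"), "any", None, "deny"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a packet (src, dst, proto, dport) falls inside the rule's selectors."""
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "permit") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return default, "no rule matched (default)"


def hosts_covered(addr: str, mask: str) -> int:
    """How many destination addresses a Destination IP + Subnet Mask entry covers."""
    return net(addr, mask).num_addresses


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed Internet client address
    print(evaluate(RULES, client, "10.10.10.100", "tcp", 443))   # permit by rule 1
    print(evaluate(RULES, client, "10.10.10.100", "tcp", 3389))  # deny by rule 3
    print(evaluate(RULES, client, "10.10.2.100", "udp", 443))    # deny: rule 2 is TCP only
    # Same rules with the deny first: the permits are never reached.
    print(evaluate(list(reversed(RULES)), client, "10.10.10.100", "tcp", 443))
    # 255.255.255.254 is a /31 and covers two hosts; 255.255.255.255 covers one.
    print(hosts_covered("10.10.10.100", "255.255.255.254"),
          hosts_covered("10.10.10.100", "255.255.255.255"))
```

Two things the run makes visible that the prose only states: reversing the priority puts the deny-all in front and silently shadows both permits, and a destination mask of 255.255.255.254 is a /31 that spans two addresses (10.10.10.100 and .101 here) rather than the single host that 255.255.255.255 names. Note also that rule 3 as written only covers 10.10.0.0/16, so it says nothing about the 192.168.15.0/24 VLAN1 network.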

Working as desired with new Firmware from Feb 2012 and the 255.255.255.255 subnet.

I hadn't checked for firmware for the past 6 weeks because I've had this issue that long and not bothered to fix it.


Thanks again

JK

Excellent - thanks Jai,

Please feel free to mark this conversation as answered.

Regards,

Andy

All working as expected now (minor glitch on one of my rules) but having deny all rules as the last priority and open ports in early priority is working great! Cheers Andrew    
