02-28-2012 12:17 PM
Hi Everyone, in advance, thank you for your assistance.
I have a SRP547W that I have configured the following way:
LAN 192.168.15.1/24 VLAN1
LAN 10.10.10.1/24 VLAN10
LAN 10.10.2.1/24 VLAN100
PPPOE ADSL
Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK
I now want to use the Advanced Firewall features to block all ports except those that I need as the software DMZ forwards everything.
When I try to create the rules I get "the values are invalid" message no matter what I try.
I want to create explicit allow rules, followed by a deny all rule for each of the IP addresses used for the software DMZ
I thought I should make them like this? Can you please confirm? Have I got the Subnet Mask correct for the Destination IP? Or should it be 255.255.255.0? It doesn't make a difference either way.
Policy Details | Value
Source IP Address | 0.0.0.0
Source Subnet Mask | 0.0.0.0
Destination IP Address | 10.10.10.x
Destination Subnet Mask | 255.255.255.254
Protocol | Any
Source Port | Any
Destination Port | 443
Action | Permit
Schedule | Everyday
Times | 24 Hours
Thank you!
03-01-2012 04:23 AM
Hi Jai,
I've just been trying this myself and my system seems to be taking the configuration and working correctly.
A few questions - just to make sure I understand what you have written.
Software DMZ maps a public host address directed to a WAN interface to a private IP address on a LAN interface. So where you have written:
Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK
I assume you have created rules with specific public and private host addresses?
As you have used in your example, the destination address must be the translated private address, not the public address to which the traffic was sent remotely.
Which firmware release are you using?
Regards,
Andy
03-01-2012 05:43 AM
Thanks for the reply Andrew. I have 2 IPs routed to my WAN IP which I have set up in the Software DMZ.
xxx.xxx.xxx.165 - 10.10.10.x
xxx.xxx.xxx.166 - 10.10.2.x
These work fine, except there is not a single port blocked right now! (Relying on Windows Firewall)
No matter what type of rule I try to make in the Advanced Firewall settings, all entries come up with "Values are Invalid", even after a reboot. Is my subnet mask for the destination IP correct as 255.255.255.254? I've tried every combination of 255 as well as 0.0.0.0 to no avail.
Model: | SRP547W, ADSL2+ AnnexA, 802.11n ETSI, 4FXS/1FXO
Version ID: | V02
Hardware Version: | 3.1.0
Boot Version: | 1.1.19 (Aug 24 2010 - 20:50:42)
Firmware Version: | 1.02.01 (023) Aug 12 2011
ADSL Firmware Version: | 0.72.0
Recovery Firmware: | 1.02.00 (023)
Setup Wizard Version: | 20110728.00
Thanks again
JK
03-01-2012 03:00 PM
Hi Jai,
Firstly, I'd recommend that you upgrade to the current firmware posted on Cisco.com - this is what I tested with earlier and it worked.
So assuming you have two software DMZ entries, let's say:
1.1.1.165 -> 10.10.10.100 and
1.1.1.166 -> 10.10.2.100
Create rules as follows:
1. From WAN1 to LAN10, source 0.0.0.0/0.0.0.0 dest 10.10.10.100/255.255.255.255 proto TCP sport any dport 443 permit
2. From WAN1 to LAN100, source 0.0.0.0/0.0.0.0 dest 10.10.2.100/255.255.255.255 proto TCP sport any dport 443 permit
3. From WAN1 to any, source 0.0.0.0/0.0.0.0 dest 10.10.0.0/255.255.0.0 proto any sport any dport any deny
Make sure that the priority of the rules is in that order.
Cheers
Andy
Sent from Cisco Technical Support iPad App
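The reason the order matters, and why the 255.255.255.254 mask from the original question is the wrong shape, is easiest to see by simulating the rule set. The script below is an added example and is not code from the thread or from Cisco; it models the SRP547W's Advanced Firewall as a first-match list walked in priority order, using the router's dotted-mask notation for addresses. Two things are assumptions for the sake of the model: that traffic matching no rule is permitted (which is the situation the question describes, since software DMZ forwards every port), and the constructed client address 203.0.113.10 standing in for any Internet host. Andy's public addresses 1.1.1.165/166 are his placeholders and do not appear in the rules, because, as he notes, the destination must be the translated private host.

```python
"""First-match simulation of the SRP547W Advanced Firewall rules from this thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    # Addresses use the router's dotted-mask notation, e.g. "10.10.10.100/255.255.255.255".
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


def covers(spec: str, addr: str) -> bool:
    """True if addr falls inside spec; ipaddress accepts dotted masks, including 0.0.0.0/0.0.0.0."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def hosts_covered(spec: str) -> int:
    """Number of host addresses a destination/mask pair matches (1 for a 255.255.255.255 host mask)."""
    return ipaddress.ip_network(spec, strict=False).num_addresses


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "permit") -> str:
    """Walk the rules in priority order and return the first matching rule's action.

    The "permit" default is an assumption modelling the thread's situation: software DMZ
    forwards every port, so anything no rule catches reaches the private host.
    """
    for r in rules:
        if not covers(r.src, src) or not covers(r.dst, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return default


def andys_rules() -> List[Rule]:
    """Andy's three rules in priority order; destinations are the translated private hosts."""
    any_src = "0.0.0.0/0.0.0.0"
    return [
        Rule(any_src, "10.10.10.100/255.255.255.255", "tcp", 443, "permit"),
        Rule(any_src, "10.10.2.100/255.255.255.255", "tcp", 443, "permit"),
        Rule(any_src, "10.10.0.0/255.255.0.0", "any", None, "deny"),
    ]


# Constructed sample source: an arbitrary Internet client from the 203.0.113.0/24 documentation range.
CLIENT = "203.0.113.10"

if __name__ == "__main__":
    rules = andys_rules()
    for dst, proto, port in [("10.10.10.100", "tcp", 443), ("10.10.10.100", "tcp", 3389),
                             ("10.10.2.100", "tcp", 443), ("10.10.2.100", "udp", 53)]:
        print(f"{CLIENT} -> {dst} {proto}/{port}: {evaluate(rules, CLIENT, dst, proto, port)}")
    # Priority matters: with the deny rule first, the permits are never reached.
    print("deny first, tcp/443:", evaluate(list(reversed(rules)), CLIENT, "10.10.10.100", "tcp", 443))
    # The 255.255.255.254 mask from the question covers a pair of hosts, not a single one.
    print("hosts matched by .254 mask:", hosts_covered("10.10.10.100/255.255.255.254"))
    print("hosts matched by .255 mask:", hosts_covered("10.10.10.100/255.255.255.255"))
```

Run it as a script to see the decision for each sample flow. The useful checks are the two negative ones: a port other than 443 to either DMZ host lands on the deny rule, and putting the deny rule at a higher priority than the permits blocks 443 as well, which is exactly the failure mode Andy's "in that order" warning is about.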
03-01-2012 04:46 PM
Working as desired with new Firmware from Feb 2012 and the 255.255.255.255 subnet.
I hadn't checked for firmware for the past 6 weeks because I've had this issue that long and not bothered to fix it.
Thanks again
JK
03-02-2012 02:42 AM
Excellent - thanks Jai,
Please feel free to mark this conversation as answered.
Regards,
Andy
03-02-2012 06:41 PM
All working as expected now (minor glitch on one of my rules) but having deny all rules as the last priority and open ports in early priority is working great! Cheers Andrew