Cisco Routers :: RV042 Opens Ports 80 And 443 When HTTPS Enabled In Firewall?
Nov 15, 2011
I recently installed an RV042 v1.1 vpn router (older hardware revision but using the latest available firmware 1.3.12.19-tm) and set up VPN access with the QuickVPN client. QuickVPN requires that the HTTPS setting be enabled under the Firewall options, so I did. I then scanned our static IP with grc.com's ShieldsUP! to check for open or non-stealthed ports and discovered that ports 80 and 443 show as wide open, while port 113 is closed but not stealthed. If I disable the HTTPS setting under Firewall, then ports 80 and 443 become stealthed. Is there any way to use QuickVPN and keep these ports stealthed?
this is regarding my RV042. Its firmware version is v4.1.1.01-sp (Dec 6 2011 20:03:18), unchanged from how I received it. I purchased less than a month ago. I have a problem wherein the firewall behavior is not what I expect it to be, where I expect only allowed ports/services to be open to a given private IP from the outside but am finding that all are open to that private IP!
Let me describe the current configuration. I am going to blank out all digits of the public IP addresses when discussing them except for the final digits for security reasons.Router's WAN1 is set up as static, X.X.X.189. This is part of my public IP block. WAN2 is disabled. One-to-One NAT is enabled. Three instances of it are set up. One, for example is 192.0.2.89 (a private IP) mapped to X.X.X.180, a public IP, part of our public block. Forwarding is not enabled. There is no DMZ Host. That is set to 192.0.2.0. Firewall and SPI are Enabled. Access Rules for the firewall are set up in addition to the default rules which are present to Deny all traffic with WAN1 and WAN2 as the source from any source to any destination. This to me means that unless I set up Allow actions, there should be no access from the outside, WAN1. As an example of one of my Allow rules, I have this:
Action: Allow Service: HTTP Log: Not log Source interface: WAN1 Source IP: ANY Destination IP: Single, 192.0.2.89 Time: Always
My problem: My expectation is that based on the One-to-One NAT setting, the public IP X.X.X.180 is now associated with the private IP 192.0.2.89, but nothing from public to private is allowed unless allowed by the firewall, which is only set to allow HTTP / port 80 to 192.0.2.89. But the behavior is that 192.0.2.89 is, as presently configured, open to everything from the associated public IP, not just port 80, but all ports! It is as if my firewall rules have no impact whatsoever.
I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows: HTTP[TCP/80~80]->10.0.0.6HTTPS[TCP/443~443]->10.0.0.6IMAP[TCP/143~143]->10.0.0.5IMAP SSL[TCP/993~993]->10.0.0.5SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.
I am trying to block certain domain, i used "domain" and "domain.com" in the forbidden domains , but when people access the website as https://domain.com the website loads perfect. Http is block however. I tried to block "https://domain.com", but that didn't work.
I have an ASA 5505 running 8.4.4.1. I've configured three WAN interfaces and have assigned failover on one of them (we have two ISP's, and a total of 3 static IP's in 3 different subnets). I've noticed that all the traffic is flowing through only one of the three interfaces, but I need to allow incoming https traffic on the second WAN port so I can access our Exchange server (we already use https on the first WAN port to access another server).
[code] WAN1 is the default outgoing route and we've configured several incoming services on it (smtp and https for example) and appears to be working properly as mail is coming and going and users can access the RDS gateway.I need to configure WAN2 to accept https traffic and send it to our Exchange server to enable OWA (webmail) access.I've configured the same Access and NAT rules on all three WAN interfaces for smtp (but I suspect only the first one is currently functioning at this point, I'll test it next chance I get). I thought all I'd have to do is configure an access and NAT entry on WAN2 (same as on WAN1), but direct the traffic to the OWA server instead of the rds gateway server, but it is not working.
In the realtime log I can see that it appears to be receiving the traffic on the WAN2 IP, but seems to be passing this through to the inside via the WAN1 interface.
I've been having a lot difficulties to get Cisco RV042 v 3 run on both WLAN ports. I've tryed in Smart Backup Link and Load Balancing .... nothing.What I want to do is:
1 web server in LAN lets say IP 192.168.15.2 1 dns server in LAN lets say IP 192.168.15.4
I want to have the router running as Smart Backup Link in case one of the internet connections fails (I will say that the DNS server handles most of the domain names on the web server so it needs to be publicly available as well, and the main domain name of the web server is managed by independent DNS server somwhere in internet, so it has mechanism that can be use to change the entries let say DNS round robin way).
1. WLAN1 with PPPOE and WLAN2 with static ip by the second provider LAN fasion, ports forwarded to the web and the dns servers - NOT accesible. Router firmware latest version 4.
2. WLAN1 with static ip by the second provider LAN fashion, network normal operating but cannot access the server on port 80.
I have enabled SSH on my 3750 switches and notice that https is not working. Iam not sure they are related but seems to be oddly coincidental. Therefore find it diffficult to monitor using CNA 5.7.6.
configs are given below
gvadc-sf01#sh run | i ip http ip http server ip http access-class 11 ip http secure-server
From my machine, i should normally have access to https running on the switch but isnt the case..
Do I need to generate a new crypto key separately for https?
Is there a way to use QuickVPN with the RV042 without leaving ports 80 and 443 wide open to Shields UP! scans? As a workaround, I am forwarding these ports to a non-existent IP and forcing QuickVPN to use port 60443. Yes, 60443 shows as open too if I scan it, but at least it's not in the first 1056 ports.
Router is Linksys-branded, using latest firmware for this hardware (1.3.13.02-tm)
I have got a TMG 2010 and i want to use Skype through it. if HTTPS inspection is enabled skype doesn't work, if it is disabled skype is working.What can i do for using Skype behind a TMG with httsp inspection so i want to use 8080 port only.I have excluded the 1 PC from HTTPS inspection or the destination URLs from HTTPS inspection.
A company with 20 branches in Rio de Janeiro area. The main servers are in a datacenter located in downtown.Each branch has a RV042 router with firmware version 1.3.12.19-tm (Feb 13 2009 13:03:21) installed.All users in this network have a proxy configuration pointing to proxy.[blah].com.br port 3128.the HTTP/HTTPS traffic should go through proxy only. [code] Some "smart" users were caught using Ultrasurf application, which changes the proxy settings to go through port 9666 or even 443.In other machines, we've found some black proxies [for example: 212.46.27.142 port 8080].
My objective:
- To close all ports in Firewall -> Access Rules section and grant permission only to some selected and specified ports.
- To redirect all HTTP/HTTPS connections to go to proxy's IP address only.
Which Access Rules can I set in these RV042s in order to block and prevent these users to continue abusing this network?The users who were caught using Ultrasurf were fired.
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
I am doing a security assessment of an organization that uses 871/881 routers with the firewall features enabled. I see the following commands defining packet inspection done by the firewall software.
-ip inspect name inet-users tcp -ip inspect name inet-users udp -ip inspect name inet-users icmp
What I am trying to define is the inspect name "inet-users". It is obviously a constant defined by IOS as it is not defined anywhere in the configuration file like any other "variable" and does not generate an error.What does "inet-users" define? I'm assuming it is all users using the interface(s) where the inspect commands are used, but is that correct? The Cisco IOS manuals do not contain a reference to "inet-users" hence why I'm here asking.
Recent incountered an issue with our elastix pbx and packet loss. Noticed this morning that when I turn on the firewall on our RV082, packet loss begins around the level 3 servers I see in my traceroute, and then slow spread out to all hops. When I turn the firewall back off, all hops have no packet loss or less than 1%. The weird part is, previously, I had the firewall enabled, and never had this issue.
The unit is configured as internet gateway. 4 NAT ports are active. When firewall disabled all works fine. When firewall enabled I do get connection lost at random interval. In firewall only 4 rules added to the default 3 rules. The added rules are:
1/ permit 192.168.1.22 port 25 to any 2/ permit 192.168.1.27 port 25 to any 3/ permit 192.168.1.10 port 25 to any 4/ deny any port 25 to any
I do get at random times connection lost when navigating with windows explorer on a PC with IP 192.168.1.x to a share on a PC with IP 172.25.152.74. The same happens when copying files. Sometimes it works, later it fails or reties are needed. When the firewall is switched off all runs fine.
Ping from 192.168.1.x to 172.25.152.74 allways give a <1ms response
Is there a RV082 perfomance problem or do I have a configuration problem?
i have 2 rv042 with a vpn tunnel between them.the problem is that i can't access https over the VPN !if i telnet 192.168.10.1 443 through the VPN, it's not working either. if i telnet 192.168.10.1 443 in my 192.168.10.0 network it's working so it's reall the VPN tunnel the problem.
We are experiencing bridge storms and network slow downs and we believe we have traced the issue down to users plugging a cat 5/6 cable between 2 ports on the wall both wired back to a SGE2010 switch.
So we did a test - we plugged a single short cat 6 cable between 2 ports on a SGE2010, our access switch. Suprisingly, even with STP enabled, the switch DID NOT block one of the ports and in a few minutes the ENTIRE NETWORK was down, as CDP, STP, and ARP traffic became a multi-gigabit storm throughout the network.
Why on earth does this switch not block a port that is obviosly looped?
Every other cisco switch since I started on 1900XL's did this in 1999.
I recently bought my daughter a refurshed dell 17" laptop which has Windows 8 home edition on it. She also has another smaller laptop with windows 7 on it, an X-box-360 and a PS3 all connected to this RV042 Business router.
I do not have access to the firmware version of the RV042. I believe it was updated in 2011 or early 2012.
We found out that with the RV042 firewall set to ON, she is UNABLE to hit her college website with the new win 8 computer She CAN go to the college web site with the smaller win 7 computer when the firewall is off or on.
The win 8 computer will allow google searches, but when you click on any of the links, it will not load.With the win 8 computer, facebook will not load, MSN and Hotmail will not load.
Disable firewall, and most (if not all) items that did not work, magically DO work when the RV042 firewall is disabled for the win 8 laptop.
Having issues with with win 8 home edition and the RV042 firewall enabled? Is there a "simple" cure for this, other than slicking the laptop and putting win 7 on it?
I use the Service port connected to the managementVLAN to manage the WLCs. When configuring HA with AP SSO, I lost HTTPS connectivity to the WLC, telnet still works fine.I researched the deployment guide and it states:
- When AP SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup.Why is remote access disabled using GUI when using HA, and how can I keep management of my WLC using HTTPS and an address in the ManagementVLAN.
Replaced an older RV042 that had damage from lightning. The new RV042 is V03 with firmware 4.0.0.7. This router supports 7 branch offices using site-to-site VPN to other RV042 routers. After connecting the new RV042 at the main office, three of the branch offices had very slow response over the VPN tunnel. I disabled the firewall on the new RV042 and the problem resolved. The three branches with the problem have Windows 7 systems and the other 4 have Windows XP. I confirmed that the Windows firewall was disabled on the Windows 7 systems.I did try leaving the firewall enabled and disabling SPI, but that didn't work. Have to have firewall disabled to resolve the problem. I would not expect the firewall on the main office RV042 to affect VPN tunnel traffic, but apparently it does. Do we need specific access rules to fix the issue. It works fine with firewall disbaled, but I'd be more comfortable with it enabled.
I need to configure a new RV042 behind a SSG5 firewall. All VPN connections is client to gateway.
Firstly, i tried doing a direct connection(bypassing the firewall), the quickVpn status says connect but I can't even ping the rv. I suspect is due to client own ip is 192.168.1.x and the gateway ip is also 192.168.1.10. How do I resolve this such that users can connect anywhere without having to worry about clash of ip?
I have an RV042 which is being used as an interface to an ISP.The WAN address (public) is obtained via PPPoE.The LAN address (also public) is entered manually from an assigned block of public addresses. This is the internet gateway for other publicly-addresses devices like firewalls, VPN devices, etc.
I have an RV042 to play with as will as one in production that I can access.Because the accesses are both through public addresses, I want to use https to access the device. I've generated a number of questions as I'm not sure the behavior is understandable to me and maybe the behavior isn't even consistent.
- If the firewall is Disabled, the https setting is still available. So, presumably https will work with the firewall enabled or disabled? Is that right?
- I take it that the Remote Management setting and port number are associated with the WAN port. For example, can one set Remote Management ON with port 443 and still access via the LAN on port 80? on port 443?
- If Remote Mangement is OFF then I presume that one cannot access the device through the WAN. Yet, that seems to not be the case. I wonder if the public addresses on this device affect this?
Well, I guess we might forget about the Port number and just ponder the following - Sort of a truth table:
Remote OFF http...........WAN access: NO LAN access: YES https..........WAN access: NO LAN access: YES Remote ON http...........WAN access: YES LAN access: YES https..........WAN access: YES LAN access: YES
This is what it would seem to me to be but it doesn't seem to work that way.
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
I have a new (about 4 months old) RV042 V3 4.0.0.07 firmware that I am trying to use in fail over mode. I have a SOHO and I normally use cable Internet connection. It is quite fast (15 megabit), but not super reliable. I have added DSL (3.3 megabit) which is five nines (supposedly) but not so quick.
I have a Westell 7500 wireless DSL modem located in the basement, where the telephone lines enter the building. This gives me a wireless link to the second floor server room through a wireless router that connects to WAN 2 of the RV042. The cable modem is in the server room and connects directly to the WAN 1 of the RV042. The cable works, but when it goes down, the DSL link comes up but does not allow Internet traffic. The RV042 is set up as a Bridge and I have set up port forwarding to get the cable to work and used similar firewall commands to route the traffic if the router switched over. I suspect that the problem is in the port forwarding (port 80) or the firewall rules(which are pretty simple) because everything looks like it switches over, but it just doesn't work on WAN2.
2) Allow all port 80 connections, and forward to 10.4.20.60
3) Allow all port 443 connections, and forward to 10.4.20.60
4) Allow port 22 connections from specific IP addresses, and forward to 10.4.20.60
5) After a remote client has connected using Client to Gateway VPN, allow that remote client to access anything on the LAN
I'm able to do #1-4 above, but I can't get #5 to work. Or I can get #5 to work, but can't implement the restrictions I need in #1-4. Attached are some relevant screenshots. I think the problem is that I have Forwarding rules set up that require me to have a firewall rule to Deny All Traffic from WAN1 (unless I'm specifically allowing it). In the Access Rules screenshot, rule #6 is the problem. If I enable it (thereby denying all WAN1 traffic), then VPN clinents can't access anything on the LAN. However if disable this rule, VPN clinents can access anything on the LAN, but the firewall also opens up all outside connections to SSH, since that's set up in the Forwarding rules. I would have thought that once a remote client is connected using client to gateway VPN, then that client is considered to be on the LAN, as far as the firewall is concerned. Thus a firewall rule (like #6) that is specified for WAN1 shouldn't effect remote VPN clients.
I have 2 questions to confirm and/or get direction on how to modify.
1) is there a way to get around the (seemingly arbitrary) class C (slash 24+) subnet restriction for the primary/main IP address for the internal LAN?
(I realize I can setup multiple internal subnets but that also seems to introduce restrictions for port ‘forwarding’ and ‘one-to-one NAT’ use because those features seem to be restricted to the primary/main IP subnet)
2) it seems like all traffic is passed to the host on the internal side of a ‘One-to-One NAT’ regardeless of the firewall rules in place, is that what is be expected?
We have a setup where our e-mail server is hosted in-house.Our network is connected through a RV042 gateway. Port 25 is forwarded to our internal e-mail server.Our smtp service should be limited to receiving incomming connections only from 4 specific ip ranges which I set up in the firewall rules.The reason is that all smtp is managed and protected by an external anti-spam/vires provider.
However it looks like any computer is able to connect to our port 25 and be forwarded to our e-mail server.Does portforwarding overrule firewall rules - ie. you can not limit access with the firewall if you decide to port forward?Is this a "fixable" situation - or is the RV042 not built for handling this setup?
I'm having an issue where our RV042 router is blocking some of our customers from sending us e-mails.I noticed thatCISCO has produced a newer version of the RVO42 V3.0 and has firmware version 4.x. can you upgrade the Linksys RV042 Hardware V 1.2 to the 4.x firmware? I have found a few articles and forums online about otherpeople having the same issue with the RV042 v1 randomly blocking, e-mail but no one ever has a solution to correct the issue.Some people have recommend to roll back to factory default and reconfigure the router as the config may by corrupt.
I am using an RV042 router/firewall -- firmware v1.3.13.02-tm -- connected to a cable modem.I have one public address (WAN1) assigned by my ISP's DHCP server.All my machines on the LAN have static IPs. (RV042 DHCP Server is disabled.)I have set up port (80) forwarding to 192.168.1.101 The HTTP port forwarding does work if an http client on the LAN sends a request to http://<public-ip>:80But I cannot get a response if I send a request to http://<public-ip>:80 from a machine on the WAN.
I did configure Access Rules to allow http traffic (and then tried to allow *all* traffic) between a single IP on the WAN and 192.168.1.101 The incoming log table shows a connection is made from the http client on the internet to the correct http server on the LAN, but there is no resonse from the LAN to the remote client.Is my configuration the problem, or is this feature not supported by the RV042 router? Could my cable modem be blocking outbound traffic?
If I have the IP ACL firewall enabled in my RVS4000 I have trouble connecting to specific websites and also connecting to Apple's update servers. The problem appears to be that the firewall is blocking incoming data to the ephemeral ports even when they are allowed in the firewall rules. I've also tried port forwarding rules but the only thing that resolves the problem is to disable the firewall entirely, which is not the desired resolution. The firmware version is 2.0.27.
I have a cisco asa 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only http traffic.
I have no problem configuring both devices to successfully connect when the juniper firewall isn't in the picture. But due to policy; the RV042 at our main site must sit behind the firewall.
I've got the port forwarding setup but I'm not able to connect. I know I"m missing some configuration on the RV042 but I can't think of it! I've attached a GIF to give an example of both setups.
We have an ASA 5505. 5505 comes with two default vlans 1&2 with each of them marked as inside & outside respectively.My query is , if i do not want to use vlans on 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible?i.e. i want to assign a layer 3 ip address on eth0/0 and eth0/1 and make them as the inside & outside interfaces rather than vlans. is it possible to do away with vlans in 5505 & will it work otherwise?
