Cisco Routers :: RVS4000 - Switch Status Of IPS Function / Firewall Rules Don't Work
May 3, 2012
I have problem with RVS4000 fw 1.3.3.5. When you switch the status of IPS function (turn on or turn off), firewall rules don´t work from that moment until you restart the router!
Using an rvs4000 with firmware v2.0.3.2 I am able to delete 'setup/lan/static ip mapping' entries, but I am unable to add any.After deleting an entry, hitting save (which reboots the router) and then trying to enter the same device with a different static ip address, the "add" button has no effect.
I have made a firewall rule that accepts FTP from WAN2 outside to the inside private LAN with IP address specified.But this didn't work.When I added in the forward rules that FTP had to be forwarded to this IP address it worked.I have done some testing but it seems that the firewall rules do not have any priority on the forward rule.If I disable the forward rule i cannot connect with ftp even with a firewall rule made.
I have a static IP block and need to route to various servers. I know I can use 1:1 NAT or Access Rules and have success with each. The problem is my mail server. When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups. However, I cannot block any ports when I use 1:1 NAT. I have tried it every way I can think of and even some suggestions in the forums that did not work. No matter how I set access rules, all port stay open in 1:1 NAT.
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address. The reverse DNS does not match and mail server will bounce the mail.
I purchased a RV180 router, and would like set the Firewall Access Rules as below
- Action: Always Allow - Service: HTTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address) - Action: Always Allow - Service: FTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address)
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?
I have a SRP547W that I have configured the following way:
LAN 192.168.15.1/24 VLAN1 LAN 10.10.10.1/24 VLAN10 LAN 10.10.2.1/24 VLAN100 PPPOE ADSL Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK
I now want to use the Advanced Firewall features to block all ports except those that I need as the software DMZ forwards everything. When I try to create the rules I get "the values are invalid" message no matter what I try.
I want to create explicit allow rules, followed by a deny all rule for each of the IP addresses used for the software DMZ
Have I got the Subnet Mask Correct for the Destination IP? Or should it be 255.255.255.0? It doesnt make a difference either way
Policy DetailsNameValueSource IP Address0.0.0.0Source Subnet Mask0.0.0.0Destination IP Address10.10.10.xDestination Subnet Mask255.255.255.254ProtocolAnySource PortAnyDestination Port443ActionPermitScheduleEverydayTimes24 Hours
I have a new (about 4 months old) RV042 V3 4.0.0.07 firmware that I am trying to use in fail over mode. I have a SOHO and I normally use cable Internet connection. It is quite fast (15 megabit), but not super reliable. I have added DSL (3.3 megabit) which is five nines (supposedly) but not so quick.
I have a Westell 7500 wireless DSL modem located in the basement, where the telephone lines enter the building. This gives me a wireless link to the second floor server room through a wireless router that connects to WAN 2 of the RV042. The cable modem is in the server room and connects directly to the WAN 1 of the RV042. The cable works, but when it goes down, the DSL link comes up but does not allow Internet traffic. The RV042 is set up as a Bridge and I have set up port forwarding to get the cable to work and used similar firewall commands to route the traffic if the router switched over. I suspect that the problem is in the port forwarding (port 80) or the firewall rules(which are pretty simple) because everything looks like it switches over, but it just doesn't work on WAN2.
I would like to isolate my wlan from the remaining network but with two exceptions. First it sould be possible to print from all devices in the wlan and second... my notebook should not be isolated
Therefore I did the followning steps:
1. Create vlan 2.Set access rules
Basically I blocked any inter-vlan-routing from the wireless vlan. I allowed all traffic from the wireless address range to the printer's ip address. I allowed all traffic from the notebook's ip address to the private vlan.
3. Set a static DHCP entry for the notebook 4. Set an IP/MAC binding entry for the notebook
For some reason I can reach any ip address from any wireless device.
I face a strange bahavior with my rv220w router : I set up access rules to deny all outbound trafic for a particular IP range. It seems to work fine .... but when I enable content filtering, HTTP access on port 80 works again (and other ports are denied). It seems that activating content filtering makes the router ignore firewall rule.
I am having some troubles finding information about how to configure firewall policies (rules, chains, etc.) via telnet on a RV016. The reason for that is that i keep getting some log entries "connection refused - policy violation" and "blocked" even with my firewall wide open (only allow rules on all interfaces, SPI and block wan request disabled, multicast and https enabled, etc.... ). Also, with these exact same rules, i can only connect via PPTP with the firewall disabled. The minute i tick the enable option the tunnel never gets to authentication phase. I then started reading OpenRG manual and many things are quite similar, but some other entries are missing from that manual (maybe some changes made by cisco?). I am trying to figure out some service ids, chains (e.g. the rv016 has some rules redirecting to chains 10, 100, 200 but i can not find them anywhere), and so on. I have only one rv016 and about 60 connections to it so i can not experiment that much without having the whole company on my neck with internet problems.
The local router is behind a fiber firewall/router; the rvs4000's ext ip is thus 192.168.1.2, not visible from the net. The firewall/router is a dyn ip, with a dyn dns name mapping to it. The remote (some NetGear thing) is also dyn dns, but it is not behind a firewall.
I want to cook a vpn from the local lan subnet to the remote lan subnet.
It worked fine when both ends were NetGear.
I think it would be ok if somehow I could thell the rvs4000 that the local Security Gateway Type be just FQDN; it can't be IP+FQDN because the remote end doesn't know anything about that kind of thing; it can do IP or FQDN or a couple other confusing things.
I have a RVS4000 and I am going to configure vlan in the near future. Among all other configurations sent by the internet provider company is this one :
Firewall NAT : from x.x.2.0/24 to 0.0.0.0/24 should be NAT from x.x.2.0/24 to x.x.0.0/21 should not be NAT
From all the other configurations, this one is not clear to me. Can this configuration be done on a RVS4000 and where can it be done.
The firewall on my RVS4000 appears to hang when ever I use Netflix. If I disable the firewall and re-enable it it works for a while and then stops again. My IP address is in the Approved Client IP Addresses so it is excluded from the URL filtering and Web reputation rules.
I am trying to access a device behind my firewall that needs to use port 9000. I have completed the single port forwarding page with the exterior and internal port but I cannot access the device from outside the firewall. Yes I did check the "enabled" box
If I have the IP ACL firewall enabled in my RVS4000 I have trouble connecting to specific websites and also connecting to Apple's update servers. The problem appears to be that the firewall is blocking incoming data to the ephemeral ports even when they are allowed in the firewall rules. I've also tried port forwarding rules but the only thing that resolves the problem is to disable the firewall entirely, which is not the desired resolution. The firmware version is 2.0.27.
I just switched houses, and when I connected my computer, modem and router I found out that I have internet on my PC which is wired, but when I try to get connected with my Laptop using the wireless funtion, it doesn't work. The laptop finds the router and gets "connected" but when I try to open a web page, it says there's an issue with my internet connection, and also something about not finding the DNS...whatever that means...as you can see..
I have noticed that on my WAG120N the WPS function doesn't work as it should (...at all). I tried connecting a blackberry, a playstation3 and 2 different laptops using the WPS option (button or PIN, doesn't matter) and the devices would simply not talk to each other. I can understand problems with the PS3 but the blackberry and the laptops were (and still are) able to connect using WPS on my previous router - WAG54G2. Pairing of the devices by supplying a password works fine, this is a problem only with the WPS functionality. My firmware is V1.00.16.
I installed a new SA540 and configured some NAT rules for my Exchange server. Everything worked fine untill I did a firmware upgrade.Now the NAT rules won't work on my dedicated WAN.On the Optional WAN (load balancing) the NAT rules work fine.
How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See [URL]) and that was supposedly added to a beta release of the RV220W firmware (See [URL])?
Would one of the 'Cisco RV016' work with a switch? I'm planning on running our work network using this device to load balance between 3 WAN connections and would like to keep the upstairs and downstairs computer users separated via a switch.Will the switch affect the load balancing or will the router still be able to detect each individual user and balance the load as seen necessary?
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
My company has a spare 7200 VXR, originally planned to be placed on our TDM network. This plan was not followed through, but I'd like to switch it's function to work as a core router on our BGP network. I'd like for this 7200 to be able to handle full routes from our eBGP peer, something the SUP module in my 6500 isn't capable of doing. What kind of SUP module should i look at replacing this 7200 VXR with?
I am having some issues with getting DHCP Relay to fuction properly over our SG300-20 Switch.Out current layout is as follows. Hanging off the SG300-20 are a pair of Clustered Checkpoint Gateways with VLAN'ed interfaces in Both of our 2 VLANs, a 3COM 4200G In VLAN1 which has the DHCP server (And all the other Servers) connected to it, and a Pair of HP Procurve 2520's Stacked in VLAN 2 to provide PoE for our Phones/connectivity for our PCs.The problem is I cannot get the DHCP Relay to fuction from VLAN 1 to VLAN 2. If I assign an address in VLAN 2 manually to a device connected to the Procurves, everything works fine. I am able to reach both VLAN 1 and VLAN 2, but DHCP aquisition fails even if the device is connected directly to a port assigned to VLAN 2 on the SG300. The SG300 is running at Layer 3 currently also.
Here is a copy of the running config: -------------------------------------------------------------------------------------------------------------- switch4db24f#show running-config vlan database vlan 2 exit interface range gi8,gi16 switchport default-vlan tagged
I am trying to configure a Cisco SPA8000 to function as a SIP ATA behind a RV220W router. I cannot seem to get port forwarding working or otherwise allow the SIP traffic to the SPA8000. When I replace the RV220W with another router / firewall everything works fine, but when I put in the RV220W I am not able to register etc. I have been over and over the manual and "yes" I have the SIP ALG enabled. Here is my setup:
I have 2 internet connections in my office one via Verizon Fios and another one via the local cable company. On the fios connection I have an RV042 VPN router and on the Cable company connection I have an rvs4000 router, I would like to know if there is a way I can connect the 2 so I can share a printer I have on one of the 2 networks from the other network without using the VPN feature, like via an ethernet cable connected between the 2 and some kind of static route maybe?