Cisco RV320 ACLs not working

Discussion in 'Routers' started by mangyDOG, Sep 10, 2016.

  1. mangyDOG

    mangyDOG New Around Here

    Joined:
    Aug 28, 2008
    Messages:
    5
    Hi all,
    I was hoping to get some help configuring a Cisco RV320 router. The RV320 is at a remote location. I want to configure a port forward for remote desktop from my public static IP address through the RV320 to a server on the RV320's internal LAN.

    I have set up port forwarding on the RV320 for port 3389 to 192.168.0.1 (the internal server) and this works, but it opens the port to everyone on the internet.

    I created an access rule in the firewall section of the RV320 which is:

    Action = Allow
    Service = 3389
    Source interface = WAN1 (also tried the ANY option)
    Source = 123.123.123.123 (my "public" static IP address)
    Destination = 192.168.0.1 (the internal server)
    Time = always.

    I hoped this would restrict port 3389 traffic to just my IP address but it had no effect.

    I then left the firewall rule in place and removed the port forward rule. This then blocked all port 3389 traffic to the internal server.

    My question is this: Is there any way on an RV320 router to allow access from a single external IP address through the router to an internal address and block all other external connections?

    Thanks for any help!
    Cheers,
    mangyDOG
     
  2. Samir

    Samir Very Senior Member

    Joined:
    Apr 1, 2013
    Messages:
    613
    Location:
    HSV
    So you need to also have a Deny rule denying traffic to all other IPs. Then you have to order the rules (I forgot exactly which order) for all traffic to be denied except your one allow rule. Hope this helps! Post back with any updates. :)
     
  3. mangyDOG

    mangyDOG New Around Here

    Joined:
    Aug 28, 2008
    Messages:
    5
    :eek: it works! The Cisco firewall rules are nuts! Thanks Samir!

    I never considered doing this because the access rules page has a default rule to Deny all traffic from WAN1 to any destination. It appears that even though the default rules are listed, they have no effect on the port forwarding rules. Previously I have used Netgear routers where you had to enable port forwarding and then enable a single allow rule in the firewall. With the Cisco you have to manually create both an allow rule and a deny rule:

    Priority 1, Allow, 3389, WAN1, source=123.123.123.123, destination=192.168.0.1, always
    Priority 2, Deny, 3389, WAN2, source=any, destination=192.168.0.1, always.

    Many Thanks,
    Cheers,
    mangyDOG.
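
The rule behaviour described in this thread, as an added example (not code from the posters and not Cisco's implementation): a small first-match evaluator for checking a planned rule set before applying it. It assumes rules are checked in priority order and that forwarded traffic no user rule matches is let through, which is what mangyDOG observed; the interface column is not modelled, and the 198.51.100.7 probe address is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str        # "allow" or "deny"
    port: int
    source: str        # single IP, CIDR, or "any"
    destination: str

    def matches(self, src, dst, port):
        if self.port != port or self.destination != dst:
            return False
        return self.source == "any" or ip_address(src) in ip_network(self.source)

def decide(rules, forwards, src, dst, port):
    """First matching rule in priority order wins."""
    if (port, dst) not in forwards:
        return "deny"                      # no forward: unreachable from the WAN
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src, dst, port):
            return rule.action
    return "allow"                         # assumption: unmatched forwarded traffic passes

def reachable_from(rules, forwards, probes):
    """Sources in `probes` that can still reach at least one forwarded port."""
    return [src for src in probes
            if any(decide(rules, forwards, src, dst, port) == "allow"
                   for port, dst in forwards)]

SERVER, ADMIN = "192.168.0.1", "123.123.123.123"   # values from the thread
STRANGER = "198.51.100.7"                           # constructed probe address
FORWARDS = {(3389, SERVER)}
ALLOW_ONLY = [Rule(1, "allow", 3389, ADMIN, SERVER)]
ALLOW_THEN_DENY = ALLOW_ONLY + [Rule(2, "deny", 3389, "any", SERVER)]
DENY_THEN_ALLOW = [Rule(1, "deny", 3389, "any", SERVER),
                   Rule(2, "allow", 3389, ADMIN, SERVER)]

if __name__ == "__main__":
    for name, rules in [("allow only", ALLOW_ONLY),
                        ("allow, then deny", ALLOW_THEN_DENY),
                        ("deny, then allow", DENY_THEN_ALLOW)]:
        print(f"{name:18} reachable from:", reachable_from(rules, FORWARDS, [ADMIN, STRANGER]))
```

In this model the allow rule alone leaves the forward open to every source, the allow-then-deny pair limits it to the one address, and reversing the priorities locks that address out as well.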
     
  4. Samir

    Samir Very Senior Member

    Joined:
    Apr 1, 2013
    Messages:
    613
    Location:
    HSV
    Sweet! Glad it worked for you. :)