Cisco RV220W does not allow inbound traffic to any external VPN

Computers behind the Cisco RV220W cannot connect to any external VPN; I get this error: "VPN connection is terminated by the client".

No firewall is active and users are able to browse the internet. It has a very basic configuration.

Similar Messages

  • Cisco RV042 Firewall Blocking LAN Traffic

    Hello Everyone,
    I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple of servers running ESXi.  Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be the culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).
    Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
    Action   Service           Source Interface   Source                      Destination                 Time
    Allow    All Traffic [1]   LAN                10.10.21.1 ~ 10.10.21.31    10.10.10.10 ~ 10.10.10.10   Always
    Allow    All Traffic [1]   LAN                10.10.10.10 ~ 10.10.10.10   10.10.21.1 ~ 10.10.21.31    Always
    Allow    All Traffic [1]   LAN                Any                         Any                         Always
    Allow    All Traffic [1]   LAN                Any                         Any                         Always
    Deny     All Traffic [1]   WAN1               Any                         Any                         Always
    Deny     All Traffic [1]   WAN2               Any                         Any                         Always

    I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
    Below is a scrubbed copy of my switch configuration. 
    config-file-header
    SWITCH01
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router
    vlan database
    vlan 2
    exit
    no bonjour enable
    hostname SWITCH01
    no logging console
    ip ssh server
    ip ssh password-auth
    clock timezone CEST +1
    interface vlan 1
    ip address 10.10.10.2 255.255.255.0
    no ip address dhcp
    interface vlan 2
    name VIRTUAL-MANAGEMENT
    ip address 10.10.21.1 255.255.255.224
    interface gigabitethernet1
    description ESXI01:VMNIC0:MGMT
    switchport trunk allowed vlan add 2
    interface gigabitethernet20
    description UPLINK
    exit
    ip route 0.0.0.0 /0 10.10.10.1 metric 15
    The routes I have defined are:
    Destination IP   Subnet Mask       Default Gateway   Hop Count   Interface
    10.10.21.0       255.255.255.224   10.10.10.2        1           eth0
    10.10.10.0       255.255.255.0                       0           eth0
                     255.255.252.0                       0           eth1
    239.0.0.0        255.0.0.0                           0           eth0
    default          0.0.0.0                             40          eth1
    Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

  • RV016 Router Allow All Traffic For Outside IP

    Hi,
    I need to configure the firewall to allow all traffic for the IP address of a server. What steps in the router do I need to configure this? This is a cloud-based VoIP server; we have IP phones and we need to add the IP address of the phone server to allow all traffic for that IP.
    thanks.

    Hi Jonathan,
    I have a similar problem with VoIP traffic being dropped by my new RV016 v3 router.
    I have created one firewall rule to allow ALL traffic from the external VoIP PBX provider (single IP) to connect to the internal VoIP phones, which have assigned addresses in a small IP address range (e.g. 10.1.2.50 - 10.1.2.59).
    The Aastra VoIP phones continually lose their registration with the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone 3 or 4 minutes after you hang up, and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
    We used to have an RV016 v2 router and VoIP traffic worked OK, with a similar firewall rule.  We replaced the v2 router because its CPU crashed.
    I tested the VoIP traffic with a WRT160 router with minimal firewall rules, and it works OK, as long as SIP-ALG is turned off.   We want to use the RV016 because it provides a larger number of ports for our LAN.
    Any suggestions ?
    Kirk

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old D-Link has broken). This RV220W is connected to a Cisco router (managed by the provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field "Send to Local Server (DNAT IP)" I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don't know how to do it.
    8. As you see, the problem is that I don't know how to set up a rule to allow specific traffic coming from the WAN (traffic from the remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LAN Office A) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice it would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts

  • Howto allow all inbound traffic on 678?

    I have a 501 behind a 678 (CBOS 2.4.6) The 678 does not allow inbound connection by default. How can I config the 678 to simply terminate the ADSL and allow all traffic both in and out, so that I can let the 501 do all the access control?

    Try:
    http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_book09186a008007ce34.html
    http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/prod_release_note09186a00800eac45.html

  • Cisco ACE asymmetric routing - DNS traffic

    Hi,
    I am wondering if ACE supports asymmetric routing.
    In my setup ACE is connected to a router with two transit L3 interfaces. The interfaces on the router side belong to different VRFs (e.g. VRF-A & VRF-B). The router is running MPLS in order to connect to the internet border-gateway router and then to the internet.
    Now the issue is that ACE got the default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on ACE) is advertised on the router in VRF-B.
    So the outbound traffic (DNS query) from servers to the internet takes the default route with the next hop of the router's interface in VRF-A, and the inbound traffic (DNS response) comes back via MPLS using VRF-B. That is because the server's subnet is only advertised in VRF-B, so the remote internet border-gateway will see the server's subnet with the route-target applied to it in VRF-B.
    When I enabled reverse-path forwarding on the transit interface I could clearly see in the ACE logs that the DNS response was getting dropped on the ACE. I have even removed reverse-path forwarding (nothing in the logs - but the DNS response from the internet still can't reach the servers). I think logically it's still asymmetric routing from ACE's point of view but not sure.
    Can anyone please confirm the solution to this issue? I am thinking that if I advertise the server's subnet in VRF-A as well then it will be symmetric routing, but not 100% sure if it will fix it.
    So just wondering if there are any other options advisable?
    Thanks

    Is it not possible to have a host route added to the destination server ? This would allow the traffic to be routed back the same way it came and thus the connection work ?
    Try adding a static route onto the destination server along the lines of ...
    route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
    This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
    That's just what I would do but I understand that it may not be the option you want.
    Good luck

  • Openswan client/Cisco RV220W not connecting

    I am attempting to connect a laptop with an openswan client (Openswan IPsec U2.6.28/K3.0.0-12-generic) with my Cisco RV220W. My connection fails, and the VPN status log shows the following:
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Configuration found for 108.58.YY.YY[500].
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received request for new phase 1 negotiation: 108.58.XX.XX[500]<=>108.58.YY.YY[500]
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received Vendor ID: DPD
    2011-12-06 15:04:59: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:09: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. c2e6f14d16bef607:02dbd105dcc0b299
    2011-12-06 15:05:19: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:29: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:39: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:49: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:59: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. 5646ff766f579fb0:b221f323a56ba913
    My configuration on the RV220W is as follows:
    VPN Policy:
    Auto Policy
    Remote endpoint is an IP address with 108.58.YY.YY
    Local traffic is a subnet
    Remote traffic is a single IP (same as above)
    Encryption/hash settings are: 3DES, SHA1, no PFS key group, SA lifetime of 3600
    IKE Policy:
    Responder
    Main mode
    Local and Remote use explicit IP addresses
    3des,sha1,pre-shared key,DH group 2,lifetime of 28800,no dead peer detection,no xauth
    On the client, I have the following openswan configuration:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    # Manual:     ipsec.conf.5
    version 2.0    # conforms to second version of ipsec.conf specification
    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        interfaces=%defaultroute
        plutodebug=all
        protostack=netkey
    # Add connections here
    conn L2TP-PSK
        # Use a pre-shared key.
        # Connection type _must_ be transport mode
        authby=secret
        keyingtries=3
        type=transport
        # "left" is the local linux machine
        left=%defaultroute
        leftprotoport=17/1701
        # "right" is the remote server
        right=108.58.XX.XX
        rightprotoport=17/1701
        # Do not install on startup
        auto=add
        # SA settings
        ike=3des-sha1-modp1024
        esp=3des-sha1
        keyexchange=ike
        pfs=no
    I would appreciate any insights into what might be going wrong here.

    Were you able to find a solution to your issue?   I am having a similar issue connecting to an ASA 5510.
    Thanks!
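    The log above shows the RV220W refusing to act on Informational exchanges that carry no HASH payload while Phase 1 is still unfinished. The following is an added example, not code from the thread or from either vendor: a bounds-checked parser for the ISAKMP (IKEv1) header and payload chain as defined in RFC 2408, applied to constructed datagrams (a Main Mode message 1 with the same DPD vendor ID the log reports, and an Informational NOTIFY with and without a HASH payload). The SA body and cookies are placeholders; only the DPD vendor ID is a real value. It shows what a responder has to check before trusting a notification, and why a cleartext notify without a hash must be ignored rather than acted on.

```python
"""
Added example, not from the thread: a bounds-checked parser for the
ISAKMP (IKEv1) header and payload chain (RFC 2408), used to show what
the responder is checking when it logs "Ignore information because the
message has no hash payload".  The messages below are constructed for
illustration; the SA body is a placeholder and only the DPD vendor ID
is a real value.
"""
import struct
from dataclasses import dataclass, field
from typing import List

ISAKMP_HDR = "!8s8sBBBBII"   # cookies, next payload, version, exchange, flags, message id, length
PAYLOAD_HDR = "!BBH"          # next payload, reserved, payload length (header included)
HDR_LEN = 28
FLAG_ENCRYPTION = 0x01        # E bit: everything after the header is ciphertext

EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
            4: "Aggressive", 5: "Informational"}
PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
           9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


@dataclass
class IsakmpMessage:
    exchange: str
    encrypted: bool
    payloads: List[str] = field(default_factory=list)


def parse_isakmp(msg: bytes) -> IsakmpMessage:
    """Walk the payload chain, refusing anything whose lengths do not add up."""
    if len(msg) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, xchg, flags, _mid, length = struct.unpack(ISAKMP_HDR, msg[:HDR_LEN])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match the datagram")
    parsed = IsakmpMessage(EXCHANGE.get(xchg, f"unknown({xchg})"), bool(flags & FLAG_ENCRYPTION))
    if parsed.encrypted:
        return parsed   # payloads are ciphertext; they can only be walked after decryption
    off = HDR_LEN
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt_next, _res, plen = struct.unpack(PAYLOAD_HDR, msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length out of bounds")
        parsed.payloads.append(PAYLOAD.get(nxt, f"unknown({nxt})"))
        off, nxt = off + plen, nxt_next
    return parsed


def is_unauthenticated_informational(msg: bytes) -> bool:
    """True for a cleartext Informational exchange with no HASH payload.

    Before Phase 1 completes nothing in such a message is authenticated, so a
    responder must not act on it (delete an SA, abort a negotiation, ...).
    """
    p = parse_isakmp(msg)
    return p.exchange == "Informational" and not p.encrypted and "HASH" not in p.payloads


def rejects(msg: bytes) -> bool:
    """True if the parser refuses the datagram as malformed."""
    try:
        parse_isakmp(msg)
    except ValueError:
        return True
    return False


def build(exchange: int, payloads, flags=0, rcookie=b"\x00" * 8, msgid=0) -> bytes:
    """Assemble a constructed ISAKMP datagram from (payload type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(PAYLOAD_HDR, nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR, b"\x01" * 8, rcookie, first, 0x10, exchange, flags,
                      msgid, HDR_LEN + len(body))
    return hdr + body


# Constructed datagrams: Main Mode message 1 (SA + DPD vendor ID, as in the log),
# then an Informational NOTIFY without and with a HASH payload.
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")
NOTIFY = struct.pack("!IBBH", 1, 1, 0, 14)   # DOI, proto ISAKMP, SPI size 0, NO-PROPOSAL-CHOSEN
MAIN_MODE_1 = build(2, [(1, struct.pack("!II", 1, 1) + b"\x00" * 8), (13, DPD_VID)])
INFO_NO_HASH = build(5, [(11, NOTIFY)], rcookie=b"\x02" * 8, msgid=0x1234)
INFO_HASHED = build(5, [(8, b"\xaa" * 20), (11, NOTIFY)], rcookie=b"\x02" * 8, msgid=0x1234)

if __name__ == "__main__":
    for name, m in (("main mode 1", MAIN_MODE_1), ("notify, no hash", INFO_NO_HASH),
                    ("notify, hashed", INFO_HASHED)):
        p = parse_isakmp(m)
        print(f"{name:16} {p.exchange:32} {p.payloads}  ignore={is_unauthenticated_informational(m)}")
```

    Two design points carry over to any IKE responder: every length field is checked against the datagram before it is used as an offset (a malformed peer must get a parse error, not an over-read), and a notify is only trusted once it is bound to the Phase 1 SA by a HASH payload, which is exactly the condition the RV220W log reports as missing.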

  • Inbound traffic alert (ESET) - Application: System

    I have a MacBook Pro (Retina, 15-inch, Mid 2014) running OS X Yosemite 10.10.2
    I have installed ESET Cyber Security Pro a while ago, and an inbound traffic alert just popped up. "A remote computer is attempting to communicate with an application running on this computer. Do you wish to allow this communication?"
    The application involved is "System", local port is TCP 8770. The remote computer is fe80::4c8d:97ff:feb4:5d8d, remote port is 56398.
    I am still new to Mac, and therefore I'm not sure if I should allow or block. I thought that it might be system updates, but not too sure about that so I'd rather wait for an answer before proceeding.

    Port 8770 is used for the Digital Photo Access Protocol, which in the case of a Mac means sharing of photos. I'm not sure exactly how this port is used in Yosemite, but you can bet this is just another Mac or iOS device on your local network querying your Mac to see if it is sharing any photos. It is very unlikely that you have a network configuration that would even allow a truly "remote" computer to connect to yours over the internet.
    ESET is wasting your time here. Uninstall it, and see my Mac Malware Guide for more information about protecting yourself from malware.
    (Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)

  • Allow DNS Traffic

    Hi!
    We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
    Thanks.

    ! <network> <wildcard-mask> for both the LAN and the WAN side
    access-list 101 permit tcp net_lan wildcard net_wan wildcard eq 53
    access-list 101 permit udp net_lan wildcard net_wan wildcard eq 53
    access-list 101 deny ip any any
    interface Serial0/0
     ip access-group 101 out
    N.B. That access list only permits DNS traffic. All traffic except DNS will be denied.

  • Allow IPSEC traffic thru 871?

    I am using Cisco 871s with the Advanced IPsec IOS for remote offices. I need to allow IPsec traffic to pass through the 871 to establish a client IPsec tunnel. The client VPN software is Nortel's Contivity VPN.
    How can I allow IPSEC traffic to pass thru the 871?

    If you are initiating VPN client connectivity from behind the 871 to outside you need to allow through the IPsec ports UDP 500, UDP 4500 and protocol 50 (ESP). I don't know Nortel's VPN client but I'm sure they follow the IPsec security standards.
    Try this on your 871 router.
    access-list 101 permit udp any any eq 500 log
    access-list 101 permit udp any any eq 4500 log
    access-list 101 permit esp any any log
    Apply ACL 101 to your outbound interface:
    interface <outbound interface>
     ip access-group 101 in
    HTH
    Jorge
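    Both of the access lists posted in this thread (the DNS-only list in "Allow DNS Traffic" and the IPsec pass-through list above) depend on the same three rules of IOS extended ACLs: wildcard-mask matching, first match wins, and an implicit "deny ip any any" at the end. The following is an added example, not code from either answer or from Cisco: a small Python model of those rules that parses the posted lines verbatim (with the constructed network 192.168.1.0/24 substituted for the "net_lan" placeholder) and evaluates constructed packets against them. Beyond the two cases in the answers it also shows the caveat a practitioner hits with the 871 list: applied inbound on the outside interface of a router with no stateful inspection (no CBAC or zone-based firewall), everything that is not IKE or ESP, including ordinary returning web traffic, falls through to the implicit deny.

```python
"""
Added example, not from the thread: a model of Cisco IOS numbered extended
access lists (wildcard masks, first-match evaluation, implicit deny), used to
check what the two ACLs posted above actually permit.  Nothing here talks to
a router; the LAN network 192.168.1.0/24 and all packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "esp": 50}   # "ip" matches every protocol
ANY = ("0.0.0.0", "255.255.255.255")            # "any" == 0.0.0.0 255.255.255.255


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq <port>" after the destination, if present

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and PROTO_NUM[self.proto] != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.dport == self.dport


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    pos = 4

    def address():                       # any | host A.B.C.D | A.B.C.D WILDCARD
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ANY
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = address()
    dst, dst_wc = address()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Ace(tok[2], tok[3], src, src_wc, dst, dst_wc, dport)   # trailing "log" ignored


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The DNS-only ACL from the "Allow DNS Traffic" answer, LAN placeholder filled in.
DNS_ACL = [parse_ace(x) for x in (
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 53",
    "access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53",
    "access-list 101 deny ip any any",
)]
# The IPsec pass-through ACL from the 871 answer, as posted.
IPSEC_ACL = [parse_ace(x) for x in (
    "access-list 101 permit udp any any eq 500 log",
    "access-list 101 permit udp any any eq 4500 log",
    "access-list 101 permit esp any any log",
)]

if __name__ == "__main__":
    lan, ns, peer, wan = "192.168.1.10", "198.51.100.53", "203.0.113.5", "192.0.2.1"
    print("DNS query from LAN     ->", evaluate(DNS_ACL, Packet(17, lan, ns, 53000, 53)))
    print("HTTP from LAN          ->", evaluate(DNS_ACL, Packet(6, lan, ns, 51000, 80)))
    print("IKE reply from peer    ->", evaluate(IPSEC_ACL, Packet(17, peer, wan, 500, 500)))
    print("ESP from peer          ->", evaluate(IPSEC_ACL, Packet(50, peer, wan)))
    # Inbound on the outside interface with no stateful inspection, a returning
    # HTTPS segment matches nothing and hits the implicit deny:
    print("HTTPS reply from web   ->", evaluate(IPSEC_ACL, Packet(6, "203.0.113.80", wan, 443, 51000)))
```

    The last case is the one to watch: the three permits are correct for IKE and ESP, but a stateless ACL applied inbound on the WAN interface needs either the "established" keyword, a reflexive ACL, or CBAC/zone-based inspection in front of it, or it cuts off every other return flow.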

  • Connect ShrewSoft vpn client to Cisco RV220W

    Hi ,
    I can't get QuickVPN to work with the Cisco RV220W router, so I configured the ShrewSoft VPN client
    to connect to the router with the XAuth advanced VPN configuration. It established the tunnel, but no ping works from the client to the office computers or even
    to the router IP (gateway). What is wrong with my setup?
    "Basic VPN Setup" doesn't allow me to save a new "VPN client": it throws the strange error "IPsec VPN configuration
    has failed as the remote end point is already in use".
    I attached an example of the XAuth advanced VPN configuration.
    Thanks
    Alex

    Hi Luis ,
    I did many checks of QuickVPN on different Windows XP/7 machines through different ISPs, according to a lot of Cisco and community documents, with the same negative result: it can't ping the remote gateway.
    QuickVPN requires so many things to configure and check that it turns out to be impossible to use in a company.
    I wanted to configure a client-to-gateway VPN with IPsec XAuth, which is supported by Cisco Small Business routers.
    Finally I configured a client-to-gateway IPsec remote connection using both the ShrewSoft and TheGreenBow third-party VPN applications. It was just a matter of turning the local host (VPN client) adapter mode to virtual, with a static IP address in a subnet different from the remote (gateway) subnet.
    Thanks
    Alexey

  • Cisco RV220W dual band wifi?

    Hello,
    The Cisco RV220W works in 2.4GHz or 5GHz.
    Is there any plan to support these bands simultaneously?
    Regards,
    Viorel

    The simultaneous dual-band feature will have to be found on a new product.
    FCC will not allow adding this capability using firmware upgrade.

  • Anyone using the Cisco RV220W instead of the HH3?

    Hi there,
    Has anyone had any experience good or bad of the Cisco RV220W router in place of the Home Hub?
    It supports PPPoE so on paper it should work.
    I'm after a router that has wireless, can do VPN (IPSEC & PPTP) and dynamic DNS.
    Thanks in advance,
    Bill

    Haven't used that router but, as you say, it supports PPPoE, so it will work without any problems.
    I've tested several different makes of router and not had a problem.

  • RV110W Blocks all inbound traffic

    I have an RV110W that's been in service since Dec 2012. Everything is working fine except that every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (power off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?

    Hi David,
    Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Inbound Traffic Blocked

    I am running VPN Client Version 5.0.00.0340. I have internal and external nics on the server. Once I have the tunnel established (inside internal nic) I seem to be dropping the inbound packets between the external and internal nics. Any suggestions?

    Well no - not really. The VPN client will establish the connection to the remote end using the local routing table it has. From that point onwards, that is the terminating IP address of the VPN session. The machine itself should be assigned an IP address from the remote VPN server; this IP address will be used to receive and send encrypted traffic from the central end.
    If you have an internal NIC in the server you also have the VPN client on... do you want to send traffic from your LAN through the VPN client to the remote end? If so, the external and internal NICs must be on the same IP subnet, as the remote VPN client cannot be used as a pass-through device for 2 different subnets... unless you perform NAT on the device with the VPN client... if you are doing that, you may as well just buy a firewall or router!
    HTH.
