RV220W - port redirection/access rules with multiple WAN IPs

I've just installed a Cisco RV220W - which works fine for outbound traffic, however for inbound it seems unable to work with multiple WAN IPs.
We have a block of 6 WAN IPs assigned to us by our ISP, and I want to make use of all of them to expose certain ports on our servers to the outside world.
I've tried to do this with Access Rules (using HTTP as an example) with the following settings:
Connection Type: Inbound (WAN (Internet) > LAN (Local Network))
Action: Always Allow
Service: HTTP
Source IP: Single Address
Start: <one of the WAN IPs>
Send to Local Server (DNAT IP): <IP of the internal server>
Use Other WAN (Internet) IP Address: disabled
Rule Status: Enabled
Yet the server/port remains inaccessible.
I've tried:
rebooting the server with a power off/on again
implementing the same settings in port forwarding
triple-checking all IP addresses being used
The only way I've got it working is by changing the access rule so that it applies to any source address rather than one specific one...  however that's not a solution for us as we need to use specific IP addresses for specific internal servers/ports.
The router's admin interface certainly suggests this should be possible, however making use of it seems to break all incoming access!
Any suggestions welcome.

You should be using "ANY" as the source IP, as you are publishing your internal server to the internet, and "internet" means the request can come from any source IP (you don't know what it is, so it will be any).
Basically, you want any source IP to hit one of your WAN IPs on port 80, and then your firewall will redirect that request to the internal server's private IP address on the same port 80. And when the response comes back from the internal server, the firewall will already have this translation entry in it, so the reverse NAT will happen (you don't need to configure this; it is a default firewall feature).
I hope I have answered your question well.
Please mark as correct if you like the response.
Thanks
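An added illustration of the answer above (example code, not from the thread and not Cisco's): the rule's Source IP field describes where the client comes from, so one of your own public addresses entered there can never match traffic arriving from the internet. The public address belongs on the destination side of the match, which on this kind of device is the WAN address the rule answers on (reading the question's "Use Other WAN (Internet) IP Address" setting that way is this example's assumption, not something the answer states). The model below uses constructed RFC 5737 and RFC 1918 addresses and its own field names; it shows the misconfigured rule dropping a client request, the corrected per-address rules steering each public IP to its own server, and the stored state reversing the NAT on the reply without an extra rule.

```python
"""Added example, not from the thread: a small model of inbound access rules
with DNAT. It shows why putting the WAN address in the *source* field never
matches a packet from the internet, while matching it as the *destination*
lets each public address steer to its own internal server. All addresses are
constructed (RFC 5737 / RFC 1918); field names are the example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class InboundRule:
    """Inbound WAN->LAN allow rule. src_ip=None means 'Any' source;
    wan_ip=None means the rule answers on every public address."""
    service_port: int
    dnat_ip: str
    src_ip: Optional[str] = None
    wan_ip: Optional[str] = None
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dport == self.service_port
                and (self.src_ip is None or pkt.src == self.src_ip)
                and (self.wan_ip is None or pkt.dst == self.wan_ip))


class Firewall:
    """First-match rule list with a default deny, plus a conntrack table that
    reverses the DNAT on the reply without an explicit rule."""

    def __init__(self, rules: List[InboundRule]):
        self.rules = list(rules)
        # (client ip, client port, private ip, private port) -> public WAN ip
        self.conntrack: Dict[Tuple[str, int, str, int], str] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the WAN side. Returns the DNATed packet handed
        to the LAN, or None if no rule allowed it (implicit deny)."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.conntrack[(pkt.src, pkt.sport, rule.dnat_ip, pkt.dport)] = pkt.dst
                return Packet(pkt.src, rule.dnat_ip, pkt.sport, pkt.dport, pkt.proto)
        return None

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply leaving the LAN server. Stored state rewrites the private
        source back to the public address the client originally spoke to.
        Returns None when there is no state (a fresh outbound flow would take
        the normal outbound-NAT path, which this model leaves out)."""
        wan_ip = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if wan_ip is None:
            return None
        return Packet(wan_ip, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


WAN_WEB, WAN_MAIL = "203.0.113.10", "203.0.113.11"    # two ISP-assigned public addresses (constructed)
LAN_WEB, LAN_MAIL = "192.168.10.20", "192.168.10.30"  # the internal servers (constructed)
CLIENT = "198.51.100.7"                                # some host on the internet (constructed)


def misconfigured() -> Firewall:
    """The rule from the question: the WAN address entered as the source."""
    return Firewall([InboundRule(80, LAN_WEB, src_ip=WAN_WEB)])


def corrected() -> Firewall:
    """The answer's shape: source Any, one rule per public address, each
    steering to its own server by matching the destination."""
    return Firewall([InboundRule(80, LAN_WEB, wan_ip=WAN_WEB),
                     InboundRule(25, LAN_MAIL, wan_ip=WAN_MAIL)])


if __name__ == "__main__":
    request = Packet(CLIENT, WAN_WEB, 40000, 80)
    print("misconfigured:", misconfigured().inbound(request))      # None: dropped
    fw = corrected()
    print("corrected:", fw.inbound(request))                        # dst rewritten to LAN_WEB
    print("reply:", fw.reply(Packet(LAN_WEB, CLIENT, 80, 40000)))  # src rewritten back to WAN_WEB
```

The only packet the misconfigured rule would ever accept is one whose source is the WAN address itself, which is why it appears to "break all incoming access"; the corrected set also shows that port 80 on the second public address stays closed unless a rule publishes it there.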

Similar Messages

  • SRP547W, How to use multiple WAN IPs for port forwarding?

    Hi folks,
    We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
    What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our public IPs...
    Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
    We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
    a.b.c.208     Network Address (/29 subnet)
    a.b.c.209     ISP Gateway
    a.b.c.210     IP1
    a.b.c.211     IP2
    a.b.c.212     IP3
    a.b.c.213     IP4
    a.b.c.214     IP5
    a.b.c.215     Broadcast Address
    On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
    VLAN ID:               4000 (Chosen arbitrarily)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.211
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    When we try to do so however we get:
    Fail!
    Conflict with Ether_WAN2 interface address type
    I should mention at this point that we're running on firmware version 1.02.01 (023).
    Any suggestions on how we can proceed?
    Is there a CLI or other method of configuration that might work if the web interface won't?
    Thanks,
    Tim.

    OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
    As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    We'd now like to expose a server function on IP2, let's say LAN details for this server are:
    VLAN:                  3000
    VLAN IP Range:         192.168.1.1/24
    Server IP:             192.168.1.10
    Server Port:           80
    So first we turn on Software DMZ:
    Status:                Enabled
    Public IP:             a.b.c.211
    Private IP:            192.168.1.10
    WAN Interface:         Ether_WAN2
    My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
    Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
    In Interface (WAN):    All
    Out Interface (LAN):   VLAN.3000
    Source IP:             0.0.0.0
    Source Subnet:         0.0.0.0
    Destination IP:        192.168.1.10
    Destination Subnet:    255.255.255.255
    Protocol:              TCP
    Source Port:           Any
    Destination Port:      Single:80
    Action:                Permit
    Schedule:              Everyday
    Times:                 24 Hours
    Still no dice. What am I missing?
    Cheers,
    Tim.

  • RV042 router multiple WAN IPS assigned to different LAN IPs range

    I would like to have multiple WAN IPs and assign them to different LAN IPs. If I use the One-to-One NAT option it gives me only the LAN IP 192.168.1.xxx. There is an option to specify more than one LAN IP, but it is not possible to forward ports to these extra LAN IPs or to set up rules.
    Is there any way to manage this with this router? If not, what router will meet my requirements?

    Andreas,
    Unfortunately what you're wanting to do will not work with the RV042. It will only allow the one-to-one NAT rules to be applied to the default LAN subnet.
    You will have to use the SA500 series router, which will let you do IP aliases to different LAN subnet addresses.

  • Extended access list with multiple ports

    Hello All,
    I have a problem with my Cisco Catalyst 4503-E when I try to configure extended access lists with multiple ports.
    I receive the following message:
    The details of my switch are the following:
    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
    12.2(52)SG, RELEASE SOFTWARE (fc1)
    Please help me to resolve this problem.
    Best regards.

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiple Por

  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
    I am trying to use object-groups where ever i can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What I want is to use the service objects, and the source network would be obj_Meraki_lan and the destination would be obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this, maybe with a few examples? I am already using object groups in many ACLs but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing stops you from adding ICMP into the "object-group service" as well.
    - Jouni
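    An added example, not part of either thread and not Cisco code, that serves both the Catalyst multi-port ACE above and this ASA object-group question. It expands the three-object-group ACE into flat elements of the kind packet-tracer prints (`permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www`), checks the packet-tracer case against them, rejects the non-contiguous 255.255.225.240 mask that appeared in the question's posted config, and splits the Catalyst `eq 135 389 ... domain 88` clause into one ACE per port, a common workaround when a platform rejects the multi-port form (whether that is what the 4503-E objected to is not something the thread shows). The PORT_NAMES table, the helper names and the "service, source, destination" order check are the example's own; the group names and addresses are the ones posted.

```python
"""Added example, not from either thread and not Cisco code: expand an ASA
ACE built from three object-groups into flat elements, check a packet against
them, and split an IOS multi-port 'eq' clause into one ACE per port. Group
names and addresses are the ones posted; helper names are the example's own."""
import re
from ipaddress import IPv4Address, IPv4Network
from itertools import product
from typing import Dict, List, Tuple

# Port keywords accepted in place of numbers (IANA values; a subset, assumed).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53,
              "ssh": 22, "smtp": 25, "ldap": 389, "ldaps": 636}

Groups = Dict[str, Tuple[str, list]]                      # name -> (kind, members)
Element = Tuple[str, str, IPv4Network, IPv4Network, int]  # action, proto, src, dst, dport


def port_number(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_object_groups(text: str) -> Groups:
    """Parse 'object-group network|service' blocks. Network members become
    IPv4Network objects, so a non-contiguous mask like 255.255.225.240 raises
    ValueError instead of passing silently."""
    groups: Groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (network|service) (\S+)$", line)
        if m:
            current = (m.group(1), [])
            groups[m.group(2)] = current
            continue
        if not line or current is None or line.startswith("des"):
            continue                                  # blank line or description
        kind, members = current
        if kind == "network" and line.startswith("network-object host "):
            members.append(IPv4Network(line.split()[2] + "/32"))
        elif kind == "network" and line.startswith("network-object "):
            _, net, mask = line.split()
            members.append(IPv4Network(f"{net}/{mask}"))  # strict: host bits must be zero
        elif kind == "service":
            s = re.match(r"service-object (tcp|udp) destination eq (\S+)$", line)
            if s:
                members.append((s.group(1), port_number(s.group(2))))
    return groups


ACE_RE = re.compile(r"access-list \S+ extended (permit|deny) "
                    r"object-group (\S+) object-group (\S+) object-group (\S+)$")


def expand_ace(ace: str, groups: Groups) -> List[Element]:
    """Expand '... object-group <service> object-group <src> object-group <dst>'
    into service x source x destination elements. The groups must come in that
    order and be of those kinds; swapping them is the usual mistake."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("unsupported ACE form")
    action, svc, src, dst = m.groups()
    for name, want in ((svc, "service"), (src, "network"), (dst, "network")):
        if groups[name][0] != want:
            raise ValueError(f"{name} is a {groups[name][0]} group, expected {want}")
    return [(action, proto, s, d, port)
            for (proto, port), s, d in product(groups[svc][1], groups[src][1], groups[dst][1])]


def ace_is_valid(ace: str, groups: Groups) -> bool:
    try:
        expand_ace(ace, groups)
        return True
    except (ValueError, KeyError):
        return False


def permits(elements: List[Element], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching element decides; no match is the implicit deny."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for action, p, s, d, port in elements:
        if p == proto and port == dport and src in s and dst in d:
            return action == "permit"
    return False


def mask_is_valid(net: str, mask: str) -> bool:
    try:
        IPv4Network(f"{net}/{mask}")
        return True
    except ValueError:
        return False


def expand_ios_multiport(ace: str) -> List[str]:
    """Split an IOS ACE '... eq p1 p2 ...' into one ACE per port; port
    keywords are passed through as written."""
    head, sep, ports = ace.strip().partition(" eq ")
    if not sep or len(ports.split()) < 2:
        raise ValueError("expected an ACE with two or more ports after 'eq'")
    return [f"{head} eq {p}" for p in ports.split()]


# Config copied from the thread (constructed test input for this example).
ASA_CONFIG = """
object-group service obj_Meraki_outbound
 service-object tcp destination eq 443
 service-object tcp destination eq 80
 service-object tcp destination eq 7734
 service-object tcp destination eq 7752
 service-object udp destination eq 7351
object-group network obj_Meraki_lan
 network-object 10.2.11.0 255.255.255.240
 network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
 des This group lists all hosts associated with Meraki.
 network-object host 64.156.192.154
 network-object host 64.62.142.12
 network-object host 64.62.142.2
 network-object host 74.50.51.16
 network-object host 74.50.56.218
"""
ACE = ("access-list outbound_access extended permit object-group obj_Meraki_outbound "
       "object-group obj_Meraki_lan object-group obj_Meraki_pub")
IOS_ACE = "permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88"

if __name__ == "__main__":
    elems = expand_ace(ACE, parse_object_groups(ASA_CONFIG))
    print(len(elems), "elements; packet-tracer case permitted:",
          permits(elems, "tcp", "10.2.11.1", "64.156.192.154", 80))
    print("\n".join(expand_ios_multiport(IOS_ACE)))
```

    The expansion is 5 services x 2 source networks x 5 destination hosts, 50 elements, which is what you pay for in ACL memory when a group grows; the order check in expand_ace is the piece most worth keeping, since the ASA form puts the service group first and a swapped order is the most common reason "object-group everywhere" rules fail to apply.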

  • Single access point with multiple ssids and single channel possible?

    Hi everybody.
    I have this silly question.
    Let say we have three vlans, vlan1,2,3  and they are mapped to wlans as follows:
    Vlan 1  ssid1
    Vlan 2 ssid2
    Vlan3 ssid 3
                      AP --------trunk------ switched network
    Our AP has mobile devices in three WLANs, i.e. ssid1, ssid2 and ssid3.
    Since the AP uses half-duplex mode, mobile devices need a positive ack from the AP before they can send data; therefore one channel, let's say channel 3 (assuming 802.11b is used), can be shared by all mobile devices in the three WLANs.
    Is  my understanding correct?
    Thanks and have a great weekend.

    Hi,
    Yes, that is pretty much possible, as suggested by other experts on board. Depending on your access point you will have one (2.4 GHz) or both 2.4 and 5 GHz radios.
    You can configure multiple SSIDs (up to 16), known as MBSSID mode, in an autonomous environment. In a controller-based architecture you can configure up to 512 WLANs (SSIDs) and transmit any 16 of them per AP (using the AP group feature). However, it is recommended to keep the SSID count below 8, as for each SSID a separate beacon is sent on air, which consumes more air time.
    Hope this helps
    Thanks
    Vinay

  • Applescript Creating a graphic rule with multiple anchors

    What is the syntax for creating a rule such as you would create with the pen tool in CS2/CS3?
    I am trying to place a rule around a group of graphic boxes. I have the anchors for the rule, determined by examining the bounds of the rectangles, but I can't determine the syntax to create the rule.
    I'd think something like:
    tell application "Adobe InDesign CS2"
    tell document 1
    tell page 1
    make graphic line at beginning with properties {label:"ruleout", stroke color:"Black", stroke weight:2, entire path:{20, 20, 80, 80, 100, 100, 150, 150}}
    end tell
    end tell
    end tell
    where the anchors are y,x in the entire path property. I've been trying to get the properties of a line I did create with the pen tool, but can't find the anchors buried anywhere within the properties.
    Anyone have a tip?

    Hi Tom,
    The entire path property is a property of a path, not of a graphic line (or other page item). What you want is probably more like this:
    set myGraphicLine to make graphic line with properties {label:"ruleout", stroke color:"Black", stroke weight:2}
    set entire path of path 1 of myGraphicLine to {{20, 20}, {80, 80}, {100, 100}, {150, 150}}
    Note that myGraphicLine is now a polygon (because it has more than two points).
    Thanks,
    Ole

  • Guest Access Certificates with Multiple Controllers

    So I have an interesting scenario to run by the group, I haven't done this but was wondering if anyone else had tried it.
    Scenario: is 5 WLC's running 6.0.188.0, One guest SSID, and One H-REAP guest SSID.
    WLC#1: SNMP Name is WLC01, Virtual Interface DNS Name is GWLC.somewhere.com, Virtual Interface IP is 1.1.1.1
    WLC#2: SNMP Name is WLC02, Virtual Interface DNS Name is GWLC.somewhere.com, Virtual Interface IP is 1.1.1.1
    WLC#3: SNMP Name is WLC03, Virtual Interface DNS Name is GWLC.somewhere.com, Virtual Interface IP is 1.1.1.1
    WLC#4: SNMP Name is WLC04, Virtual Interface DNS Name is GWLC.somewhere.com, Virtual Interface IP is 1.1.1.1
    WLC#5: SNMP Name is WLCDMZ, Virtual Interface DNS Name is GWLC.somewhere.com, Virtual Interface IP is 1.1.1.1
    So part 1 of my question is does the above configuration cause any issues with the controllers?
    Part 2 of my question is can you request a single SSL certificate for the hostname GWLC.somewhere.com and install it on all the controllers?
    The reason for having the certificate on all the controllers is because of the H-REAP Locally Switched SSID.
    Anyone have experience with this, input, thoughts?
    Thanks.

    I too have seen numerous cases on this.
    Bottom line is that as long as your HREAP Guests can resolve GWLC.somewhere.com through DNS (as 1.1.1.1), then this should work.

  • Accessing library with multiple users?

    Hi,
    I want to set up separate log in accounts for myself, my wife and my son. I am the Administrator. How do I link my wife and son's iTunes to my music folder so that I don't have multiple copies of the same songs on my HD?
    Thanks,
    kevin

    I have successfully shared the iTunes music library across users on my iMac but the other two users can't rip a CD or download from the iTunes music store. Only I can do that on my log in. How do I give them permission to rip and download?

  • Accessing ITunes with Multiple Users

    After reading all the threads, I was feeling pretty pleased with myself that I moved my library from an old PC to my new iMac and was able to play all of my songs. My stumbling block is that I can't figure out how to listen to the songs when other family members are logged in under their ID. I loaded everything in my Music folder under my user ID.
    Any suggestions?

    Do you mean when they are logged onto the same computer at the same time as you?
    Can't do it.

  • [solved] Arch linux access point with multiple interfaces for the NAT

    Hi, I have a router running Arch linux. It is connected via LAN (let's call it eth0) to the internet. It has a second LAN interface, eth1, and a wireless interface in master mode, wlan0.
    Now, everything works perfectly except providing network connectivity on eth1 and wlan0 simultaneously. I followed the guide in the "Internet share" wiki article and use dnsmasq/hostapd for the AP. It appears as if all traffic from the router is sent to the wlan0 interface, even if it came in through eth1 (for example, DHCP requests). I cannot really find information on how to solve this. The words "bonding" and "iptables" are floating around, but there is not really an easy-to-understand tutorial for this.
    What do I need to do to use both the eth1 and wlan0 interface (for different clients!) on my router?
    Best regards, and thank you in advance
    Jan Oliver
    /e: This seems to be my problem: http://www.novell.com/support/kb/doc.php?id=7000318 How do I solve this using the usual iptables? (The way described in the article doesn't work: "RTNETLINK answers: No such process" errors.)
    Last edited by janoliver (2013-09-25 22:24:53)

    Or you could bridge eth1 and wlan0, and make dnsmasq bind/listen on that bridge...

  • How can I use Apple Caching Service on a Network with Multiple Public IPs?

    Hello!
    I help manage a network of ~4000 clients for a small liberal arts college in Michigan. I'm looking into the possibility of implementing Apple Caching Server for our network.
    We have one 400mbit pipe out to the internet, and all of our clients are given public-facing IPs to the internet. A caching server would be great, especially on update days. All wireless clients are on the same subnet, which is where I'd like the server to be serving the cached copies.
    I have installed Mavericks on a fresh machine, downloaded OS X Server 3.0.3, and attempted to start the caching service. This is what I get.
    Unable to start service.
    Caching cannot be run on a public network. Consult documentation.
    How can I get this up and running?

    The way the Caching server works is that the server will be accessing the Internet, and when doing so traffic will be coming from it via a particular public IP address. Usually this will not be the address of the server itself but your router, as for most networks NAT is used. In this by far more common scenario the client Macs (and likely iOS devices) will be going through the same router and hence show up via the same public IP address.
    If the client request is the same as the address registered via the Caching server then Apple redirect the request via the Caching server.
    The setup would look something like this -
               Internet
                   |
             Router (with NAT)
                   |
    (LAN)  +---Caching Server---Client devices
    With this setup because everything is using the same public IP address Apple can reasonably assume everything is on the same network and trigger a redirection to your Caching server.
    If you try a setup like the following with the Caching server having its own public IP it will not work because the Caching server and client devices will have different public IP addresses
               Internet
                   |
             Router (no NAT)----------------+
                   |                        |
           Firewall (with NAT)       Caching Server
                   |                        |
    (LAN)  +---Client devices---------------+
    Your configuration as described is more like the following
               Internet
                   |
             Router (no NAT)
                   |
    (LAN)  +---Caching Server---Client devices
    With yours not having NAT each device has its own public IP address including the Caching server and Apple cannot redirect traffic as it thinks they are on different networks.

  • [OIM] Automate AD provisioning with multiple custom rules.

    I am working on setting up provisioning automation and I'm very confused about the best way to do it.
    I need to have OIM do the following when creating an Active Directory Account
    If the user is an employee put them in container X
    if they are a contractor put them in container Y
    If they are a warehouse worker, do not give them an account
    If they are in NY, give them an account with group A
    if they are in Denver, give them group B
    and so on
    So I need to have multiple rules checked and for certain fields to get certain things based on which rules are true. Do I need separate groups and Access policies for each rule?
    Is there a way to make one collection of rules with multiple outcomes leading to multiple mappings?
    rkimbal45
    Edited by: rkimball on Jul 27, 2010 4:19 PM

    Great question but unfortunately there is no straight answer.
    Exactly what you can and should do varies depends on what tradeoffs you are ready to make in your configuration. It is very hard to give a condensed and straight answer that covers all possible configurations and gives you an overview of pros and cons.
    I wrote up a paper on this a while ago that discusses this issue at quite some length. I am posting the excerpt that discusses this specific point below but it really helps if you have the rest of the context in the document.
    Feel free to contact me through linked if you want a copy of the doc.
    Hope this helps
    /Martin
    Role based group memberships
    In some cases you have a requirement that users who fit a certain profile should be given a certain target system role. One common example would be that employees should be added to the employee group and contractors should be added to the contractor group. OIM supports this scenario through the rule, group and access policy system.
    A rule lets you specify that a user that fits a certain profile (i.e. whose userType attribute on the user form is “employee”) should become a member of a certain group. The group membership in turn triggers execution of an access policy. The policy specifies that the user should be given a certain resource object with specific configuration of process form and child form. This in turn can trigger a target system group membership update.
    This works great as long as the specifications for the rules are simple and doesn’t require usage of wildcards. If you have more advanced requirements, i.e. users with department 6200-6500 excluding 6345 should go in this group, you will end up with a lot of rules (299 to be exact). Likewise if you have more advanced requirements around what target system memberships should be given you end up with a lot of access policies. Even if you manage to implement this you can easily end up in a management nightmare with hundreds or even thousands of rules, groups and access policies.
    Another weakness is that access policies can only be used to grant one instance of a specific resource object to a specific user. This is often a crippling limitation.
    One way to escape the limitations of the rules is to use entity adapters attached on insert and update on the user form. This makes it possible to replace large number of explicit rules with a single logical expression. The downside is that the business logic is now defined in code rather than configuration. You could of course write code that loads configuration from a text file, a lookup table or an XML file but that only takes you so far.
    Likewise you can replace the access policies with entity adapters that gives out ROs according to business rules defined in the code. Eliminates some of the limitations but makes the system harder to implement and manage.

  • Access rule for Google Cloud Printer

    I want my users to access Google Docs, a Gmail account, Google Drive and Google Cloud Printer only, but not to get access to the Google website.
    I made a rule for it and blocked the Google search engine.
    After testing:
    Google Docs is accessible, the Gmail account is accessible and Google Drive is also accessible, but I am not able to access Google Cloud Printer, because Google Cloud Printer is not a namespace.
    So kindly help me out: what should I do, and what kind of rule do I have to make so my users can also access Google Cloud Printer? I don't want my clients to access the Google search engine.
    electrifying

    Hi,
    For this you can try creating a domain name set on the TMG server first. You can name the domain name set "Google", for example. The entry in the domain set can be set to *.google.com or the required domains. After that, try creating an access rule with these properties:
    1. From ---> Internal and Localhost
    2. To ---> Add the name of the created domain name set. (Google)
    Apply the changes and check if you are able to access the sites now.
    Check out this article : http://technet.microsoft.com/en-us/library/cc441706.aspx.
    Regards,
    Gijo

  • RV220W access rules (related to wireless deactivation)

    I would like to find a workaround in order to have an "advanced SSID scheduler" to activate wireless connections at different times depending on the day. There currently is only one single setting available, which activates a wireless network at the same time every single day, 365 days/year... Even on weekends and during the holidays.
    I actually managed to program an access rule to slightly modify this behaviour, but I can't manage to disable the signal completely, and connections are still active (on specific applications, at least), which is a real issue to me.
    This is the access rule I have currently set:
    Connection type: Outbound
    Action: Block by schedule (using a different schedule than the one set on the basic wireless settings)
    Service: Any
    Source IP: Address range (all the devices I want to control with the rule)
    Destination IP: Any
    This rule works, but when the "off" time triggers, if a device was connected on facebook Messenger or on Skype, it will keep the connection and not lose it as expected. Actually, facebook Messenger will still accept incoming messages, but won’t send outgoing messages.
    Of course, I’d like to make sure the wireless signal is completely blocked...
    Any suggestion?

    Update - I managed to get the firewall to pass the HTTPS requests by changing the remote management port to 60443 and changing the NAT rule from ANY to HTTP and adding access policies for the other ports. The problem now is that the firewall is not always passing SSH traffic.
    Intermittently the firewall accepts the SSH traffic intended to go to the xxx.xxx.xxx.219 on xxx.xxx.xxx.218.
    NAT:
    Private Range Begin: xxx.xxx.xxx.32
    Public Range Begin: xxx.xxx.xxx.219
    Range Length: 1
    Service: HTTP
    ACL:
    Connection Type: Inbound > LAN
    Action: Always Allow
    Service: HTTPS
    Source IP: Any
    DNAT IP: xxx.xxx.xxx.32
    WAN IP Address: xxx.xxx.xxx.219
    Connection Type: Inbound > LAN
    Action: Always Allow
    Service: SSH
    Source IP: Any
    DNAT IP: xxx.xxx.xxx.32
    WAN IP Address: xxx.xxx.xxx.219
    I know that it is a bad idea to have SSH open on a public IP, but until I can get IPSEC VPN set up this is necessary. I'm not willing to start with the IPSEC setup until I can get the other rules to be stable.
    One nightmare at a time, please.
