Today I got a new Cisco RV220W. This is an excellent, feature-rich wireless firewall for a small business. It supports all of our needs, which include one-to-one public-to-private Network Address Translation, VLANs, and layer 3 switching.
I am going to show you how to set up the one-to-one NAT rules. This allows you to have a server on an internal network or DMZ and translate its IP address to a public address. For this to work you need to have static public IP addresses. This is fairly common with Comcast business class.
The first thing you need to do is log into your firewall. You can do this by entering the private IP address of the device in a browser. The default is 192.168.1.1. Type in your username and password. Always be sure to change these from the default, and then WRITE THEM DOWN in a secure area.
This will bring you to the default home page. The next step is very, very important. You must register your firewall with each of the public IP addresses that you want to use for one-to-one NAT. This is done so that the firewall answers ARP for those addresses toward the modem or gateway, so that the gateway knows to send requests from the internet for those IP addresses to the firewall.
On the left panel go to Networking / WAN / IPv4. In the Static IP Settings, type in one of the IP addresses that you want to use for your one-to-one NAT. Then click on the Save button.
You will want to wait for at least 60 seconds, or, if you have an external internet connection separate from the network you are running on, you can ping the IP address and wait until you start getting a reply.
Once you get a reply, replace the IP address with the next IP address that you are trying to register. Continue doing this until all of the IP addresses that you will be NATing have been registered. Once you are done, set the IP address back to the one that you want to use to manage this device.
Now that all of the IP addresses are registered, we can move on to the NATing.
On the left side go over to Firewall and select it. This will expand the selection. Click on One to One NAT. This will make the right panel show you the existing one-to-one NAT rules.
The right-hand panel is broken up into two sections: the One to One NAT Route Tables and the Services for One to One NAT tables. The One to One NAT Route Tables define where data is coming from and going to. The Services table defines what services are allowed.
As you can see, there is already an entry in there. We will be adding a new one. Click on the Add button under the One to One NAT Route Tables to add a new route.
This will open up the new NAT screen.
In the Private Range Begin field, fill in the IP address of the server that you would like to be accessible over the internet. It is a bit confusing because it says range, but we will address that later.
In the Public Range Begin field, fill in the public static IP address that you want to assign to this machine.
In the Public IP Subnet Mask field, fill in the mask for your public block. Typically this is given to you by your ISP.
In the Range field, select 1. We are not trying to map a range of computers, only one. A larger value maps consecutive private addresses to consecutive public addresses, starting from the two Begin addresses.
Click on Save.
This will take you back to the NAT Tables. You should now see the Rule that you just created. Next Click on the Add button by the Services for One to One NAT Table.
This will open up the list of services that you can choose from to allow.
In the LAN Server IP address, put in the IP of the server that you want to allow traffic to and in the Services drop down select the service you want to allow. Note, you can only allow one service per rule.
This will take you back to the tables. You will see the service that you just added.
That is all there is to it. I do see some things that don't make much sense to me, like why there is a range for one-to-one NAT but no range for the services. You would think that you would want to allow a service, say RDP, for a range on your subnet.
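The route table and services table described above are easy to get subtly wrong: a public address outside the ISP's mask, the same public address mapped twice, or a service entry for a LAN server that has no route. This added example (my own checker, not Cisco's code or anything on the RV220W) models the two forms and validates a rule set before you save it; it also expands one service across a NAT range, which is the per-host list the GUI makes you enter by hand. All addresses are constructed; 203.0.113.0/24 is a documentation range.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OneToOneRule:
    private_begin: str   # "Private Range Begin" on the RV220W form
    public_begin: str    # "Public Range Begin"
    public_mask: str     # "Public IP Subnet Mask" (from the ISP)
    range_len: int       # "Range": number of consecutive hosts to map

@dataclass(frozen=True)
class ServiceRule:
    lan_server: str      # "LAN Server IP Address"
    service: str         # one service per rule, as the GUI requires

def expand_mappings(rule):
    """Private begin+i maps to public begin+i for i in 0..range-1."""
    priv = ipaddress.IPv4Address(rule.private_begin)
    pub = ipaddress.IPv4Address(rule.public_begin)
    return [(str(priv + i), str(pub + i)) for i in range(rule.range_len)]

def check_config(nat_rules, service_rules):
    """Return a list of problems; an empty list means the rule set is consistent."""
    problems = []
    public_to_private, private_to_public = {}, {}
    for r in nat_rules:
        net = ipaddress.IPv4Network(f"{r.public_begin}/{r.public_mask}", strict=False)
        for priv, pub in expand_mappings(r):
            addr = ipaddress.IPv4Address(pub)
            if addr not in net:
                problems.append(f"{pub} is outside the public subnet {net}")
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(f"{pub} is the network or broadcast address of {net}")
            if pub in public_to_private:
                problems.append(f"public {pub} is mapped twice")
            if priv in private_to_public:
                problems.append(f"private {priv} is mapped twice")
            public_to_private[pub] = priv
            private_to_public[priv] = pub
    for s in service_rules:
        if s.lan_server not in private_to_public:
            problems.append(f"service {s.service} for {s.lan_server} has no one-to-one NAT route")
    return problems

def service_rules_for_range(nat_rule, service):
    """Expand one service across a NAT range, since the GUI takes one host per rule."""
    return [ServiceRule(priv, service) for priv, _ in expand_mappings(nat_rule)]
```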
Ah well that is all this week.
UPDATE: with Firmware 126.96.36.199!
When Cisco changed their firmware, they also changed the interface for the one-to-one NAT settings. As you can see below, where One-to-One NAT used to be the last option under Firewall, Cisco added a whole Advanced Settings section, and One to One NAT now lives under it.
Not only did that change, but the whole Custom Services section was moved down as well.
So now, when you want to open a custom port, you need to go down to the Custom Services icon and click on Add.
This will open the Custom Services Configuration screen. Fill in a name for this service. From the drop-down, select a type of traffic: TCP, UDP, ICMP, ICMPv6, or Other. Depending on the type of traffic, fill in the ICMP type, the port range, or the protocol number. Click on Save.
This now saves the configuration for later use in the Port Forwarding Section.
On the Custom Services Page you can see all of the services you defined.
Now let’s go to the Port Forwarding page. To add a new port forwarding rule click on Add.
This will take us to the Port Forwarding Configuration. In the Action section, select if you are trying to allow or block. Typically you are trying to allow. You also have the option to allow by schedule. We will not be digging in that deep, but it allows you to time when the ports will be accepting traffic and when they will not.
Next we will select the service that we want to allow. All of the Custom Services are located at the bottom of the dropdown list.
Please note that there are a ton of pre-configured services. When speaking to the Cisco tech they stated that if the pre-configured service did not work correctly try creating a custom service.
In the Source IP section, if you want traffic to be allowed from any outside internet connection, leave this at Any.
In the Destination IP address field, type in the local IP address of the server that you want to forward this traffic to, e.g. 192.168.1.4.
In the Forward Port From and Forward Port To fields, I have left the defaults, but you can adjust these if you want some sort of port translation. I feel that this adds complexity.
Click on Save to save your configuration.
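As an added example of the custom service and port forwarding forms just walked through (my own checker, not Cisco's code), this models both screens and flags the mistakes that slip through a GUI: a port range or ICMP type that makes no sense for the chosen type, a destination that is not a local address, and an Allow rule that exposes a remote-administration port to Any. The set of admin ports is my assumption; adjust it for your site.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class CustomService:
    name: str
    kind: str             # TCP, UDP, ICMP, ICMPv6, or Other, as on the form
    port_from: int = 0    # TCP/UDP port range
    port_to: int = 0
    icmp_type: int = -1   # ICMP/ICMPv6 type
    protocol: int = -1    # "Other": IP protocol number

@dataclass(frozen=True)
class PortForward:
    action: str           # Allow or Block
    service: str          # name of a custom (or built-in) service
    source_ip: str        # "Any" or a specific address
    destination_ip: str   # local server the traffic is forwarded to

def validate_service(svc):
    """Check that the fields filled in match the traffic type chosen."""
    errs = []
    if svc.kind in ("TCP", "UDP"):
        if not 1 <= svc.port_from <= svc.port_to <= 65535:
            errs.append(f"{svc.name}: bad port range {svc.port_from}-{svc.port_to}")
    elif svc.kind in ("ICMP", "ICMPv6"):
        if not 0 <= svc.icmp_type <= 255:
            errs.append(f"{svc.name}: ICMP type must be 0-255")
    elif svc.kind == "Other":
        if not 0 <= svc.protocol <= 255:
            errs.append(f"{svc.name}: protocol number must be 0-255")
    else:
        errs.append(f"{svc.name}: unknown traffic type {svc.kind}")
    return errs

REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900}   # assumption: ports worth flagging when open to Any

def review_forwards(services, forwards):
    """Cross-check port forwarding rules against the defined services."""
    by_name = {s.name: s for s in services}
    findings = []
    for f in forwards:
        svc = by_name.get(f.service)
        if svc is None:
            findings.append(f"{f.service}: not a defined service")
            continue
        if not ipaddress.IPv4Address(f.destination_ip).is_private:
            findings.append(f"{f.service}: destination {f.destination_ip} is not a local address")
        if f.action == "Allow" and f.source_ip == "Any" and svc.kind in ("TCP", "UDP"):
            exposed = set(range(svc.port_from, svc.port_to + 1)) & REMOTE_ADMIN_PORTS
            if exposed:
                findings.append(f"{f.service}: admin port(s) {sorted(exposed)} open to Any")
    return findings
```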
That is all there is to it. The way Cisco explained it to me was that the One-to-One NAT was split from this section for better performance/management. I was pretty confused when I saw the new interface but after working on it for a bit I see what they were going for.
I hope this update helps you secure your internal network.