Configuring public-to-private IP address NAT on a Cisco RV220W


Today I got a new Cisco RV220W. This is an excellent, feature-rich wireless firewall for a small business. It supports everything we need, including one-to-one public-to-private Network Address Translation (NAT), VLANs, and layer 3 switching.

I am going to show you how to set up the one-to-one NAT rules. This lets you place a server on an internal network or DMZ and translate its private IP address to a public address. For this to work you need static public IP addresses, which is fairly common with Comcast Business class service.

The first thing you need to do is log into the firewall. Do this by browsing to the private IP address of the device; the default is 192.168.1.1. Type in your username and password. Always change these from the defaults, and then WRITE THEM DOWN in a secure place.

[Screenshot: Login screen]

This brings you to the default home page. The next step is very, very important. You must register the firewall with each of the public IP addresses that you want to use for one-to-one NAT. Configuring an address on the WAN interface makes the firewall announce it with ARP, so the modem or upstream gateway learns the firewall's MAC address and starts forwarding Internet traffic for that address to the firewall.

On the left panel go to Networking / WAN / IPv4. Under Static IP Settings, type in one of the IP addresses that you want to use for one-to-one NAT, then click Save.

[Screenshot: Register public IP]

Wait at least 60 seconds, or, if you have an external Internet connection separate from the network you are working on, ping the IP address from there and wait until you start getting replies.

Once you get a reply, replace the IP address with the next one you need to register. Continue until all of the IP addresses you will be NATing have been registered. When you are done, set the WAN IP address to the one you want to use to manage the device. Keep in mind that this is a workaround rather than a supported feature: as a commenter below reports, the mappings can stop working when the ISP's modem clears its ARP cache, because the firewall does not re-announce the other addresses on its own, and you would then have to repeat the registration.

Now that all of the IP addresses are registered, we can move on to the NAT configuration.

On the left side, click Firewall to expand it, then click One to One NAT. The right panel shows the existing one-to-one NAT rules.

[Screenshot: Firewall 1-to-1 NAT]

The right-hand panel is divided into two sections: the One to One NAT Route Tables and the Services for One to One NAT tables. The route table defines which public address maps to which private address; the services table defines which services are allowed through to each server, so a mapped server is only reachable on the services listed for it.

As you can see, there is already an entry in there. We will add a new one. Click the Add button under the One to One NAT Route Tables to add a new route.

[Screenshot: Firewall 1-to-1 NAT, adding a route]

This opens the new NAT screen.

In Private Range Begin, enter the IP address of the server that you want to be reachable from the Internet. It is a bit confusing because it says "range", but we will address that later.

In Public Range Begin, enter the public static IP address that you want to assign to this machine.

In Public IP Subnet Mask, enter the subnet mask for your public addresses. Typically this is given to you by your ISP.

In Range, select 1. We are not trying to map a range of consecutive machines, only one.

Click Save.

[Screenshot: 1-to-1 NAT route]

This takes you back to the NAT tables, where you should now see the rule you just created. Next, click the Add button by the Services for One to One NAT table.

[Screenshot: 1-to-1 NAT service]

This opens the list of services that you can choose to allow.

In LAN Server IP address, enter the IP of the server you want to allow traffic to, and in the Services drop-down select the service to allow. Note that you can only allow one service per rule, so repeat this step once per service. Choose the specific service the server actually provides rather than a catch-all entry; the services table is the only thing standing between the Internet and every other port on that host.

Click OK.

[Screenshot: Services]

This takes you back to the tables, where you will see the service you just added.

[Screenshot: Firewall 1-to-1 NAT with service rule]

That is all there is to it. I do see some things that don't make much sense to me, like why there is a range for one-to-one NAT but no range for the services. You would think you would want to allow a service, say RDP, for a range of servers on your subnet.
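To make the two tables concrete, here is a small Python model of how they interact, written for this page as an added example (it is not Cisco code and does not talk to the router). It assumes that a route with Range N maps N consecutive public addresses onto N consecutive private addresses, and that an inbound packet for a mapped public address is delivered only when a service rule exists for that private host and port; the addresses, the subset of the service drop-down and the demo tables are all constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class OneToOneRoute:
    """One row of the One to One NAT Route Table."""
    private_begin: IPv4Address
    public_begin: IPv4Address
    count: int  # the GUI's "Range" field: how many consecutive pairs (assumption)

    def private_for(self, public: IPv4Address):
        """Private address that receives traffic sent to `public`, or None."""
        offset = int(public) - int(self.public_begin)
        if 0 <= offset < self.count:
            return self.private_begin + offset
        return None


@dataclass(frozen=True)
class ServiceRule:
    """One row of the Services for One to One NAT table (one service each)."""
    lan_server: IPv4Address
    proto: str  # "tcp" or "udp"
    port: int


# Constructed subset of the pre-defined services in the drop-down.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "RDP": ("tcp", 3389)}


def service_rule(lan_ip: str, name: str) -> ServiceRule:
    proto, port = SERVICES[name]
    return ServiceRule(ip_address(lan_ip), proto, port)


def inbound(routes, services, dst_public: str, proto: str, port: int):
    """Decide what happens to an Internet packet for dst_public:port.

    Returns (private_ip_or_None, verdict) where verdict is "no-route"
    (public address not mapped), "dropped" (mapped, but no service rule
    for that host and port) or "allowed".
    """
    dst = ip_address(dst_public)
    private = None
    for route in routes:
        private = route.private_for(dst)
        if private is not None:
            break
    if private is None:
        return None, "no-route"
    for rule in services:
        if rule.lan_server == private and rule.proto == proto and rule.port == port:
            return str(private), "allowed"
    return str(private), "dropped"


def exposure_report(routes, services):
    """Enumerate every public -> private proto/port that is reachable."""
    lines = []
    for route in routes:
        for i in range(route.count):
            public, private = route.public_begin + i, route.private_begin + i
            for rule in services:
                if rule.lan_server == private:
                    lines.append(f"{public} -> {private} {rule.proto}/{rule.port}")
    return lines


def demo_tables():
    """Constructed configuration: a web server on a single pair, plus a
    Range of 3 showing that each server still needs its own service rule."""
    routes = [
        OneToOneRoute(ip_address("192.168.1.4"), ip_address("203.0.113.10"), 1),
        OneToOneRoute(ip_address("192.168.1.20"), ip_address("203.0.113.20"), 3),
    ]
    services = [
        service_rule("192.168.1.4", "HTTP"),
        service_rule("192.168.1.20", "RDP"),  # .21 and .22 have no rule yet
    ]
    return routes, services


if __name__ == "__main__":
    routes, services = demo_tables()
    for line in exposure_report(routes, services):
        print(line)
    print(inbound(routes, services, "203.0.113.10", "tcp", 443))
```

Running it shows why the Range field alone does not expose anything: the three-address route maps 203.0.113.20 through .22, but only 192.168.1.20 has a service rule, so HTTPS to .10 and RDP to .21 are both dropped. That is exactly the "range for NAT but no range for services" quirk, and `exposure_report` is a handy way to review a larger table before trusting it.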

Ah well, that is all for this week.

UPDATE:  with Firmware 1.0.3.5!

When Cisco changed the firmware, they also changed the interface for the one-to-one NAT settings. As you can see below, where One-to-One NAT was previously the last option under Firewall, Cisco added a whole Advanced Settings section, and One-to-One NAT now lives under it.

Not only did that change, but the whole Custom Services section was moved down as well.

[Screenshot: One-to-One NAT after the update]

So now, when you want to open a custom port, go down to the Custom Services icon and click Add.

This opens the Custom Services Configuration screen. Fill in a name for the service. From the drop-down, select the type of traffic: TCP, UDP, ICMP, ICMPv6, or Other. Depending on the type, fill in the ICMP type, the port range, or the protocol number. Click Save.

This saves the definition for later use in the Port Forwarding section.

[Screenshot: Custom service types]

The Custom Services page lists all of the services you have defined.

Now let's go to the Port Forwarding page. To add a new port forwarding rule, click Add.

This takes us to Port Forwarding Configuration. In the Action section, select whether you want to allow or block; typically you are allowing. You also have the option to allow by schedule. We will not dig into that here, but it lets you control the times at which the port accepts traffic.

[Screenshot: Port Forwarding action configuration]

Next, select the service you want to allow. All of the custom services are at the bottom of the drop-down list.

Note that there are a ton of pre-configured services. When I spoke to a Cisco tech, they said that if a pre-configured service does not work correctly, try creating a custom service instead.

[Screenshot: Port Forwarding service configuration]

In the Source IP section, leave Any if you want traffic to be allowed from any address on the Internet. For management services such as RDP, consider restricting the source to the addresses that actually need access instead of exposing the port to the whole Internet.

In Destination IP address, type the local IP address of the server you want to forward this traffic to, e.g. 192.168.1.4.

I left Forward Port from and Forward Port to at their defaults, but you can adjust them if you want port translation, i.e. publishing a service on a different public port than the one the server listens on. I feel that this adds complexity.

Click Save to save your configuration.

[Screenshot: Port Forwarding configuration]

That is all there is to it. The way Cisco explained it to me was that One-to-One NAT was split from this section for better performance and management. I was pretty confused when I saw the new interface, but after working with it for a bit I see what they were going for.
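Whichever firmware you are on, the configuration is only as good as what actually answers on the public address, so it is worth checking from outside once you have saved the rules. The script below is an added example written for this page (it is not from the post or from Cisco): run from a host outside the firewall, it attempts a TCP connection to each port you expected to forward plus a handful of commonly exposed ports, and reports anything that is open but was not intended. The probe is a parameter so the logic can be exercised offline with a stub; the target address 203.0.113.10 and the port lists are constructed.

```python
import socket
import sys


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Ports worth probing even if you never intended to forward them (constructed list).
COMMON_PROBES = [21, 22, 23, 80, 443, 445, 3389, 8080]


def audit_exposure(public_ip, expected_open, probe_ports=COMMON_PROBES, probe=tcp_connect):
    """Compare what answers on public_ip with what you meant to forward.

    Returns a dict with three sorted lists:
      ok              - expected and open
      unexpected_open - open but not in expected_open (investigate!)
      expected_closed - meant to be forwarded but not answering
    """
    expected = set(expected_open)
    findings = {"ok": [], "unexpected_open": [], "expected_closed": []}
    for port in sorted(set(probe_ports) | expected):
        is_open = probe(public_ip, port)
        if is_open and port in expected:
            findings["ok"].append(port)
        elif is_open:
            findings["unexpected_open"].append(port)
        elif port in expected:
            findings["expected_closed"].append(port)
    return findings


def stub_probe(open_ports):
    """Offline stand-in for tcp_connect: pretend only open_ports answer."""
    return lambda host, port: port in set(open_ports)


if __name__ == "__main__":
    # Usage from a host OUTSIDE the firewall:
    #   python3 audit_exposure.py 203.0.113.10 80 443
    target, expected = sys.argv[1], {int(p) for p in sys.argv[2:]}
    result = audit_exposure(target, expected)
    for key, ports in result.items():
        print(f"{key:16} {ports}")
    sys.exit(1 if result["unexpected_open"] or result["expected_closed"] else 0)
```

An entry under unexpected_open usually means a service rule or port forwarding rule was broader than intended (for example an all-ports service, or a second rule with Source IP set to Any that you forgot about), while expected_closed often points back at the ARP registration step: the firewall is not yet receiving traffic for that public address.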

I hope this update helps you secure your internal network. 

Comments

Thanks for the informative article Tony. I'm curious what firmware you have in your RV220W? I have version 1.0.3.5 which appears to be the latest as of this date. On mine, the One-to-One NAT screen does not have a 'Services for one-to-one NAT rules table' that I see in your screenshot. I only have the ability to set up one service per NAT rule. I'm wondering if there is a configuration option that I may have missed to enable multiple services (ports) for each one-to-one route?
Posted @ Wednesday, April 25, 2012 9:19 AM by Jeff
Jeff,

I updated the post with new info on the updated firmware. I hope this helps.
Posted @ Wednesday, April 25, 2012 10:12 AM by Tony DiSalvo
Thanks Tony! The documentation for the firewall still referenced the old firmware for the one-to-one NAT settings, so it wasn't clear to me how to configure it for more than one service. After seeing your example, I also now see what they were going for. For opening a single port, this interface is actually nice and clean; it's just not obvious that you now need to go to another section of the menu to forward additional ports. Thanks again!
Posted @ Wednesday, April 25, 2012 3:16 PM by Jeff
OK.. Is it just me, or is there no way to put TWO or more services on the same public/private pair? I want to enable HTTP/HTTPS/FTP for the same internal address and public address. But from what I can see you only have two options. a specific port (HTTP) or ALL ports. What am I missing?
Posted @ Saturday, May 05, 2012 3:44 PM by Roy Salisbury
I want to make sure I understand your question, because I think that is what I was trying to show in the section marked UPDATE: with Firmware 1.0.3.5!

You have a public/private pair and you want to only enable HTTP, HTTPS and FTP, correct?

You would first set up the pair in the one to one NAT section and then select the default service you want to allow, say HTTP. Then you would go into the Port Forwarding section and create another rule to always allow the service you are looking for, say HTTPS; the source IP would be Any because it is whatever is coming from the Internet, and the destination IP address would be the local IP address of your server.

I know this is not very intuitive. I think that the last firmware made it much more clear what was happening because it was all in the same section.

I hope this helps.
Posted @ Monday, May 07, 2012 9:46 AM by Tony DiSalvo
OK.. I think I found an alternative. On the firewall access rules page where you would normally setup the inbound rules for the local WAN address, there is an option to specify a different WAN destination address. I put my external address there and it works just like the One-to-One mapping. And that will automatically create the port mapping as well. 
 
Too many ways to do this stuff on this router.
Posted @ Wednesday, May 09, 2012 8:41 PM by Roy Salisbury
Thanks for this great blog post!

The described work-around for triggering the firewall to announce all used IP addresses to the gateways (ARP) is the only thing that bugs me a bit; don't you think Cisco should have implemented in the router's firmware a way to register the necessary IPs automatically with the gateway as soon as one-to-one NAT is configured? Your described solution above unfortunately ceases to work nicely when the cable modem (managed by the ISP), as part of its maintenance tasks, periodically clears/refreshes its ARP cache. Any ideas to circumvent the mentioned issue are highly appreciated.

regards :)
martin
Posted @ Thursday, June 07, 2012 7:35 PM by Martin
Martin,

I am sorry, but I do not. That is a dilly of a pickle.

I would contact Cisco support and give them a suggestion for a firmware upgrade. You have a very legitimate concern. It may take some time, but I have had good luck talking to upper-level techs.
Posted @ Tuesday, June 12, 2012 3:06 PM by Tony DiSalvo