Cisco RVS4000: how to restrict access to forwarded ports

Imagine you have a firewall and want it to forward external traffic to a specific internal port only if the source address matches some criteria. Easy? The requirement in question is as simple as can be for a Cisco “business security gateway”, or really for absolutely any kind of “thing” claiming to function as a “firewall”.

Well, in reality, accomplishing such a trivial thing can be much more difficult when you are restricted to the wonderful world of badly designed web user interfaces.

Long story short, I want to allow “external host A” to access “port 8980” on “internal host B”:

[image: the purpose of it all]

I would expect to be able to restrict access to the port at the time I open it, but no, that would just be too easy.

The steps to allow only external host A access to the port are as follows:

First, make two “IP Based ACL” entries in the firewall configuration as shown below:

[image: two entries required here, but still not done]

The general order here is “first allow, then deny”: the first entry allows 10.11.12.1 to access the “opennms” service (which runs on port 8980), while the second entry denies everyone else on the WAN interface access to that port.

Now the final step is to actually forward the port in the “Single Port Forwarding” configuration, as below:

[image: finally forward the port]

I must admit that I did not come up with this solution myself; googling around, I found a thread in the Cisco support forum dealing with the issue.

Once you know how to do it, it doesn’t seem too illogical. On the other hand, compared to what the iptables rule looks like in the background and how simply I could write it on a text console (the router is Linux based!), those “simple, user friendly” web interfaces make me mad quite often, far too often.
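For comparison, here is what the same “allow host A, deny everyone else, then forward” setup looks like as netfilter rules on a Linux box. This is an added example, not the router’s own firmware script; the WAN interface name (eth0) and the internal address of host B (192.168.1.10) are constructed placeholders. By default the script only prints the rules; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: netfilter equivalent of the RVS4000 "IP Based ACL" plus
# "Single Port Forwarding" configuration described above.
# IPT defaults to a dry run that echoes the commands instead of applying them.
IPT="${IPT:-echo iptables}"

WAN_IF="${WAN_IF:-eth0}"          # constructed: the router's WAN interface
EXT_HOST_A="10.11.12.1"           # external host A (from the post)
INT_HOST_B="192.168.1.10"         # constructed: internal host B
PORT=8980                         # the "opennms" service port (from the post)

# forward_port_restricted ALLOWED_SRC INTERNAL_DST TCP_PORT
# Emits/applies three rules: one DNAT and two FORWARD filter rules.
forward_port_restricted() {
    src="$1"; dst="$2"; port="$3"

    # 1. Port forward: rewrite packets arriving on the WAN for $port so they
    #    go to host B. This is the "Single Port Forwarding" step.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dst:$port"

    # 2. Access control in FORWARD. Because DNAT already happened in
    #    PREROUTING, we match on the *internal* destination address.
    #    Order matters exactly as in the router's ACL: allow host A first...
    $IPT -A FORWARD -i "$WAN_IF" -s "$src" -d "$dst" -p tcp --dport "$port" \
        -j ACCEPT

    #    ...then deny everybody else coming in on the WAN interface. If these
    #    two rules were appended the other way round, the DROP would match
    #    first and host A would be locked out as well.
    $IPT -A FORWARD -i "$WAN_IF" -d "$dst" -p tcp --dport "$port" -j DROP
}

forward_port_restricted "$EXT_HOST_A" "$INT_HOST_B" "$PORT"
```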

Comments

KL (Guest):
Many thanks.

Found this helpful. I hate having to do all my own IT work as a small business owner, but I can’t afford expensive IT rates for simple things.

Udo Rader (Guest):

In the light of current events, just one warning: beware that the RVS 4000 has a known, critical backdoor that allows reading all configuration options, including passwords; see https://github.com/elvanderb/TCP-32764.

As of now (2014-01-16), the backdoor has not been closed yet.

Anonymous (Guest):

Issue seems to be fixed right now. From the release notes:
Fixed an issue in which an undocumented test interface in the TCP service
was listening on port 32764, allowing unauthenticated access to the device
from the LAN side.
