
Zyxel router Access Control log stops access

Posted on 2009-05-14
Last Modified: 2013-12-14
This is a P-660HW-D1.

I have enabled multi-nat, and mapped an external address to an internal one (1:1).  The internal address has a server set to respond to SSH (port 22).  A firewall rule permits any WAN address access.

From the outside, I can connect to this service, no problem.

The firewall log feature has an "Access Control" option.  If I turn this on, the above access is blocked.  Turn logging off again, it works fine.  What on earth is going on?
Question by:wohenben

Expert Comment

by:ccomley
ID: 24393152
I've used lots of Zyxel routers - I don't have access to one right this minute - and I can't visualise the Access Control option you speak of - can you say which menu it's on? What does the "help" page say it's for?

One "trick" you may find helpful, it used to be important on earlier firmware, though these days doesn't appear necessary, but it can't hurt to try. When you switch from SUA to Full Nat Control, as well as setting up the 1:1 you need for your server and a 1:Many for the rest of your LAN, set up a 1:1 between the router WAN address and the router LAN address.  So you have a plan something like this:-

210.121.126.1  <1:1> 192.168.1.1 (the router)
210.121.126.2  <1:1> 192.168.1.2 (your server)
210.121.126.3  <1:Many> 192.168.1.33 to 192.168.1.66 (your DHCP range)


Author Comment

by:wohenben
ID: 24397901
Thanks for the tip.  I'd already found out the first bit the hard way!
When setting a 1:1 for a server, do you also need a Server entry?  It wasn't clear from the docs if I just needed 1:1, Server, or both.

The Access Control is a check box in the log settings.  The manual doesn't say what it's for, but it seems to log matches (or mismatches) on the access control rules.

In fact I've found the problems go deeper than that.  Making even the slightest change to the address mapping rules if doing remote admin disconnects me, then I have to wait for the timeout before logging in again.

Accepted Solution

by:wohenben
ID: 24413934
Update:  I'm going to close this and re-submit as the problem seems to be different to what I initially thought.